Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 48
Members: 0
Total: 48
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpNuke -> is there a way to bypass protection? Goto page Previous1, 2, 3Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Mon Apr 18, 2005 11:30 am Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




it would be more "ethical" advising developers before releasing exploit, but i don't think many people will upgrade.
i've got an idea, but i need to test Wink
i was thinking about sending a part of the string coded in base 64 and the rest unencoded, so the filter shouldn't work..
also i heard about JOIN queryies but i need to study more sql
View user's profile Send private message Visit poster's website
PostPosted: Mon Apr 18, 2005 12:30 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




There is one thing, i wanted to say out: phpnuke developers and/or nuke fix developers are not very ethical people Mad

Let' see - base64 coding/decoding has been always big security hole to all the phpnuke engine. Many cool sql injections and xss cases are related to base64. So, when i started to work with phpnuke (~2003 december), i wrote some sanityze code to mainfile.php for finally get ride with all the base64 bugs. It was 100% private code and it was not spreading in Internet.
Here it is:

Code:

#############################################################
#--------------- Base64 sanitize by Waraxe -----------------
if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}

if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}
#############################################################


In some moment, somewhere in year 2004 i posted that code fragment to some forum (don't remember details) and it was spreading over the net.
Let's make google search:

http://www.google.com/search?hl=en&lr=&q=%22Base64+sanitize+by+Waraxe%22

and we can see, that there is more than 160 results.
And for my surprise, when i looked at phpnuke source code one day:

Code:

if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}

if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}


Cool, is'nt? 100% copy of my code, but without any refference to me or without any credit. Let's look at first lines in "mainfile.php":

Code:

/************************************************************************/
/* Additional security checking code 2003 by chatserv */
/* http://www.nukefixes.com -- http://www.nukeresources.com */
/************************************************************************/


Nice, eh? They just used my code snippet without any mention of author??
Ethical?? Hell, no Rolling Eyes

By the way, download some new phpnuke package, like 7.5 or 7.6 and try to find strings "waraxe" or "janek" from ALL OF THE PHPNUKE SOURCE. Heh, guess what?????????? Not a word about me. Think for one f***ing minute, how many f***ing holes i have discovered in nuke?
Where are credits in changelog? Eh??

F***ck thi s**it, i am little bit mad right now Evil or Very Mad Evil or Very Mad Twisted Evil Twisted Evil Twisted Evil

So, fu*k ethics!!! I will release advisory as soon as possible Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 18, 2005 12:38 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




revenge is a best dish when served cold lol
or something like this lol
i hate people "stealing" credits, it happened me when i coded many very bad program for the DC p2p sharing network...
by the way, were my ideas totally useless or there was something right ? Very Happy
View user's profile Send private message Visit poster's website
PostPosted: Mon Apr 18, 2005 12:54 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Well, let' see:

1. JOIN tricks instead of UNION trics - this is not useful most of the time.
I am telling this by my own experience - i know theory and i have done experiements with JOIN, but there are very restrictive mitigating factors in SQL query syntax and in real life i don't remember any case, when JOIN trick worked ...
2. base64 coding mixed with other methods - this is not working idea, i think, because for base64 stuff to work, there must be code fragment, which will decode first. I can't understand, how can you somehow "put together" different sql query parts, coming from various sources...
Maybe i just talking bs right now, i don't know...

Anyway, feel free to experiment - i have discovered many cool bugs just by experimenting, without detailed planning Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Apr 19, 2005 1:17 pm Reply with quote
sp3x
Valuable expert
Valuable expert
Joined: Feb 15, 2005
Posts: 10




waraxe wrote:
There is one thing, i wanted to say out: phpnuke developers and/or nuke fix developers are not very ethical people Mad

Let' see - base64 coding/decoding has been always big security hole to all the phpnuke engine. Many cool sql injections and xss cases are related to base64. So, when i started to work with phpnuke (~2003 december), i wrote some sanityze code to mainfile.php for finally get ride with all the base64 bugs. It was 100% private code and it was not spreading in Internet.
Here it is:

Code:

#############################################################
#--------------- Base64 sanitize by Waraxe -----------------
if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}

if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}
#############################################################


In some moment, somewhere in year 2004 i posted that code fragment to some forum (don't remember details) and it was spreading over the net.
Let's make google search:

http://www.google.com/search?hl=en&lr=&q=%22Base64+sanitize+by+Waraxe%22

and we can see, that there is more than 160 results.
And for my surprise, when i looked at phpnuke source code one day:

Code:

if(isset($admin))
{
$admin = base64_decode($admin);
$admin = addslashes($admin);
$admin = base64_encode($admin);
}

if(isset($user))
{
$user = base64_decode($user);
$user = addslashes($user);
$user = base64_encode($user);
}


Cool, is'nt? 100% copy of my code, but without any refference to me or without any credit. Let's look at first lines in "mainfile.php":

Code:

/************************************************************************/
/* Additional security checking code 2003 by chatserv */
/* http://www.nukefixes.com -- http://www.nukeresources.com */
/************************************************************************/


Nice, eh? They just used my code snippet without any mention of author??
Ethical?? Hell, no Rolling Eyes

By the way, download some new phpnuke package, like 7.5 or 7.6 and try to find strings "waraxe" or "janek" from ALL OF THE PHPNUKE SOURCE. Heh, guess what?????????? Not a word about me. Think for one f***ing minute, how many f***ing holes i have discovered in nuke?
Where are credits in changelog? Eh??

F***ck thi s**it, i am little bit mad right now Evil or Very Mad Evil or Very Mad Twisted Evil Twisted Evil Twisted Evil

So, fu*k ethics!!! I will release advisory as soon as possible Wink

Yes this is bad....
the same was with me... i also gave some adv about holes in phpnuke....
First i send it to nukefixes.com with patchs and said then to check the patchs... but i get no answer about my patchs ... so i was waiting and waiting.... and no response...
Then i public the adv and patchs to phpnuke....
On forum nukefixes started to check my patchs...
and everything was good but no credits in code that patchs was from me.... sad but true...
The phpnuke security sucks .... they do not care about security...
You can send them a adv but they only answer "ok fine thanks for info" or say nothing...
When I and my friend send advisories about holes in Postnuke, the answer was quick. Postnuke team really care about security... they working with us to patch the postnuke and still work and still we have contact... by the way the postnuke is better written then phpnuke....
View user's profile Send private message
PostPosted: Tue Apr 19, 2005 1:45 pm Reply with quote
murdock
Advanced user
Advanced user
Joined: Mar 16, 2005
Posts: 54




Years ago I got the same problem but worst!
I made messenger tools in VisualBasic (when messenger version was 4.x).
Simple tools but very usefull: MassMessenger, MSN Fake Apps, MSN IP Stealer, etc...But some lamer used the resource editor to change my name (I was "MaDMaX" then) in all the images and strings to put his one, and distributed the tools over the net...The tools got very popular...but whith this idiot as the author... Crying or Very sad

The same occured with the first hacking guide I wrote in 1999. It was the "NetBIOS Hacking Guide Step-by-step by MaDMaX". I published in my web page and....the guide has been copyed in many lamer sites but without my sign!!! (One day I started to find with google the guide and I found that only one person mentioned my name in the guide, and about 6 without author, and about 8 with the author changed!!!).

I know that my case is diferent because lamers are not ethical for definition, but phpnuke developers MUST BE ethical, so If they're not, REVENGE! Twisted Evil


Last edited by murdock on Tue Apr 19, 2005 1:47 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Tue Apr 19, 2005 1:46 pm Reply with quote
KingOfSka
Advanced user
Advanced user
Joined: Mar 13, 2005
Posts: 61




in fact for phpNuke there are tons of public exploit, for postNuke there are less Wink
View user's profile Send private message Visit poster's website
PostPosted: Tue Apr 19, 2005 4:58 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Yeah, i have good experience with many developers: postnuke, coppermine, phorum, phpbb. And most ignorant ones are phpnuke and xmbforum. Just my opinion Rolling Eyes
By the way, i will release advisory #42 tomorrow, and it's about "multiple vulnerabilities" in Sentinel Laughing
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Apr 19, 2005 6:41 pm Reply with quote
murdock
Advanced user
Advanced user
Joined: Mar 16, 2005
Posts: 54




"multiple vulnerabilities in Sentinel" <- YUUUUUJUUUUUUUUU!!!!!!!! Wink
View user's profile Send private message
PostPosted: Wed Apr 20, 2005 1:58 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




not only that ,
i use to do some pen test / black box test against some website or server
yes, i do it illegaly, but i dont do any harm.. just testing
when ive allready done , then i give them (Admin) a clue or something "Open" on their machine , what did they said to me ?
dont try to teach me, go away, you are not smarter enough ..
and many ..

See ?

few days later , their server/ was defaced, many files deleted n bla bla bla
so ??

whats wrong ?

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Wed Apr 20, 2005 2:05 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




y3dips wrote:
not only that ,
i use to do some pen test / black box test against some website or server
yes, i do it illegaly, but i dont do any harm.. just testing
when ive allready done , then i give them (Admin) a clue or something "Open" on their machine , what did they said to me ?
dont try to teach me, go away, you are not smarter enough ..
and many ..

See ?

few days later , their server/ was defaced, many files deleted n bla bla bla
so ??

whats wrong ?


Yes, my experience tells me, that ~25% admins/webmasters respond friendly and patch the holes, ~25% respond unfirendly AND patch the holes, or are not responding BUT PATCHING anyway. And most interesting are those 50% - they just are not responding and are not patching too Rolling Eyes

Guess what - about 6 months ago i spotted some potential flaws in Estonian bank website, i sent email and got zippo answers...
Now, half year later, those holes exists and are not yet patched Razz
Nonsense....
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Apr 20, 2005 2:19 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




waraxe wrote:

Yes, my experience tells me, that ~25% admins/webmasters respond friendly and patch the holes, ~25% respond unfirendly AND patch the holes, or are not responding BUT PATCHING anyway. And most interesting are those 50% - they just are not responding and are not patching too Rolling Eyes

Guess what - about 6 months ago i spotted some potential flaws in Estonian bank website, i sent email and got zippo answers...
Now, half year later, those holes exists and are not yet patched Razz
Nonsense....


sorry i forgot, a few of them would like to say thx n ask how to patch (Hell, yeah ? Laughing)

btw, about your advisories.
like you said in other topic Rolling Eyes
sometimes we have to makes them feel it , after that just hoping them realize it Laughing

or just watching the machine Laughing

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Wed Apr 20, 2005 4:47 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Sentinel related advisory #043 will be out tomorrow, because i was today busy with #042 - Vulns in Coppermine Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Apr 20, 2005 7:03 pm Reply with quote
sp3x
Valuable expert
Valuable expert
Joined: Feb 15, 2005
Posts: 10




Yeah some admins are good some bad Smile
Some admins thanks to you and give you avaibility to test host and help him patch and give toy account for free who cost many dollars....
Some admins just call the police that someone try to hack him or hacked his system... then you have problem....
If admin is good in his job he understand the risk of security when is broken.

So ... best admins are who broke security of some servers or some scritps, software thats is a truth
View user's profile Send private message
PostPosted: Thu Apr 21, 2005 9:05 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Yeah those people who find all these holes and dont get the credit. I spose its because they release the exploits aswell that they dont mention it.
Look at heintz he found that big problem with phpBB and they didnt even bother to mention his name or any thing because he released the exploit.

BTW I dont like the phpBB crew whatso ever.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
is there a way to bypass protection?
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 2 of 3
Goto page Previous1, 2, 3Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds