|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
PHP Nuke <= 7.8 Multiple SQL Injections |
|
Posted: Tue Sep 13, 2005 4:31 pm |
|
|
darkclaw |
Regular user |
|
|
Joined: Aug 04, 2005 |
Posts: 14 |
|
|
|
|
|
|
|
|
|
|
|
|
So, how do I use |
|
Posted: Wed Sep 14, 2005 6:40 pm |
|
|
webjunky |
Regular user |
|
|
Joined: Jun 25, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
SO how do I use this?
What URL should I use to make a new admin with pass=coolpass and admin=waraxe?
NewAngels Advisory #7]PHP Nuke <= 7.8 Multiple SQL Injections
========================================================================
=====
Software: PHP Nuke 7.8
Type: SQL Injections
Risk: High
Date: Sep. 10 2005
Vendor: PHP-Nuke (phpnuke.org)
Credit:
=======
Robin 'onkel_fisch' Verton from it-security23.net
Description:
============
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet.
The Administrator has total control of his web site, registered users, and he will have in the hand
a powerful assembly of tools to maintain an active and 100% interactive web site using databases.
[http://www.phpnuke.org/]
Vulnerability:
==============
PHP Nuke 7.8 is prone to multiple SQL injection vulnerabilities.
These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries.
In the modules.php
$result = $db->sql_query("SELECT active, view FROM ".$prefix."_modules WHERE title='$name'");
The $name variable is not checked so you could inject malicious SQL Code. In an file which is included whe have the following code:
$queryString = strtolower($_SERVER['QUERY_STRING']);
if (stripos_clone($queryString,'%20union%20') OR stripos_clone($queryString,'/*') OR stripos_clone($queryString,'*/union/*') OR stripos_clone($queryString,'c2nyaxb0')) {
header("Location: index.php");
die();
}
[...]
if (!ini_get("register_globals")) {
import_request_variables('GPC');
}
So you can use UNION in a GET var. But because they use register_globals or impor_request_variables you can send
the malicous SQL-Code via POST so it is not checked if you insert an "union".
http://www.example.com/modules.php POST: name=' OR 1=1/*
will produce an error, neither
http://www.example.com/modules.php POST: name=' OR 1=2/*
will only tell you taht the requestet 'modul' is not active, so you can read out the admin password hahs via blind injections.
Additionaly there are a few SQL-Injections in the modules.
Here a few examples:
http://www.example.com/modules.php?name=News&file=article&sid=[SQL] - here the same as above, send this via POST to
bypass the 'union'-cover
http://www.example.com/modules.php?name=News&file=comments&Reply&pid=[SQ
L]
http://www.example.com/modules.php?name=News&file=comments&op=Reply&pid=
[SQL]
http://www.example.com/modules.php?name=News&file=comments&op=Reply&sid=
[SQL]
Greets:
==============
CyberDead, atomic, sirius_
Whole secured-pussy.de Team
Zealots |
|
|
|
|
|
|
|
|
Posted: Sat Sep 17, 2005 1:21 pm |
|
|
darkclaw |
Regular user |
|
|
Joined: Aug 04, 2005 |
Posts: 14 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Sat Sep 17, 2005 4:14 pm |
|
|
zer0-c00l |
Advanced user |
|
|
Joined: Jun 25, 2004 |
Posts: 72 |
Location: BRAZIL! |
|
|
|
|
|
|
anyone has this exploit already compiled? |
|
|
|
|
Posted: Sun Sep 18, 2005 6:52 am |
|
|
AnalCunt |
Beginner |
|
|
Joined: Sep 03, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
zer0-c00l wrote: | anyone has this exploit already compiled? |
omfg. |
|
|
|
|
Posted: Sun Sep 18, 2005 5:52 pm |
|
|
zer0-c00l |
Advanced user |
|
|
Joined: Jun 25, 2004 |
Posts: 72 |
Location: BRAZIL! |
|
|
|
|
|
|
|
|
|
|
|
... |
|
Posted: Wed Sep 21, 2005 6:37 pm |
|
|
cluster |
Regular user |
|
|
Joined: Nov 13, 2004 |
Posts: 8 |
|
|
|
|
|
|
|
when I try it I only see cccccccccccccc like
[~] Folder: //
[!] Searching password for user with id : 2
[!] Please wait...
[+] Password: cccccccccccccccccccccccccccccccc
any idea?... |
|
|
|
|
|
Re: ... |
|
Posted: Fri Sep 23, 2005 12:06 am |
|
|
Pi0u |
Regular user |
|
|
Joined: Sep 23, 2005 |
Posts: 5 |
|
|
|
|
|
|
|
cluster wrote: | when I try it I only see cccccccccccccc like
[~] Folder: //
[!] Searching password for user with id : 2
[!] Please wait...
[+] Password: cccccccccccccccccccccccccccccccc
any idea?... |
The same for me , i duno how to fix it :s |
|
|
|
|
Posted: Sat Sep 24, 2005 8:34 pm |
|
|
diegocure15 |
Active user |
|
|
Joined: Sep 22, 2004 |
Posts: 27 |
|
|
|
|
|
|
|
how did you do it? i been trying for 10 days and nothing yet. |
|
|
|
|
Posted: Fri Oct 07, 2005 10:09 am |
|
|
Soickan |
Beginner |
|
|
Joined: Oct 07, 2005 |
Posts: 1 |
|
|
|
|
|
|
|
my compile file.
Sample: test.so
But, usage command ?
Pls help me. |
|
|
|
|
Posted: Thu Nov 03, 2005 9:01 am |
|
|
goblin |
Regular user |
|
|
Joined: Nov 03, 2005 |
Posts: 8 |
|
|
|
|
|
|
|
the exploit is tested ?
thanx,this post |
|
|
|
|
Posted: Thu Nov 03, 2005 12:40 pm |
|
|
KingOfSka |
Advanced user |
|
|
Joined: Mar 13, 2005 |
Posts: 61 |
|
|
|
|
|
|
|
i compiled and tested this exploit locally on my linux box, it works perfectly, but the target site must have mysql => 4.0 , when you get "ccccc" it should be because the target was patched or was using an older version of mysql |
|
|
|
|
Posted: Mon Jul 31, 2006 12:45 am |
|
|
Elewyn |
Beginner |
|
|
Joined: Feb 03, 2006 |
Posts: 3 |
|
|
|
|
|
|
|
Hi !
I have one question; how to send one script via Post method?
Sorry for my english! |
|
|
|
|
|
Re: ... |
|
Posted: Fri Aug 01, 2008 10:14 am |
|
|
Dj_Asim |
Beginner |
|
|
Joined: Jul 31, 2008 |
Posts: 3 |
|
|
|
|
|
|
|
Pi0u wrote: | cluster wrote: | when I try it I only see cccccccccccccc like
[~] Folder: //
[!] Searching password for user with id : 2
[!] Please wait...
[+] Password: cccccccccccccccccccccccccccccccc
any idea?... |
The same for me , i duno how to fix it :s |
Secured? patched |
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|