nst-29.txt
Posted on 01 November 2006
------=_Part_94883_6292592.1162313436170 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline /* -------------------------------------------------------- [N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31 -------------------------------------------------------- Program: PHP-Nuke Homepage: http://www.php.net Vulnerable Versions: PHP-Nuke <= 7.9 Risk: Medium Impact: Medium Risk -==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability==- --------------------------------------------------------- - Description --------------------------------------------------------- PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. - Tested --------------------------------------------------------- localhost & many sites - Vulnerability Description --------------------------------------------------------- In /modules/Journal/search.php the "forwhat" variable is not sanitized correctly. Here is the vulnerable code: ==[ /modules/Journal/search.php 125-136 ]========================== [...] if ($bywhat == 'aid'): if ($exact == '1') { $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid DESC"; } else { $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%' order by j.jid DESC"; } elseif ($bywhat == 'title'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.title like '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'bodytext'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE '%$forwhat%' order by j.jid DESC"; elseif ($bywhat == 'comment'): $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u, ".$user_prefix."_journal_comments c WHERE u.username=j.aid and c.rid=j.jid and c.comment LIKE '%$forwhat%' order by j.jid DESC"; endif; [...] ==[ end /modules/Journal/search.php ]============================== magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix used for the database tables ("nuke_" by default). In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems. ==Pseudo-Code Proof of Concept exploit== <? /* Neo Security Team - Pseudo-Code Proof of Concept Exploit http://www.neosecurityteam.net Paisterist */ set_time_limit(0); $host="localhost"; $path="/phpnuke/"; $port="80"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $data=""; /* Here the variables, like "bywhat" and "forwhat", with the SQL Injection */ if ($fp) { /* we put the POST request on $p variable, sending the data saved on $data. */ fwrite($fp, $p); while (!feof($fp)) { $content .= fread($fp, 4096); } preg_match("/([a-z0-9]{32})/", $content, $matches); if ($matches[0]) print "<b>Hash: </b>".$matches[0]; } ?> ==Pseudo-Code Proof of Concept exploit== Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table. - How to fix it? More information? -------------------------------------------------------- You can found a patch on http://www.neosecurityteam.net/foro/ Also, you can modify the line 61 of /modules/Journal/search.php, adding slashes before the simple quotes with the addslashes() function: ==[ /modules/Search/index.php 59-62 ]========================== [...] else : $forwhat = filter($forwhat, "nohtml"); $forwhat = addslashes(filter($forwhat, "nohtml")); endif; [...] ==[ end /modules/Search/index.php ]============================== That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not free at the moment. - References -------------------------------------------------------- http://www.neosecurityteam.net/index.php?action=advisories&id=29 - Credits -------------------------------------------------------- Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/ - Greets -------------------------------------------------------- HaCkZaTaN K4P0 Daemon21 Link 0m3gA_x LINUX nitrous m0rpheus nikyt0x KingMetal Knightmare Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!! @@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@ '@@@@@''@@'@@@''''''''@@''@@@''@@ '@@'@@@@@@''@@@@@@ @@@'''''@@@ '@@'''@@@@'''''''''@@@''''@@@ @@@@''''@@'@@@@@@@@@@''''@@@@@ /* EOF */ -- Paisterist Neo Security Team http://neosecurityteam.net ------=_Part_94883_6292592.1162313436170 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline <br clear="all">/*<br>--------------------------------------------------------<br>[N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31<br>--------------------------------------------------------<br>Program: PHP-Nuke<br> Homepage: <a href="http://www.php.net">http://www.php.net</a><br>Vulnerable Versions: PHP-Nuke <= 7.9<br>Risk: Medium<br>Impact: Medium Risk<br><br>-==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection vulnerability==- <br>---------------------------------------------------------<br><br>- Description<br>---------------------------------------------------------<br>PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases. <br><br>- Tested<br>---------------------------------------------------------<br>localhost & many sites<br><br>- Vulnerability Description<br>---------------------------------------------------------<br><br>In /modules/Journal/search.php the "forwhat" variable is not sanitized correctly. Here is the vulnerable code: <br><br>==[ /modules/Journal/search.php 125-136 ]==========================<br>[...]<br>if ($bywhat == 'aid'):<br> if ($exact == '1') {<br> $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status , j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order by j.jid DESC";<br> } else { <br> $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%' order by j.jid DESC";<br> } elseif ($bywhat == 'title'):<br> $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.title like '%$forwhat%' order by j.jid DESC";<br> elseif ($bywhat == 'bodytext'):<br> $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id , u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE '%$forwhat%' order by j.jid DESC";<br> elseif ($bywhat == 'comment'):<br> $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j, ".$user_prefix."_users u, ".$user_prefix."_journal_comments c WHERE u.username=j.aid and c.rid=j.jid and c.comment LIKE '%$forwhat%' order by j.jid DESC";<br> endif;<br>[...]<br>==[ end /modules/Journal/search.php ]==============================<br><br>magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix <br> used for the database tables ("nuke_" by default).<br><br>In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems. <br><br>==Pseudo-Code Proof of Concept exploit==<br><?<br>/*<br><br>Neo Security Team - Pseudo-Code Proof of Concept Exploit<br><a href="http://www.neosecurityteam.net">http://www.neosecurityteam.net</a><br>Paisterist<br> <br>*/<br>set_time_limit(0);<br>$host="localhost";<br>$path="/phpnuke/";<br>$port="80";<br>$fp = fsockopen($host, $port, $errno, $errstr, 30);<br>$data=""; /* Here the variables, like "bywhat" and "forwhat", with the SQL Injection */ <br><br>if ($fp) {<br> /* we put the POST request on $p variable, sending the data saved on $data. */<br><br> fwrite($fp, $p);<br><br> while (!feof($fp)) {<br> $content .= fread($fp, 4096);<br> }<br><br> preg_match("/([a-z0-9]{32})/", $content, $matches);<br><br> if ($matches[0])<br> print "<b>Hash: </b>".$matches[0];<br>}<br>?><br>==Pseudo-Code Proof of Concept exploit==<br><br> Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.<br><br>- How to fix it? More information?<br>--------------------------------------------------------<br><br>You can found a patch on <a href="http://www.neosecurityteam.net/foro/">http://www.neosecurityteam.net/foro/</a><br><br>Also, you can modify the line 61 of /modules/Journal/search.php, adding slashes before the simple quotes with the addslashes() function: <br><br>==[ /modules/Search/index.php 59-62 ]==========================<br>[...]<br>else :<br> $forwhat = filter($forwhat, "nohtml");<br> $forwhat = addslashes(filter($forwhat, "nohtml"));<br> endif; <br>[...]<br>==[ end /modules/Search/index.php ]==============================<br><br>That's a momentary solution to the problem. I recommend to download the PHP-Nuke 8.0 version in the next days... it is not <br>free at the moment. <br><br>- References<br>--------------------------------------------------------<br><a href="http://www.neosecurityteam.net/index.php?action=advisories&id=29">http://www.neosecurityteam.net/index.php?action=advisories&id=29 </a><br><br>- Credits<br>--------------------------------------------------------<br>Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com<br><br>[N]eo [S]ecurity [T]eam [NST] - <a href="http://www.neosecurityteam.net/">http://www.neosecurityteam.net/</a><br><br><br>- Greets<br>--------------------------------------------------------<br>HaCkZaTaN<br>K4P0<br>Daemon21<br>Link<br>0m3gA_x<br>LINUX<br> nitrous<br>m0rpheus<br>nikyt0x<br>KingMetal<br>Knightmare<br><br>Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!<br><br>@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@<br>'@@@@@''@@'@@@''''''''@@''@@@''@@<br>'@@'@@@@@@''@@@@@@ @@@'''''@@@ <br>'@@'''@@@@'''''''''@@@''''@@@<br>@@@@''''@@'@@@@@@@@@@''''@@@@@<br><br>/* EOF */<br><br>-- <br>Paisterist<br><br>Neo Security Team <a href="http://neosecurityteam.net">http://neosecurityteam.net</a> ------=_Part_94883_6292592.1162313436170--
