phpnuke79-sql.txt

`/*  
--------------------------------------------------------  
[N]eo [S]ecurity [T]eam [NST] - Advisory 31 - 2007-01-13  
--------------------------------------------------------  
Program: PHP-Nuke  
Homepage: http://www.phpnuke.org  
Vulnerable Versions: PHP-Nuke <= 7.9  
Risk: Medium  
Impact: Medium Risk  
  
-==PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability==-  
---------------------------------------------------------  
  
- Description  
---------------------------------------------------------  
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.  
  
- Tested  
---------------------------------------------------------  
localhost & many sites  
  
- Vulnerability Description  
---------------------------------------------------------  
  
In /blocks/block-Old_Articles.php the "cat" variable is not sanitized correctly. Here is the vulnerable code:  
  
==[ /blocks/block-Old_Articles.php 33-40 ]=========================  
if ($categories == 1) {  
$querylang = "where catid='$cat'";  
} else {  
$querylang = "";  
if ($new_topic != 0) {   
$querylang = "WHERE topic='$new_topic'";  
}  
}  
==[ end /blocks/block-Old_Articles.php 33-40 ]=====================  
  
  
Note that register_globals must be On, because the "cat" variable is not defined anywhere. Also, the $querylang variable is   
used after to get some database data:  
  
==[ /blocks/block-Old_Articles.php 49 ]=============================  
[...]  
$result = $db->sql_query("SELECT sid, title, time, comments FROM ".$prefix."_stories $querylang ORDER BY time DESC LIMIT $storynum, $oldnum");  
[...]  
==[ end /blocks/block-Old_Articles.php 49]==========================  
  
  
Then we have a link that contains the data taken from the database:  
  
==[ /blocks/block-Old_Articles.php 94-97-101]=======================  
[...]  
$boxstuff .= "<tr><td valign=\"top\"><strong><big>&middot;</big></strong></td><td> <a href=\"modules.php?name=News&file=article&sid=$sid$r_options\">$title</a> $comments</td></tr>\n";  
==[ end /blocks/block-Old_Articles.php 94-97-101 ]==================  
  
  
So, in resume, if we set "categories" var to 1 by the GET method and then we set "cat" (also by the GET method) to a malicio  
us sql code, we can get easily the admin data with a UNION statement. If you don't how to bypass the PHP-Nuke SQL Protection  
just read this advisory:   
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-and-Bypass-SQL-Injection-Protection-vulnerabilities-27.html  
  
magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix  
used for the database tables ("nuke_" by default).  
  
==Pseudo-Code Proof of Concept exploit==  
<?  
/*  
  
Neo Security Team - Pseudo-Code Proof of Concept Exploit  
PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability  
  
http://www.neosecurityteam.net  
Paisterist  
  
*/  
set_time_limit(0);  
$host="localhost";  
$path="/phpnuke/";  
$port="80";  
$fp = fsockopen($host, $port, $errno, $errstr, 30);  
  
if ($fp) {  
/* we put the GET request on $p variable, with "cid" with the malicious code and "categories" set to 1. */  
  
fwrite($fp, $p);  
  
while (!feof($fp)) {  
$content .= fread($fp, 4096);  
}  
  
preg_match("/([a-z0-9]{32})/", $content, $matches);  
  
if ($matches[0])  
print "<b>Hash: </b>".$matches[0];  
}  
?>  
==Pseudo-Code Proof of Concept exploit==  
  
Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.  
  
- How to fix it? More information?  
--------------------------------------------------------  
  
You can found a patch on http://www.neosecurityteam.net/foro/  
  
Also, you can modify the source code adding in the /index.php file some like this:  
  
$cat = ($_GET['cat']) ? filter($_GET['cat'], "nohtml") : '';  
  
That's a momentary solution to the problem. I recommend to get the PHP-Nuke 8.0 version.  
  
- References  
--------------------------------------------------------  
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-Old-Articles-Block-cat-SQL-Injection-vulnerability-31.html  
http://www.neosecurityteam.net/advisories/PHP-Nuke--7.9-SQL-Injection-and-Bypass-SQL-Injection-Protection-vulnerabilities-27.html  
  
  
- Credits  
--------------------------------------------------------  
Old-Articles Block SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com  
  
[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/  
  
  
- Greets  
--------------------------------------------------------  
HaCkZaTaN, K4P0, Daemon21, Link, 0m3gA_x, NitRic, LINUX, nitrous, m0rpheus, nikyt0x, KingMetal, Knightmare and the NST community.  
  
Latinoamerica EXISTS!!  
  
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@  
'@@@@@''@@'@@@''''''''@@''@@@''@@  
'@@'@@@@@@''@@@@@@ @@@'''''@@@  
'@@'''@@@@'''''''''@@@''''@@@  
@@@@''''@@'@@@@@@@@@@''''@@@@@  
  
/* EOF */  
`