Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16739
HistoryApr 17, 2007 - 12:00 a.m.

PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities

2007-04-1700:00:00
vulners.com
16

PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities


PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All version
BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections vulnerabilities
AUTHOR: Aleksandar


Let's look at source code from mainfile.php line 435


//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if(isset($SERVER['QUERY_STRING'])) {
if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$SERVER['QUERY_STRING']), $matches)) {
die('Illegal Operation 1');
}
}
if(!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
$queryString = $SERVER['QUERY_STRING'];
if (($SERVER['PHP_SELF'] != "/index.php") OR !isset($url))
{
if (stristr($queryString,'http://')) die('Illegal Operation 2');
}
if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'/')) OR (stristr($queryString,'/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR (stristr($queryString,'+union+')) OR ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR (stristr($queryString,'concat'))) {
die('Illegal Operation 3');
}
}
______________________________________

So we can se different filters. :)

Let’s start whit a testing:

TEST 1
http://localhost/nuke/?/*
So we will se this message: Illegal Operation 3

TEST 2
http://localhost/nuke/?&#37;2f*

Yeah - we got through :)

TEST 3
http://localhost/?&#37;20UNION&#37;20SELECT

Illegal Operation 1

TEST 4
http://localhost:8080/html80/?&#37;2f**/UNION&#37;2f**/SELECT

Yeah - we got through :)

PATCH:


if ((stristr($queryString,'%20union%20')) OR (stristr($queryString,'%2f')) OR (stristr($queryString,'/')) OR (stristr($queryString,'/union/*')) OR (stristr($queryString,'c2nyaxb0')) OR (stristr($queryString,'+union+')) OR ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR (stristr($queryString,'concat'))) {
die('Illegal Operation');
}


Multiple SQL Injection vulnerability in Web_Links, News and Download module

+++++++++++++++++++++++++++

PHP.ini
Magic Quotes = OFF
Register Global = ON
+++++++++++++++++++++++++++

Now Let's look at source code from Web_Links/index.php:

Vulnerability function

function viewlinkcomments($lid) {
global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
include("header.php");
include("modules/$module_name/l_config.php");
menu(1);
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'")); // BUG —> $lid
$ttitle = filter($row['title'], "nohtml");
$lid = intval(trim($lid)); //WTF?<===== lol ??? :):):):):)
echo "<br>";

How to fix:

Add $lid = intval(trim($lid)); before $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));


function viewlinkcomments($lid) {
global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
include("header.php");
include("modules/$module_name/l_config.php");
menu(1);
$lid = intval(trim($lid)); // FIX
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
$ttitle = filter($row['title'], "nohtml");
//$lid = intval(trim($lid)); // REMOVE THIS LINE !!!
echo "<br>";


Vulnerability Functions:

function viewlinkcomments($lid) {
function viewlinkeditorial($lid){
function viewlinkcomments($lid){
function ratelink($lid, $user) {

The "$lid" variable isn't filtered, so if we bypass the sql injection protection we can execute arbitrary sql commands.

SQL Injection vulnerability in Downloads
Vulnerability Functions:

function viewdownloadeditorial($lid) {
function viewdownloadcomments($lid) {
function ratedownload($lid, $user) {

The "$lid" variable isn't filtered , so if we bypass the sql injection protection we can execute arbitrary sql commands.

SQL Injection vulnerability in News
Vulnerability Function:

function rate_complete($sid, $rated=0, $score) {

The "$sid" variable isn't filtered , so if we bypass the sql injection protection we can execute arbitrary sql commands.

Best Regards
Aleksandar
Programmer and Web Developer