PROGRAM: Nuke-Evolution & NukeSentinel
HOMEPAGE: http://www.nuke-evolution.com/
VERSION: All versions
BUG 1 NukeSentinel Bypass SQL Injection Protection
BUG 2 Nuke Evolution <= 2.0.3 SQL Injections vulnerabilities
AUTHOR: Aleksandar
NukeSentinel Bypass SQL Injection Protection
nukesentinel.php Line 270-290
// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
if (stristr($nsnst_const['query_string'],'+union+') OR stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'/union/') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'+union+') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'/union/') OR stristr($nsnst_const['query_string_base64'],' union ')) {
// block_ip($blocker_row);
die("BLOCK IP 1 " );
}
}
// Check for CLIKE attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[2];
if($blocker_row['activate'] > 0) {
if (
stristr($nsnst_const['query_string'],'/') OR
stristr($nsnst_const['query_string_base64'],'/') OR
stristr($nsnst_const['query_string'],'/') OR
stristr($nsnst_const['query_string_base64'],'/')) {
// block_ip($blocker_row);
die("BLOCK IP 2 " );
}
}
Example(Bypass SQL Injection Protection):
PHPNuke + NukeSentinel
http://localhost/php-nuke/?%2f**%2fUNION%2f**%2fSELECT … etc
Nuke-Evolution + NukeSentinel
http://localhost/nuke-evolution/?%2f**%2fUNION%2f**%2fSELECT … etc
Nuke-Evolution Basic 2.0.3
Open source content management system, which features customizable blocks, modules, multilanguage support and themes. With importance on security, speed and usability.
A PHP-Nuke based CMS with added security, functionality, and core improvements.
Site:http://www.nuke-evolution.com/
Your_Account/index.php
Vulnerability code:
case "userinfo":
//include("modules/$module_name/public/userinfo.php");
/[BEGIN]*************************************
[ Mod: YA Merge v1.0.0 ]
*****/
//The "$username" variable isn't filtered!!!
$result = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'<pre><br>");
$uid = $db->sql_fetchrow($result);
Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]);
die();
/[END]
[ Mod: YA Merge v1.0.0 ]
******************************************************/
break;
Results:
MOZILA FIREFOX
URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH
MOZILA FIREFOX
Live HTTP Headers - Firefox Add-ons
http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH
GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,/;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
News/read_article.php line 66
Vulnerability code:
++++++++++++++++++++++++++++++++++
// //The "'$sid" variable isn't filtered!!!
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";
$result = $db->sql_query($sql);
++++++++++++++++++++++++++++++++++
FIX
++++++++++++++++++++++++++++++++++
$sid= intval($sid); // FIX
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";
$result = $db->sql_query($sql);
++++++++++++++++++++++++++++++++++
Donate/index.php line 33 & 46
Vulnerability code:
if (is_numeric($uid)) { // LOL :)
$uid = intval($uid); :) LOL
}
…
// Line 46
} elseif (!empty($uid)) {
include_once(NUKE_BASE_DIR.'header.php');
$sql = "SELECT username FROM ".$user_prefix."_users where user_id='$uid'"; // BOOM - > SQL injection
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$name = $row['username'];
FIX
++++++++++++++++++++++++++++++++++++++
///if (is_numeric($uid)) { REMOVE THIS LINE
$uid = intval($uid);
///} REMOVE THIS LINE
++++++++++++++++++++++++++++++++++++++
Best Regards
Aleksandar
Programmer and Web Developer