Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: PHP :: c07-1886.htm

PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability

PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability
PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability

[N]eo [S]ecurity [T]eam [NST] - Advisory 31 - 2007-01-13
Program: PHP-Nuke
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability==-

- Description
PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.

- Tested
localhost & many sites

- Vulnerability Description

In /blocks/block-Old_Articles.php the "cat" variable is not sanitized correctly. Here is the vulnerable code:

==[ /blocks/block-Old_Articles.php 33-40 ]========================if ($categories == 1) {
   	$querylang = "where catid='$cat'";
    } else {
	$querylang = "";
	if ($new_topic != 0) {=09
	    $querylang = "WHERE topic='$new_topic'";
==[ end /blocks/block-Old_Articles.php 33-40 ]====================

Note that register_globals must be On, because the "cat" variable is not defined anywhere. Also, the $querylang variable is 
used after to get some database data:

==[ /blocks/block-Old_Articles.php 49 ]============================[...]
$result = $db->sql_query("SELECT sid, title, time, comments FROM ".$prefix."_stories $querylang ORDER BY time DESC LIMIT $storynum, $oldnum");
==[ end /blocks/block-Old_Articles.php 49]=========================

Then we have a link that contains the data taken from the database:

==[ /blocks/block-Old_Articles.php 94-97-101]======================[...]
$boxstuff .= "· $title $comments\n";
==[ end /blocks/block-Old_Articles.php 94-97-101 ]=================

So, in resume, if we set "categories" var to 1 by the GET method and then we set "cat" (also by the GET method) to a malicio
us sql code, we can get easily the admin data with a UNION statement. If you don't how to bypass the PHP-Nuke SQL Protection
 just read this advisory: 

magic_quotes_gpc php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix
 used for the database tables ("nuke_" by default).

==Pseudo-Code Proof of Concept exploit= 

$fp = fsockopen($host, $port, $errno, $errstr, 30);

if ($fp) {
    /* we put the GET request on $p variable, with "cid" with the malicious code and "categories" set to 1. */

    fwrite($fp, $p);

    while (!feof($fp)) {
        $content .= fread($fp, 4096);

    preg_match("/([a-z0-9]{32})/", $content, $matches);

    if ($matches[0])
    print "Hash: ".$matches[0];
==Pseudo-Code Proof of Concept exploit=
Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.

- How to fix it? More information?

You can found a patch on 

Also, you can modify the source code adding in the /index.php file some like this:

$cat = ($_GET['cat']) ? filter($_GET['cat'], "nohtml") : '';

That's a momentary solution to the problem. I recommend to get the PHP-Nuke 8.0 version.

- References

- Credits
Old-Articles Block SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - 

- Greets
HaCkZaTaN, K4P0, Daemon21, Link, 0m3gA_x, NitRic, LINUX, nitrous, m0rpheus, nikyt0x, KingMetal, Knightmare and the NST community.

Latinoamerica EXISTS!!

'@@'@@@@@@''@@@@@@ @@@'''''@@@

/* EOF */

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH