exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

waraxe-2007-SA056.txt

waraxe-2007-SA056.txt
Posted Sep 28, 2007
Authored by Janek Vind aka waraxe | Site waraxe.us

NukeSentinel version 2.5.11 suffers from another critical SQL injection vulnerability.

tags | advisory, sql injection
SHA-256 | 751572a1ba8344ba43dfda90368c4ff5c343d4c58e533eea361458d6dc46e8a5

waraxe-2007-SA056.txt

Change Mirror Download

[waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11
====================================================================

Author: Janek Vind "waraxe"
Date: 27. September 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-56.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Developer: http://www.nukescripts.net

NukeSentinel is anti-hacking sofware, used for protection phpnuke
against various security-related attacks.

Vulnerabilities: Critical Sql Injection in "nukesentinel.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's look at script "includes/nukesentinel.php" source code:

------------>[source code]<------------

function is_god($axadmin) {
global $db, $prefix, $aname;
$tmpadm = base64_decode($axadmin);
$tmpadm = explode(":", $tmpadm);
$aname = $tmpadm[0];
$apwd = $tmpadm[1];
if(!empty($aname) AND !empty($apwd)) {
$aname = trim($aname);
$apwd = trim($apwd);
$admrow = $db->sql_fetchrow($db->sql_query("SELECT * FROM
`".$prefix."_authors` WHERE `aid`='$aname'"));

------------>[/source code]<-----------

So as seen in code snippet above, data from "base64_decode()" function
is used in sql query without any sanityze.
Now is the question, which part of the code uses this function.
Here is the answer:

------------>[source code]<------------

// AUTHOR Protection
$blocker_row = $blocker_array[5];
if($blocker_row['activate'] > 0) {
if(isset($op) AND ($op=="mod_authors" OR $op=="modifyadmin" OR
$op=="UpdateAuthor" OR $op=="AddAuthor" OR $op=="deladmin2" OR
$op=="deladmin" OR $op=="assignstories" OR $op=="deladminconf")
AND !is_god($_COOKIE['admin'])) {
block_ip($blocker_row);
}
}
}

------------>[/source code]<-----------

It's easy to see, that $_COOKIE['admin'] variable will be used as argument
for "is_god()" function. And we have another critical sql injetion in place.
I have written proof-of-concept blind injection exploit for this specific
case and it's working flawlessly.
Happy news to potential victims - developer has allready patched this security
hole in NukeSentinel with releasing new version - 2.5.12

//-----> See ya soon and have a nice day ;) <-----//

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NukeSentinel's new version 2.5.12 is patched, so download it A.S.A.P.

http://www.nukescripts.net/modules.php?name=Downloads&op=getit&lid=1063


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, LINUX, y3dips, Sm0ke, Heintz, slimjim100, Chb
and anyone else who know me!
Greetings to Raido Kerna.
Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Geology readings - http://geology.oldreadings.com/
Biography Database - http://www.biosaxe.com/

---------------------------------- [ EOF ] ----------------------------
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close