Latest SQL Injection Feedback.
Date: Wednesday, April 14 @ 17:39:01 CEST
Topic: PHP-Nuke


Janek Vind has posted his latest PHP-Nuke Exploit entitled:
waraxe-2004-SA#018 - Admin-level authentication bypass in phpnuke 6.x-7.2

After reviewing this exploit against phpnuke 6.8, 6.9, and 7.0, all patched with previously available patches, we discovered this bypass doesn't work. We did confirm unpatched phpnuke versions are affected.

You may review Janek's article on BUGTRAQ, either by a web reflector or usenet or the mailing list itself. Once again, the key to this bypass working is this section of code:

From admin.php line 16

    // Original check on the request URL
    if (preg_match("/?admin/", "$checkurl")) {
        echo "die";
        exit;
    }

If you have changed this code to:

    // Patched check: refuse any request whose URL carries an admin= parameter
    if ((!(strpos("$checkmyurl", "?admin=") === FALSE)) || (!(strpos("$checkmyurl", "&admin=") === FALSE))) {
        echo "die - email Jeruvy for details";
        exit;
    }

Then the whole thing fails. The entire discussion of this code is reviewable right here on nukecops.com so you can see for yourself that this is neither new nor a problem for those who apply the patches. So if you start seeing:
http://localhost/nuke71/admin.php?op=AddAuthor&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo@bar.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox
in your server logs, you can thank Janek.
One thing worth noting is the base64-encoded UNION, which nicely obfuscates it.

J.
j e r u v y a t y a h o o d o t c o m
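
A log check for the request pattern described above, written as an added example that is not part of the original article: it flags any request whose URL carries an admin= parameter (the same condition the patched strpos() test rejects) and base64-decodes the value for triage. The Common Log Format layout, the sample lines and the client addresses are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Request line of a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# SQL fragments to flag once the admin= value has been decoded.
SQL_RE = re.compile(r"union\s+select|/\*|--|'", re.IGNORECASE)

def decode_admin(value):
    """Base64-decode an admin= value; return None if it is not valid base64."""
    value = value.replace(" ", "+")          # parse_qs turns '+' into a space
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None

def scan(lines):
    """Return (line_no, path, decoded, sql_like) per admin= value found in a URL."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("admin", []):
            decoded = decode_admin(value)
            # Fall back to the raw value when it does not decode.
            text = decoded if decoded is not None else value
            hits.append((no, url.path, decoded, bool(SQL_RE.search(text))))
    return hits

# Constructed sample log; line 2 reuses the request quoted in the article.
SAMPLE = [
    '192.0.2.10 - - [14/Apr/2004:17:01:12 +0200] "GET /nuke71/index.php HTTP/1.1" 200 5120',
    '192.0.2.77 - - [14/Apr/2004:17:02:40 +0200] "GET /nuke71/admin.php?op=AddAuthor'
    '&add_aid=waraxe2&add_name=God&add_pwd=coolpass&add_email=foo@bar.com'
    '&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox HTTP/1.1" 200 312',
    '192.0.2.10 - - [14/Apr/2004:17:03:05 +0200] "GET /nuke71/modules.php?name=News HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
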





This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=1914