... then we will see standard PHP error messages, revealing the full path to the script:
Warning: fsockopen() expects parameter 2 to be long, string given in D:\apache_wwwroot\nuke72\admin\modules\blocker_query.php on line 305
Port foobar does not appear to be open.
The reason is that the script does not check the validity of portNum, which must be an integer in the range 1..65535.
B. Cross-site scripting aka XSS (in integrated Network Query Tool)
B1 - XSS through unsanitized user submitted variable "target"
As we can see, $last_page has the value of the urldecoded QUERY_STRING. So if we add something like %27 to the query
string, then after urldecode() we have "'" (a single quote), and this can be the
beginning of a brand new SQL injection case. Let's look further:
###################################
#Page Tracker Function by Kipuka
#
###################################
if ($tracker_del_on == 1) {
    $max_tracker_check = $db->sql_query("SELECT count(*) as count FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id'");
    $numrows = $db->sql_numrows($max_tracker_check);
    if ($numrows > 0) {
        list($count) = $db->sql_fetchrow($max_tracker_check);
    }
    //die("$last_page");
    if ($count < $tracker_max_b) {
        // $last_page is the urldecoded QUERY_STRING, interpolated here without any escaping
        $db->sql_query("INSERT DELAYED INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");
    } else {
        $tracker_limitB = $count - $tracker_max_b;
        $result = $db->sql_query("SELECT id FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' ORDER BY page_date LIMIT ".$tracker_limitB.",1");
        $numrows = $db->sql_numrows($result);
        if ($numrows > 0) {
            $row = $db->sql_fetchrow($result);
            $page_id = $row['id'];
            $db->sql_query("DELETE FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' AND id <= '$page_id'");
        }
        $xxx = mysql_error();
        die("$xxx");
        $db->sql_query("INSERT INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");
    }
}
So, an SQL injection possibility exists, but not in a "SELECT ... FROM" clause; it is in an "INSERT INTO" construction. So forget the
UNION and JOIN tricks. And MySQL version 4.1 is not yet in wide use, so we can't use subselects ...
Therefore this is a noncritical SQL injection case, but anyway, a potential attacker can use this security hole to
accomplish some tasks by using built-in MySQL functions like:
Because the attacker doesn't have visual feedback from the script, "blindfolded" methods must be used, for example
the "benchmark" method. This can be implemented in a Perl (PHP, Python, etc...) script, using HTTP requests similar to this:
I have written proof-of-concept code in Perl for this exploit and it works perfectly.
D. Easy bypass of the anti-sql-injection filters
Protector System implements various filters against XSS and SQL injection. Examples:
...
//IF the user sending any $_SERVER["HTTP_REFERER"] then continue
if (strlen($_SERVER["HTTP_REFERER"]) > 0) {
//If the user is POSTing from another server do a scan
if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp) && !ereg("(http://$_SERVER[HTTP_HOST])", $_SERVER["HTTP_REFERER"]))
{
$original_ip = long2ip(-(4294967296-$ipcheck));
$the_error = "User $the_blocked_user with IP $original_ip tried to send information thru a POST method\r\n"
...
if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp))
{
//Just send a mail incase =)
if ($pro_mail && $pro_mail != '' && $mail_blocker == '1') { mail($pro_mail, $blocker_subject, $the_unset_error, $headers); }
unset($_POST[$FormFieldName]);
echo "<p><h1>Your Attempt to use SQL exploit was blocked</h1>";
echo "<i>Powered whit Protector System</i>";
die();
}
}
...
if($sec_cookieB == '1')
foreach ($_COOKIE as $cookie_name => $value_cookie) {
$result = $db ->sql_query("SELECT cookie FROM ".$prefix."_blocked_agent WHERE cookie = '$cookie_name'");
if($db->sql_numrows($result)>0 && !empty($_COOKIE))
{
if (eregi("union\ |&#?[a-zA-Z0-9]+;|:\/\/|\.\.\/|[$<>{}\(\)\"'`]", $value_cookie)) {
$value_cookie = htmlspecialchars($value_cookie, ENT_QUOTES);
setcookie($cookie_name,"", time() - 3600);
unset($_COOKIE[$cookie_name]);
}
...
###########################################################################
#Block unvanted GET code!
#Security scan of REQUEST_METHOD GET
This whitepaper, written by Ofer Maor and Amichai Shulman, describes various methods to
bypass SQL injection detection, and its final conclusion is:
"At this point, we believe the conclusion of this paper is clear to the
reader. Signature protection against SQL Injection is simply not
enough. Although this paper demonstrates only some of the variety
of evasion techniques for avoiding SQL Injection signatures, some or
even all of these techniques are likely to operate on most of today's
signature protection mechanisms."
I agree with this one hundred percent. So let's try to fool the SQL injection filters in
Protector System in practice. First, we make a request like this:
It is a lot better when all the Php-Nuke experts work together on creating security measures.
In your post, you have Charserv and Raven offering solutions. Then here we have Zhen's new script.
I will implement all changes ASAP...
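The INSERT injection described in the advisory above, as an added example that is not part of the original post or of Protector System's code. It rebuilds the interpolated INSERT from blocker.php in Python on top of sqlite3, so the advisory's MySQL-specific BENCHMARK timing trick is not shown; INSERT DELAYED becomes a plain INSERT, the table prefix "nuke" and the column types are assumed, and the column names are the ones in the advisory's query. The same URL-decoded query string goes through the interpolated statement and through a parameterised one. There is no UNION here, but the attacker still owns the rest of the row: a constructed payload that closes the last_page literal and comments out the server-supplied tail writes a row with an attacker-chosen page_date and id_tracker. unquote_plus is used because PHP's urldecode() also turns "+" into a space.

```python
import sqlite3
from urllib.parse import unquote_plus

PREFIX = "nuke"  # assumed value of $prefix; the real prefix is site-configurable
TABLE = PREFIX + "_blocked_pagetracker"


def build_tracker_insert(last_page: str, date: str, access_id: str) -> str:
    """The string interpolation from blocker.php: no escaping of any value.
    INSERT DELAYED is MySQL-only, so a plain INSERT is used for sqlite."""
    return ("INSERT INTO " + TABLE + " (last_page, page_date, id_tracker) "
            "VALUES ('" + last_page + "', '" + date + "', '" + access_id + "')")


def new_db() -> sqlite3.Connection:
    # Column names come from the INSERT in the advisory; the types are assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE " + TABLE + " (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "last_page TEXT, page_date TEXT, id_tracker TEXT)")
    return conn


def track_vulnerable(conn, query_string: str, date: str, access_id: str) -> None:
    # $last_page = urldecode($_SERVER['QUERY_STRING']); unquote_plus matches
    # PHP's urldecode(), which decodes %XX and turns '+' into a space.
    last_page = unquote_plus(query_string)
    conn.execute(build_tracker_insert(last_page, date, access_id))
    conn.commit()


def track_safe(conn, query_string: str, date: str, access_id: str) -> None:
    # Same decode, but the values are bound as parameters and never parsed as SQL.
    last_page = unquote_plus(query_string)
    conn.execute("INSERT INTO " + TABLE + " (last_page, page_date, id_tracker) "
                 "VALUES (?, ?, ?)", (last_page, date, access_id))
    conn.commit()


def rows(conn) -> list:
    return conn.execute("SELECT last_page, page_date, id_tracker FROM " + TABLE +
                        " ORDER BY id").fetchall()


# Constructed query string (not from the advisory). Decoded it reads
#   foo', '2000-01-01', '999') --
# which closes the last_page literal, supplies its own page_date and id_tracker,
# closes VALUES(...) and comments out the server-supplied tail.
PAYLOAD = "foo%27%2C+%272000-01-01%27%2C+%27999%27%29+--+"


def demo():
    """Returns (rows written by the vulnerable path, rows written by the safe path)."""
    vuln, safe = new_db(), new_db()
    track_vulnerable(vuln, PAYLOAD, "2004-04-25", "1")
    track_safe(safe, PAYLOAD, "2004-04-25", "1")
    return rows(vuln), rows(safe)


if __name__ == "__main__":
    for label, result in zip(("interpolated", "parameterised"), demo()):
        print(label, result)
```

Compare the two results of demo(): the interpolated path stores ('foo', '2000-01-01', '999'), i.e. a tracker entry for an id the client never legitimately had, while the parameterised path stores the whole decoded payload as a literal last_page and keeps the server-side date and access id. Parameter binding is the check that does not depend on anticipating every quoting trick; a per-character escaping function only helps for the characters it happens to escape.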
Stephen2417 Major
Joined: Dec 26, 2003
Posts: 1135
Location: Bristolville, OH (US)
Posted:
Sun Apr 25, 2004 8:11 am
Can someone post what the fix is at nukefixes? I'm having computer problems and I'm getting a DNS error.
I'm waiting for someone to help me on CCSP.
MisterWORK Support Mod
Joined: Jun 11, 2003
Posts: 245
Posted:
Sun Apr 25, 2004 12:48 pm
Too bad he didn't mail me. But thanks to VinDSL who mailed me about this. And as I said on my own support site: DELETE the file blocker_query.php.
This was just a 3rd-party addon script I put in before my system even was a Protector System and just a ban system, and it has no function directly used by my system. We can still use outside query sites for this function, so I say this again: DELETE the file blocker_query.php.
And about the index.php?foobar%27,IF bla bla, I think I can just use the function addslashes(string str);
So now we "only" have the U/**/NION thing left, and I just post this as a very fast answer (I have barely read the whole "Multiple vulnerabilities in Protector System" thing).
I myself tried that and can't get any data from my db. Might be me who just misunderstands the whole U/**/NION thing here, but when I tried with the real UNION then I get data. But I promise I will look at this, and others with me (I hope).
_________________ Protector System for phpNuke.
Current Version Released: 1.15.b2 (05/12-04)
Support site: http://protector.warcenter.se
foxyfemfem Support Staff
Joined: Jan 23, 2003
Posts: 668
Location: USA
Posted:
Sun Apr 25, 2004 1:59 pm
Hello Mister,
My blocker.php file has this...
//$db->sql_query("INSERT INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) values ('$last_page', '$date', '$access_id')");
*Note the line in question is commented out. If this is commented out, does that mean it's still vulnerable and I still need to add addslashes($last_page); before that statement?
_________________ If you shoot for the moon and miss, you'll still be amongst the stars.
genoxide Sergeant
Joined: Jun 19, 2003
Posts: 80
Posted:
Sun Apr 25, 2004 7:29 pm
foxyfemfem, repeat your search and you will find out that there is another line with the same code Mister told us about.
bohrme Sergeant
Joined: Nov 10, 2003
Posts: 104
Location: Fall River, MA
Posted:
Mon Apr 26, 2004 6:19 pm
Couldn't a substitution take place (somewhere) on the URI that replaces all instances of /*(any character)*/ with a null?
This little snippet works to clear out that /**/ nonsense:
That is already sorted, but thanks for your info. I will release a fixed blocker.php file later on today. You must visit my site for info about that later. http://protector.warcenter.se
_________________ Protector System for phpNuke.
Current Version Released: 1.15.b2 (05/12-04)
Support site: http://protector.warcenter.se
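The signature-evasion point from section D of the advisory and the /**/-stripping idea raised just above, as an added example that is not part of the original posts or of Protector System's code. It ports the eregi() signature shown in section D to Python, then adds a normalisation step before matching (strip /* */ comments, fold runs of the characters MySQL's lexer treats as whitespace into one space; that character set is an assumption here), and runs a set of constructed payloads through both. The comment and newline variants get past the raw signature and are caught after normalisation; union(select ...) still gets past both, because the signature insists on a literal space after "union" while MySQL's lexer needs none before a parenthesis. A comment inside the keyword itself (u/**/nion) is not a working bypass at all: MySQL reads it as the two tokens "u" and "nion", so it is blocked by neither filter and also never executes as a UNION.

```python
import re

# Port of the eregi() signature from Protector System's blocker.php (section D
# above): "union", one or more spaces, optional "all "/"distinct ", spaces,
# "select ", or "../". ereg's "\ " is simply a literal space.
PROTECTOR_SIG = re.compile(
    r"(^|[^a-zA-Z0-9])union( )+(all |distinct )?( )*select |\.\./",
    re.IGNORECASE,
)

# Assumed set of characters MySQL's lexer treats as whitespace.
MYSQL_WS = r"[ \t\n\r\x0b\x0c]+"
C_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def normalize(value: str) -> str:
    """Rewrite the input the way MySQL will tokenise it: every /* */ comment
    and every whitespace run becomes a single space."""
    value = C_COMMENT.sub(" ", value)
    return re.sub(MYSQL_WS, " ", value)


def raw_filter_blocks(value: str) -> bool:
    """What Protector does: match the signature against the value as sent."""
    return PROTECTOR_SIG.search(value) is not None


def normalized_filter_blocks(value: str) -> bool:
    """Same signature, applied after normalisation."""
    return PROTECTOR_SIG.search(normalize(value)) is not None


# Constructed payloads (not from the advisory); "-- " is the MySQL line comment.
SAMPLES = {
    "plain":         "1' union select 1,2-- ",
    "comment":       "1' union/**/select 1,2-- ",
    "newline":       "1' union\nselect 1,2-- ",
    "parenthesis":   "1' union(select 1,2)-- ",
    # Not valid SQL: the comment splits the keyword into the tokens 'u' and 'nion'.
    "split_keyword": "1' u/**/nion/**/select 1,2-- ",
}


def evaluate(samples=SAMPLES):
    """(raw verdict, normalised verdict) per sample; True means blocked."""
    return {name: (raw_filter_blocks(v), normalized_filter_blocks(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print(f"{name:14s} raw={raw!s:5s} normalized={norm}")
```

Run the script to see the (raw, normalised) verdict per sample. Normalisation closes the comment and newline gaps that the thread is discussing, but the parenthesis case shows why the whitepaper quoted in the advisory reaches the conclusion it does: a signature is a guess at the attacker's spelling, and the database's parser will always accept spellings the signature did not anticipate.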
bohrme Sergeant
Joined: Nov 10, 2003
Posts: 104
Location: Fall River, MA
Posted:
Tue Apr 27, 2004 2:55 am
Will this new blocker.php be 1.15.xx specific, or can it be used with 1.14.xx as well? I'm sure there are many people out there who have yet to upgrade.