16.4 PHP-Nuke Examples


This section covers some example attacks against PHP-Nuke, a free, open source web site framework written in PHP. The application runs on many platforms (Windows, Linux, Unix) and can interface with multiple databases (MySQL, MS SQL, Oracle, etc.). It can be downloaded from http://www.phpnuke.org.

In order to follow along, please install the application on your system; Linux installation directions are provided for convenience. Keep in mind that it should not be used for any production purposes.

16.4.1 Installing PHP-Nuke

We assume that you have a modern Linux system. PHP-Nuke requires that MySQL, PHP, and Apache are installed. You might also need to install the following RPM packages, if you are using Red Hat Linux (all of these are included in the distribution; some other prerequisites might need to be satisfied):

  • mysql

  • httpd

  • php

  • php-mysql

The application is surprisingly easy to install and configure and will produce a flexible database-driven web site, complete with all the latest SQL injection vulnerabilities, in minutes.

Follow these steps to get the application up and running:

  1. Download the application:

     $ wget http://umn.dl.sourceforge.net/sourceforge/phpnuke/PHP-Nuke-6.5.tar.gz

  2. Unpack the resulting archive:

     $ tar zxf PHP-Nuke-6.5.tar.gz

  3. Start the database server:

     # /etc/init.d/mysql start

  4. Create the database using the MySQL administrator tool:

     # mysqladmin create nuke

  5. Create all the required database structures using the included "nuke.sql" script:

     # cd sql ; mysql nuke < nuke.sql

  6. Copy the unpacked files to a location "visible" to the web server (such as /var/www/html/nuke).

  7. Start the Apache web server:

     # /etc/init.d/httpd start

  8. Browse http://127.0.0.1/nuke/html/. This should show the site up and running.

  9. Go to http://127.0.0.1/nuke/html/admin.php. Now create an administrator password to configure the application.

16.4.2 Attacks

We are ready to hit PHP-Nuke with everything we have. If you search Google for "PHP-Nuke SQL hack" you will find dozens of different holes and attack URLs. Here we will demonstrate an attack that saves confidential data into a file.

Launch a browser and access the following URL:[8]

http://127.0.0.1/nuke/html/banners.php?op=Change&cid='%20OR%201=1%20INTO%20OUTFILE%20'/tmp/secret.txt

[8] This attack was first publicized by Frogman in this post: http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0146.html.

Now check the system where PHP-Nuke is running. In the /tmp directory, a file has been created that contains the passwords needed to update the banners on the site. Note that these are not the default passwords for site access but the banner client passwords, which might not exist by default; in that case the file will end up empty. The file will be owned by the user "mysql".

Let's look at the above attack URL in more detail. We will split it into parts and explain each of them, as in Table 16-8.

Table 16-8. The attack URL

  Part of the attack URL                   Explanation
  ---------------------------------------  -----------------------------------------------------
  http://127.0.0.1/                        The site IP address.
  /nuke/html/banners.php                   The PHP script that is being executed.
  ?                                        Separator between the script and the parameters.
  op=Change&cid=                           Part of the legitimate request, including the command
                                           invoked in the script (change banner URL).
  '%20OR%201=1%20INTO%20OUTFILE%20'        The actual attack SQL. Since %20 is decoded to a
                                           space, this means: ' OR 1=1 INTO OUTFILE '
  /tmp/secret.txt                          Filename to hold the data.

This URL contains some of the attack elements we have studied. There is an evil quote character, an "OR 1=1" blast, and a SQL command. Note that we do not use any UNIONs or SELECTs but instead go for the less common INTO OUTFILE.

To see what we had accomplished, we started the "mysql" database server in logging mode (using the --log flag), which logs all executed SQL queries to a file (usually /var/lib/mysql/query.log). In the case of this attack, we find the following statement in the log:

 SELECT passwd FROM nuke_bannerclient WHERE cid='' OR 1=1 INTO OUTFILE '/tmp/secret.txt' 

This command runs on the "mysql" server and dumps the output into a file, just as the attacker desired. It can be loosely divided into the legitimate part ("SELECT passwd FROM nuke_bannerclient WHERE cid=''") and the injected part ("OR 1=1 INTO OUTFILE '/tmp/secret.txt'"). The quote supplied in cid closes the empty string the script opened, and the query's own closing quote ends the filename, so the statement remains syntactically valid.

There are dozens of other possible attacks against this application; look for them and try them on your system (for educational purposes only, of course). Run MySQL with query logging enabled to observe the malicious queries.
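The query log is also where these attacks are easiest to spot after the fact. The following is an added example, not code from the book or from PHP-Nuke: it flags statements with the shape seen above (an always-true OR clause, INTO OUTFILE, or UNION SELECT) in lines of a MySQL query log. The log excerpt is constructed, and the exact log layout varies between MySQL versions.

```php
<?php
// Added example (not from the book): flag injection-looking statements in
// MySQL query log lines such as those produced by --log. The patterns are
// deliberately narrow; they catch the shapes discussed in this section.

const SUSPICIOUS_PATTERNS = [
    'file write via SELECT'  => '/\bINTO\s+(OUTFILE|DUMPFILE)\b/i',
    // a quote closing a string, then OR x=x with the same token on both sides
    'always-true OR clause'  => '/\'\s*OR\s+[\'"]?(\w+)[\'"]?\s*=\s*[\'"]?\1[\'"]?/i',
    'UNION-based select'     => '/\bUNION\b.*\bSELECT\b/i',
];

// Returns the names of every pattern that matches the query text.
function suspicious_patterns_in(string $query): array
{
    $hits = [];
    foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $query)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed log excerpt: a legitimate lookup, the attack query from this
// section, and an unrelated banner update.
$log = <<<'LOG'
040321 10:12:01       5 Query   SELECT passwd FROM nuke_bannerclient WHERE cid='3'
040321 10:12:07       5 Query   SELECT passwd FROM nuke_bannerclient WHERE cid='' OR 1=1 INTO OUTFILE '/tmp/secret.txt'
040321 10:12:09       6 Query   UPDATE nuke_banner SET clickurl='http://example.com/' WHERE bid=2
LOG;

foreach (explode("\n", $log) as $n => $line) {
    $hits = suspicious_patterns_in($line);
    if ($hits) {
        printf("line %d: %s\n    %s\n", $n + 1, implode(', ', $hits), $line);
    }
}
```

Only the second line is reported, with both the always-true OR clause and the INTO OUTFILE pattern named.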

16.4.3 Defenses

The code was fixed to patch some of the vulnerabilities used above after they were disclosed. Let's look at some applied fixes.

The above exploit was caused by the following PHP code within the "banners.php" module, in the change_banner_url_by_client( ) function:

 $sql = "SELECT passwd FROM ".$prefix."_bannerclient WHERE cid='$cid'"; 

The function is called from another location within the same script:

 case "Change": change_banner_url_by_client($login, $pass, $cid, $bid, $url, $alttext); break; 

The unfortunate variable $cid is populated by the client's request, which leads to the SQL injection.

This bug can easily be fixed by making sure that $cid contains only numbers (as it should). The PHP function is_numeric( ) can be used to accomplish this. Another fix, suggested by the original researcher of this bug, is also valid: it uses the PHP statement $cid=addslashes($cid) to escape any special characters and thus neutralize the attack. It was such an easy thing to fix, but sadly it was slow to be done. At least three subsequent versions of PHP-Nuke came out with the same vulnerability.
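To make the fix concrete, here is an added example (written for a current PHP, not PHP-Nuke's own code) that puts the vulnerable query construction beside a version guarded by the is_numeric( ) check described above and beside the addslashes( ) variant. The function and variable names are assumptions chosen to mirror the text; the sample inputs are constructed.

```php
<?php
// Added example, not PHP-Nuke's own code: the query-building line from
// banners.php beside hardened versions. $prefix and $cid mirror the names
// used in change_banner_url_by_client().

// Vulnerable form: $cid comes from the request and is interpolated as-is.
function build_query_vulnerable(string $prefix, string $cid): string
{
    return "SELECT passwd FROM " . $prefix . "_bannerclient WHERE cid='$cid'";
}

// Hardened form: a client id must be numeric, so anything else is refused
// before it reaches SQL. Returns null when the request should be rejected.
function build_query_hardened(string $prefix, string $cid): ?string
{
    if (!is_numeric($cid)) {
        return null;
    }
    $cid = (int) $cid;   // normalise to a plain integer; no quote survives this
    return "SELECT passwd FROM " . $prefix . "_bannerclient WHERE cid='$cid'";
}

// Alternative from the original advisory: escape rather than reject.
// addslashes() knows nothing about the connection's character set, so for
// a value that is supposed to be an id the validation above is preferable.
function build_query_escaped(string $prefix, string $cid): string
{
    $cid = addslashes($cid);
    return "SELECT passwd FROM " . $prefix . "_bannerclient WHERE cid='$cid'";
}

// Constructed inputs: a legitimate id and the attack value as it arrives in
// $cid after URL decoding of the request shown earlier in this section.
$legit  = "7";
$attack = "' OR 1=1 INTO OUTFILE '/tmp/secret.txt";

echo "vulnerable: ", build_query_vulnerable("nuke", $attack), "\n";
echo "hardened:   ", var_export(build_query_hardened("nuke", $attack), true), "\n";
echo "hardened:   ", build_query_hardened("nuke", $legit), "\n";
echo "escaped:    ", build_query_escaped("nuke", $attack), "\n";
```

The vulnerable line reproduces the statement found in the query log above, the hardened version rejects the attack value outright and passes the legitimate id through, and the escaped version keeps the injected quotes inside the string literal.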



Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211