Re: NukeSentinel Bypass SQL Injection & Nuke Evolution <= 2.0.3 SQL Injections
Perhaps you did not report this to me first (or at all) because, if you had, I
would have told you how these do not work and how you were wrong, which I
guess would mean that you could not post this. It is the only explanation I
can come up with.
There is no excuse for not contacting an author before posting one of these. I
am totally accessible through numerous channels of contact on the Evolution
site. Please contact me first next time.
Now to point out the mistakes you made in this post.
With the exception of News/read_article.php, all of the lines have been fixed or
removed since v2.0.0 Final. That said, <= v2.0.0 Final is no longer
available from us, and we have told everyone to upgrade to it since late last
year. It (<= v2.0.0) was completely deprecated on Feb 28th of this year.
Even so, the security features protect the older site from having any of these
work, hence why I will not fix any of these but the read_article.
But in an effort to be fair (even though you were not), I will go over each point
you have made.
Bug 1 (the sentinel bypass) will not work, and has not worked in any version of
Evo. If you look at the st_clean_string function in that file you will see
"%2f" gets changed to "%20" in any lines before it is checked for UNION or
CLIKE.
Testing your example in all versions of Evo resulted in a block from sentinel
and no data getting passed back. Even the live headers do not show a valid
hack.
If you were to disable Sentinel, it still doesn't work. If you look in the db
layer you will see each query gets checked for a UNION before being executed.
If a UNION is found it is broken up. So again your exploit does not work.
If you disable both sentinel and the db layer security, only then will any of
the examples you gave work. In order to do this you have to manually
remove the sentinel include and the union checking function in the db layer.
Your_Account/index.php - Has been fixed since v2.0.0 RC2 (which is also
deprecated) by:
$username = Fix_Quotes($_REQUEST['username']);
News/read_article.php - Your only semi-valid point, and it will be fixed in the
next release. Though, as stated before, it is not exploitable unless both layers of
security have been manually removed.
Donate/index.php - This module was completely removed in v2.0.0 RC1 (which is
also deprecated).
Please feel free to contact me if you feel that I am wrong or have any other
information.
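
The two checks the reply describes (a normalising keyword filter in front of the request, and a UNION check in the database layer before a query runs) are modelled below in Python as an added example. This is not Nuke Evolution or NukeSentinel code and is not the author's: the function names, the case-insensitive handling of "%2f", the way a matched UNION is "broken up" (here split into "UN ION"), and the table and column names in the sample query are all assumptions made for illustration, and the sample request values are constructed.

```python
import re
from urllib.parse import unquote

# Constructed model of the two keyword checks described in the post above.
# It is NOT Nuke Evolution / NukeSentinel code; the names, the exact
# "break up" step and the sample query are assumptions for illustration.

UNION_RE = re.compile(r"\bunion\b", re.IGNORECASE)


def st_clean_string_model(value: str) -> str:
    """Normalise a request parameter before keyword matching.

    Models the step the post describes: an encoded slash ("%2f") is
    rewritten to an encoded space ("%20") and the value is then
    percent-decoded, so "UNION%2f**%2fSELECT" is seen as "UNION ** SELECT".
    Matching "%2f" case-insensitively is an assumption of this model.
    """
    normalised = re.sub(r"%2f", "%20", value, flags=re.IGNORECASE)
    return unquote(normalised)


def sentinel_blocks(value: str) -> bool:
    """First layer (model of the sentinel check): block the request when
    the normalised parameter contains the UNION keyword."""
    return UNION_RE.search(st_clean_string_model(value)) is not None


def db_layer_model(sql: str) -> str:
    """Second layer (model of the db-layer check): before execution, any
    UNION keyword in the statement is broken up so it no longer parses as
    a set operation. Splitting it into "UN ION" is this model's assumption."""
    return UNION_RE.sub(lambda m: m.group(0)[:2] + " " + m.group(0)[2:], sql)


def evaluate(request_value: str, sentinel_enabled: bool = True) -> dict:
    """Run one request value through both layers and report the outcome.

    executed_sql is None when sentinel blocks the request. The WHERE clause
    is built by string concatenation on purpose, to model the
    unparameterised pattern the advisory targets (placeholder table/columns).
    """
    if sentinel_enabled and sentinel_blocks(request_value):
        return {"sentinel_blocked": True, "executed_sql": None}
    sql = "SELECT title FROM nuke_stories WHERE sid = '" + request_value + "'"
    return {"sentinel_blocked": False, "executed_sql": db_layer_model(sql)}


if __name__ == "__main__":
    # Constructed sample inputs: a plain id, a plain UNION payload, and the
    # same payload with "%2f" comment separators in place of spaces.
    samples = (
        "42",
        "1' UNION SELECT pwd FROM nuke_users-- ",
        "1'%20UNION%2f**%2fSELECT%20pwd%20FROM%20nuke_users--%20",
    )
    for value in samples:
        for enabled in (True, False):
            print(f"sentinel={'on ' if enabled else 'off'} value={value!r}")
            print("   ->", evaluate(value, sentinel_enabled=enabled))
```

Run it as a script to see each constructed value pass through both layers with sentinel on and off. A keyword filter of this kind only catches the forms it recognises after its own normalisation, so it belongs in front of properly escaped or parameterised queries rather than in place of them.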