Xoops存在SQL注入缺陷
涉及程序:
XOOPS 1.3.X版,2.0.X版到2.0.5版
描述:
Xoops存在SQL注入缺陷
详细:
XOOPS是一款用PHP编写的动态WEB站点程序。XOOPS程序banners.php文件中的代码存在错误,允许未经授权的用户重定义本地变量并注入SQL命令:
<?
[...]
function EmailStats($login, $cid, $bid, $pass)
{
// Mails a banner client the statistics of one banner. $login, $cid, $bid and
// $pass reach this function straight from the request via the switch on $op
// further down; nothing in the visible code validates them, and $pass is not
// compared against the client's stored password anywhere in the visible code.
global $xoopsDB, $xoopsConfig;
// Untrusted $cid is interpolated into the WHERE clause unquoted and uncast;
// this is the injection point the advisory describes (cid=1 AND ...). Casting
// with intval() before use closes it.
$result2 = $xoopsDB->query("select name, email from
".$xoopsDB->prefix("bannerclient")." where cid=$cid");
list($name, $email) = $xoopsDB->fetchRow($result2);
if ( $email == "" ) {
// $name (a database value) is echoed into the redirect message unescaped.
redirect_header("banners.php",3,"There isn't an email associated with
client ".$name.".<br />Please contact the Administrator");
exit();
} else {
// Same pattern: $bid and $cid land in SQL unquoted.
$result = $xoopsDB->query("select bid, imptotal, impmade, clicks,
imageurl, clickurl, date from ".$xoopsDB->prefix("banner")." where bid=$bid
and cid=$cid");
list($bid, $imptotal, $impmade, $clicks, $imageurl, $clickurl, $date) =
$xoopsDB->fetchRow($result);
// The listing elides the code that computes $left and $percent used in the
// message below.
[...]
$fecha = date("F jS Y, h:iA.");
// NOTE: "sitename" is an unquoted array key here (treated as a bare constant);
// the next statement uses the quoted form 'sitename'.
$subject = "Your Banner Statistics at ".$xoopsConfig[sitename]."";
// Plain-text mail body; the line breaks inside the literal are as printed in
// the listing.
$message = "Following are the complete stats for your advertising
investment at ". $xoopsConfig['sitename']." :\n\n\nClient Name:
$name\nBanner ID: $bid\nBanner Image: $imageurl\nBanner URL:
$clickurl\n\nImpressions Purchased: $imptotal\nImpressions Made:
$impmade\nImpressions Left: $left\nClicks Received: $clicks\nClicks Percent:
$percent%\n\n\nReport Generated on: $fecha";
$xoopsMailer =& getMailer();
$xoopsMailer->useMail();
$xoopsMailer->setToEmails($email);
$xoopsMailer->setFromEmail($xoopsConfig['adminmail']);
$xoopsMailer->setFromName($xoopsConfig['sitename']);
$xoopsMailer->setSubject($subject);
$xoopsMailer->setBody($message);
$xoopsMailer->send();
// The client's login and password are carried back in the redirect query
// string, unencoded. The message literal appears line-wrapped by the listing
// ("Stati" / "stics").
redirect_header("banners.php?op=Ok&login=$login&pass=$pass",3,"Stati
stics
for your banner has been sent to your email address.");
//include "footer.php";
exit();
}
}
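function change_banner_url_by_client($login, $pass, $cid, $bid, $url)
{
    // Lets a banner client change the click-through URL of one of its banners
    // after proving knowledge of the client password.
    // All five parameters arrive straight from the request (see the switch on
    // $op below), so every value is untrusted here.
    global $xoopsDB;
    // Numeric ids are cast before they reach SQL; this closes the
    // "cid=1 AND ..." injection in the original `where cid=".$cid` query.
    $cid = intval($cid);
    $bid = intval($bid);
    // Reject missing ids / password instead of looking up cid=0 and comparing
    // an absent password against whatever the column holds.
    if ($cid > 0 && $bid > 0 && $pass !== null && $pass !== '') {
        $result = $xoopsDB->query("select passwd from ".$xoopsDB->prefix("bannerclient")." where cid=".$cid);
        list($passwd) = $xoopsDB->fetchRow($result);
        // Strict string comparison: "==" would accept null/"" against an empty
        // passwd column, and $passwd is null when no row matched.
        if ($passwd !== null && (string)$pass === (string)$passwd) {
            // quoteString() quotes and escapes the free-form URL instead of
            // splicing it raw into the statement. The update is additionally
            // restricted to the authenticated client's own banners (cid); the
            // original "where bid=" clause let any bid be changed once one
            // client password was known.
            $xoopsDB->queryF("update ".$xoopsDB->prefix("banner")." set clickurl=".$xoopsDB->quoteString($url)." where bid=".$bid." and cid=".$cid);
        }
    }
    // Same redirect as before (the message is shown whether or not an update
    // happened); login and password are URL-encoded so special characters in
    // them do not break the query string.
    redirect_header("banners.php?op=Ok&login=".urlencode((string)$login)."&pass=".urlencode((string)$pass), 3, "URL has been changed.");
    //include "footer.php";
    exit();
}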
[...]
// Request dispatcher. $op, $login, $pass, $cid, $bid and $url are read here as
// globals that appear to be populated directly from the request (the advisory
// speaks of redefining local variables). Cast $cid/$bid with intval() before
// this switch and escape $url inside the callee so that no raw request value
// reaches SQL; the switch itself does no validation.
switch ( $op ) {
case "Change":
change_banner_url_by_client($login, $pass, $cid, $bid, $url);
break;
case "EmailStats":
EmailStats($login, $cid, $bid, $pass);
break;
[...]
}
?>
攻击者通过向目标服务器提交精心构造的下列格式的URL请求能触发该缺陷:
http://[target]/banners.php?op=EmailStats&cid=1%20AND%20passwd%20LIKE%20'a%'/*
攻击方法:
示例代码:
http://[target]/banners.php?op=EmailStats&cid=1%20AND%20passwd%20LIKE%20'a%'/*
解决方案:
用下列代码替换banners.php文件中的change_banner_url_by_client()函数:
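function change_banner_url_by_client($login, $pass, $cid, $bid, $url)
{
    // Proposed replacement for the shipped function. It keeps the original
    // entry point and the advisory's "all three values present" guard, but
    // (a) casts the ids to integers here as well, so the fix does not depend
    // on the caller having run "$cid = intval($cid)" before the switch, and
    // (b) passes $url through the database layer's quoteString() instead of
    // splicing it raw into the UPDATE, which the quoted-id-only version of
    // this fix still left open to injection through the URL value.
    global $xoopsDB;
    $cid = intval($cid);
    $bid = intval($bid);
    if ( !empty($cid) AND !empty($bid) AND !empty($pass) ) {
        $result = $xoopsDB->query("select passwd from ".$xoopsDB->prefix("bannerclient")." where cid=".$cid);
        list($passwd) = $xoopsDB->fetchRow($result);
        // Strict comparison; $passwd is null when no client row matched.
        if ( $passwd !== null && (string)$pass === (string)$passwd ) {
            // Scope the update to the authenticated client's own banner.
            $xoopsDB->queryF("update ".$xoopsDB->prefix("banner")." set clickurl=".$xoopsDB->quoteString($url)." where bid=".$bid." and cid=".$cid);
        }
        redirect_header("banners.php?op=Ok&login=".urlencode((string)$login)."&pass=".urlencode((string)$pass), 3, "URL has been changed.");
        //include "footer.php";
    }
    // Missing ids or password: end the request without redirecting, as in the
    // advisory's version.
    exit();
}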
在“switch($op) {”前添加下列代码:
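// Normalise the two numeric request parameters before the dispatcher below
// hands them to change_banner_url_by_client() / EmailStats(): the integer cast
// is what makes the unquoted "where cid=$cid" / "bid=$bid" clauses safe.
// isset() avoids an undefined-variable notice when a parameter is absent from
// the request; an absent id becomes 0, which matches no client or banner.
// $url is a free-form string and is not covered by this cast; it has to be
// quoted/escaped where it is written into SQL.
$cid = isset($cid) ? intval($cid) : 0;
$bid = isset($bid) ? intval($bid) : 0;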
目前厂商未公布该缺陷补丁,请用户及时关注厂商站点:
http://www.xoops.org/