发布日期:2013-07-24
更新日期:2013-07-27
受影响系统:
VBulletin VBulletin 4.0.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 61449
VBulletin是一个强大灵活并可完全根据自己的需要定制的论坛程序套件。
VBulletin 4.0.x没有有效过滤'update_order'变量,即将其用在语句中,在实现上存在SQL注入漏洞,成功利用后允许攻击者执行未授权数据库操作。
<*来源:n3tw0rk
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
The exploit is caused due to a variable named 'update_order' not being
sanitized before being used within an insert into statement.
if ($_REQUEST['do'] == 'update_order')
{
$vbulletin->input->clean_array_gpc('r', array(
'force_read_order' => TYPE_ARRAY
));
if ($vbulletin->GPC['force_read_order'])
{
foreach ($vbulletin->GPC['force_read_order'] AS $threadid => $order)
{
$db->query_write("
UPDATE " . TABLE_PREFIX . "thread AS thread
SET force_read_order = '$order'
WHERE threadid = '$threadid'
");
}
}
POC
You will need Admincp Access then go to
site.com/admincp/force_read_thread.php then in the force read order colum
put a ' into one of them to show this
Database error in vBulletin 4.2.1:
Invalid SQL:
UPDATE thread AS thread
SET force_read_order = '1''
WHERE threadid = '5161';
MySQL Error : You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near
'5161'' at line 2
Error Number : 1064
Request Date : Thursday, July 25th 2013 @ 01:20:52 AM
Error Date : Thursday, July 25th 2013 @ 01:20:52 AM
Script :
?do=update_order
Referrer :
IP Address :
Username : n3tw0rk
Classname :
MySQL Version :
建议:
--------------------------------------------------------------------------------
厂商补丁:
VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: