WWWThread 多个SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195268 漏洞类型 SQL注入
发布时间 2006-04-21 更新时间 2006-04-25
CVE编号 CVE-2006-1958 CNNVD-ID CNNVD-200604-401
漏洞平台 N/A CVSS评分 6.4
|漏洞来源
https://cxsecurity.com/issue/WLB-2006040066
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-401
|漏洞详情
WWWThreadsRC3存在多个SQL注入漏洞。这使得远程攻击者可以借助于(1)传递到register.php中的forumreferrercookie和(2)message_list.php中的messages参数执行任意SQL命令。
|漏洞EXP
// --- WWWThread RC 3 MultBugs --- //

* D3vil-0x1 | Devil-00
    * www.securitygurus.net
    * Gr33tz
    	- HACKERS PAL | n0m3rcy | -

&
                		All Others << i forgot them :))

//---------------------------------//

//---------------------------------// [ Bug 1 ] //---------------------------------//

// File name :- register.php
// Bug :- Remote [ _COKKIE['forumreferrer] ] SQL Injection

/* Code
	//
if(isset($_COOKIE["forumreferrer"]))
	{
		$referral_id = $_COOKIE["forumreferrer"];
		$result = $db->query('SELECT referral_count FROM '.$db->prefix.'users WHERE id='.$referral_id) 		  or error(mysql_error(), __FILE__, __LINE__, $db->error());
		list($referral_val) = $db->fetch_row($result);
		$rval = $referral_val[0] + 1;
		$db->query('UPDATE '.$db->prefix.'users SET referral_count='. $rval . ' WHERE id='.$				  referral_id) or error(mysql_error(), __FILE__, __LINE__, $db->error());
	}
    //
*/

Fix :-

/*
$referral_id = intval($_COOKIE["forumreferrer"]);
*/

//---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------// //---------------------------------//

//---------------------------------//  [ Bug 2 ] //---------------------------------//

// File name :- message_list.php
// Bug :- Remote SQL Injection

/* Code

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.$_POST['messages'].') AND owner=			''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

*/

// Fix :-

Replace with this code :D

if( isset($_POST['delete_messages']) || isset($_POST['delete_messages_comply']) )
{
	if( isset($_POST['delete_messages_comply']) )
	{
		confirm_referrer('message_list.php');
		$db->query('DELETE FROM '.$db->prefix.'messages WHERE id IN('.intval($_POST['messages']).') AND owner=			''.$forum_user['id'].''') or error(mysql_error(), __FILE__, __LINE__, $db->error());
		redirect('message_list.php?box='.$_POST['box'], $lang_pms['Deleted redirect']);
	}

// Exploit

- Resend This Requsit By HTTPLiveHeaders :D -

messages=[SQL]&box=0&delete_messages_comply=Delete
|参考资料

来源:BID
名称:17615
链接:http://www.securityfocus.com/bid/17615
来源:BUGTRAQ
名称:20060419WWWThreadRC3MultBugs
链接:http://www.securityfocus.com/archive/1/archive/1/431400/100/0/threaded
来源:XF
名称:wwwthreads-multiple-sql-injection(25936)
链接:http://xforce.iss.net/xforce/xfdb/25936
来源:VUPEN
名称:ADV-2006-1447
链接:http://www.frsirt.com/english/advisories/2006/1447
来源:SREASON
名称:739
链接:http://securityreason.com/securityalert/739
来源:SECUNIA
名称:19732
链接:http://secunia.com/advisories/19732