EvilOctal Security Team Technical Discussion Group's Archiver

hak_ban[HSG] 2005-2-16 17:56

[Translation] Multiple SQL injection vulnerabilities in Chipmunk Forums

Translation site: [url]http://www.bnso.net/[/url]
Translated by: Z.C.Y[B.C.T]
Source: [url]http://www.securiteam.com/unixfocus/5WP041PEUM.html[/url]

Summary provided by GHC vision:
Chipmunk Forums is a small, flexible forum system with its own distinctive features.

Because the Chipmunk Forums PHP scripts do not filter user input sufficiently, a remote attacker can insert arbitrary SQL statements into the existing statements, which allows them to gain administrative privileges on the forum, change user information, obtain passwords, and so on.

Vulnerability details:
Vulnerable script: getpassword.php
Vulnerable code:
if(isset($_POST['submit']))
{
  $email=$_POST['email'];
  // $email goes straight into the query with no escaping or quoting
  $getinfo="SELECT * from b_users where email='$email'";
  ...
  // the newly generated password is mailed to the attacker-supplied address
  mail("$email","Your Forum password","Your forum password has been set to $value");
}

Exploitation method:
Submitting the email [email]ghc@ghc.ru[/email]' or username='Administrator changes the administrator account's password ("Administrator" must be a valid username).
-------------------------------------------------------------
Vulnerable script: authenticate.php
Vulnerable code:
$username=$_POST['user'];
$password=$_POST['password'];
$password=md5($password); // unsalted md5, and the username is never escaped
// a username ending in '/* turns the rest of the WHERE clause into a comment,
// so the password and validated checks are never evaluated
$query = "select * from b_users where username='$username' and password='$password' and validated='1'";

Exploitation method:
Log in on the login.php page as Administrator'/*
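As an added example that is not part of the advisory or of Chipmunk's own code, the getpassword.php and authenticate.php lookups above rewritten with PDO prepared statements, so the user-supplied value is always compared as data and can no longer change the query. Table and column names (b_users, username, password, email, validated) follow the advisory; the DSN, credentials and the use of password_hash() storage are assumptions.

```php
<?php
// Added example (not Chipmunk's code): parameterised versions of the two lookups.
// Assumed: password column holds password_hash() output; DSN/credentials are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=forum', 'forum_user', 'CHANGE_ME', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// getpassword.php: the e-mail is bound as a parameter, so a value such as
// "ghc@ghc.ru' or username='Administrator" is compared literally and matches no row.
function findUserByEmail(PDO $db, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // reject malformed addresses before the database sees them
    }
    $stmt = $db->prepare('SELECT userID, username, email FROM b_users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// authenticate.php: the username is bound as a parameter, so "Administrator'/*" cannot
// comment out the validated check; the password is verified in PHP with password_verify()
// against a salted password_hash() value instead of an unsalted md5 compared inside SQL.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT userID, username, password FROM b_users WHERE username = :u AND validated = 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // identical result for unknown user and wrong password
    }
    unset($row['password']);
    return $row;
}
```

Existing md5 hashes would have to be migrated to password_hash() on each user's next successful login before the authenticate() variant can replace the original.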
--------------------------------------------------
Vulnerable script: edit.php
Vulnerable code:
if(isset($_POST['ID']))
{
  $ID=$_POST['ID'];
}
else
{
  $ID=$_GET['ID'];
}
// $ID comes from either POST or GET and is interpolated without validation
$checking="SELECT * from b_posts,b_users where b_users.userID=b_posts.author and b_posts.ID='$ID'";

SQL statements can be injected through the $ID variable.
------------------------------------------



Vulnerable script: search.php
Vulnerable code:
$searchterm=$_POST['searchterm'];
// $searchterm is interpolated into the LIKE pattern unescaped ($start is interpolated as well)
$getthreads="SELECT * from b_posts where post like '%$searchterm%' and threadparent='0' order by telapsed DESC limit $start, 50";

SQL statements can be injected through the $searchterm parameter.
-----------------------------------------



Vulnerable script: newtopic.php
Vulnerable code:
$name=$_POST['name'];
$title=$_POST['title'];
$post=$_POST['post'];
$day=date("D M d, Y H:i:s");
$timegone=date("U") ;
if($_POST['nosmiley'])
...
// strip_tags() removes HTML tags but leaves quotes intact, so it does nothing against SQL injection
$name=strip_tags($name);
$title=strip_tags($title);
$post=strip_tags($post);
$posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, postforum,lastpost,nosmilies,ipaddress) values ('$name', '$title', '$post', '$day', '$timegone','$forumID','$user','$nosmiley','$s')";
mysql_query($posting) or die("could not post");

SQL statements can be injected through the $name, $title and $post parameters.
--------------------------------------------------------
Vulnerable script: reguser.php
Vulnerable code:
$username=$_POST['username'];
$password=$_POST['password'];
$signature=$_POST['signature'];
$pass2=$_POST['pass2'];
// $username is interpolated unescaped ($email has not been assigned yet at this point)
$usercheck="SELECT * from b_users where username='$username' or email='$email'";

...

if ($password==$pass2 && $_POST['password'])
{
  $password=md5($password);
  $supervalue=$value;
  $day=date("U");
  $email=$_POST['email'];
  $location=$_POST['location'];
  $aim=$_POST['aim'];
  $showprofile=$_POST['showprofile'];
  $icq=$_POST['icq'];
  // the following line is garbled in the source copy of the advisory
  $seedval=$day#0000;
  srand($seedval);
  $key=RAND(1000000,2000000);
  if($requirekey=="no"||$requirekey=="No") //if you do not require an activation key
  {
   // every registration field is interpolated directly into the INSERT
   $SQL="INSERT into b_users (username, password, sig, email, location, AIM, ICQ, showprofile, validated) values ('$username', '$password', '$signature', '$email', '$location', '$aim', '$icq', '$showprofile', '1')";
   mysql_query($SQL) or die(mysql_error());
  }
  else //you require an activation key
  {
   $SQL="INSERT into b_users (username, password, sig, keynode, email, location, AIM, ICQ, showprofile) values ('$username', '$password', '$signature', '$key', '$email', '$location', '$aim', '$icq', '$showprofile')";
   mysql_query($SQL) or die(mysql_error());
   mail("$email","Your forum activation key","Paste the URL to activate your account.
$boardpath/activate.php?username=$username&password=$password&keynode=$key");
  }

SQL statements can be injected through the registration form variables.

© 1999-2008 EvilOctal Security Team