# Reference: http://www.ccat.edu.mx/advisors/advisor5/advisor5.html
# Credits: Ccat Research Labs - México - Coatepec, Ver. www.ccat.edu.mx
# Software Link: http://sourceforge.net/projects/mundimail/
# Tested on: Debian, Centos & Windows Server 2000
Preview:
The code calls system() and exec() on request-supplied input without applying secure coding practices.
1.- First Vulnerable Code
//need to kill daemon
// NOTE(review): $_REQUEST["mypid"] comes straight from the HTTP request and is
// concatenated into the command line with no validation or escaping before it
// reaches system() -- this is the injection point the advisory describes.
$cmd = "/bin/kill";
$cmd .= " " . $_REQUEST["mypid"];
system($cmd);
2.- Exploitation
/admin/satus/index.php?mypid=command;
3.- Fixation
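// escapeshellcmd() neutralises shell metacharacters but does not confine the
// value to a single argument of /bin/kill. A PID is a plain decimal number,
// so validate it as such and reject anything else. Do not fall back to an
// (int) cast: a rejected value would become 0, and "kill 0" signals the
// caller's whole process group.
$mypid = isset($_REQUEST["mypid"]) ? (string) $_REQUEST["mypid"] : '';
if (!ctype_digit($mypid)) {
    die("invalid pid");
}
// escapeshellarg() quotes the (now validated) value as exactly one argument.
$cmd .= " " . escapeshellarg($mypid);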
4.- Second Vulnerable Code
// NOTE(review): the command line is built from the ROOTDIR prefix plus the raw
// $_REQUEST["idtag"] value and backgrounded with '&'; nothing validates or
// escapes the request value before it reaches exec().
$cmd = ROOTDIR . "include/massmail.php";
$cmd .= ' ' . $_REQUEST["idtag"];
$cmd .= ' > /dev/null';
$cmd .= ' &';
// The complete command line -- including the ROOTDIR path, presumably the
// server-side install directory -- is echoed back to the client, which is an
// information disclosure on top of the injection.
echo $cmd . "<br>\n";
exec($cmd);
$mid = "../mail/success.php";
5.- Exploitation
/admin/status/index.php?idtag=command;
6.- Fixation
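// escapeshellarg() wraps the value in single quotes and escapes any embedded
// quotes, so the whole request value reaches massmail.php as exactly one
// argument; escapeshellcmd() gives no such single-argument guarantee.
// NOTE(review): if idtag has a known format (e.g. a numeric id), validate it
// against that format first and reject anything that does not match.
$idtag = isset($_REQUEST["idtag"]) ? (string) $_REQUEST["idtag"] : '';
$cmd .= ' ' . escapeshellarg($idtag);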
7.- Other
Other kinds of fix can be applied to this bug; this one is simply the easiest ;)
8.- Greetz
www[dot]seguridadblanca[dot]com
--------------
Happy Hacking
--------------