Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-1999-1053 PoC — Matt Wright GuestBook远程执行任意命令漏洞

Source
https://github.com/siunam321/CVE-1999-1053-PoC
Associated Vulnerability
Title:Matt Wright GuestBook远程执行任意命令漏洞 (CVE-1999-1053)
Description:guestbook.pl cleanses user-inserted SSI commands by removing text between "<!--" and "-->" separators, which allows remote attackers to execute arbitrary commands when guestbook.pl is run on Apache 1.3.9 and possibly other versions, since Apache allows other closing sequences besides "-->".
Description
CVE-1999-1053 Proof-of-Concept Exploit
Readme
# CVE-1999-1053 Proof-of-Concept Exploit

## Background

This Proof-of-Concept(PoC) exploit is inspired from a CTF web challenge called `CVE 1999` in HKCERT CTF 2022. (Writeup [link](https://siunam321.github.io/ctf/HKCERT-CTF-2022/Web/CVE-1999/))

## Information

**Description:** In Matt Wright Guestbook <= 2.3.1, there is a Server-Side Include injection vulnerability that allows unauthenticated user to execute arbitrary code.
**Original author:** Patrick
**Original Exploit-DB link:** https://www.exploit-db.com/exploits/9907

## Proof-of-Concept Exploit

### Description

> The Matt Wright `guestbook.pl` <= v2.3.1 CGI script contains a flaw that may allow arbitrary command execution. The vulnerability requires that HTML posting is enabled in the `guestbook.pl` script, and that the web server must have the Server-Side Include (SSI) script handler enabled for the '`.html`' file type. By combining the script weakness with non-default server configuration, it is possible to exploit this vulnerability successfully. (From [Exploit-DB](https://www.exploit-db.com/exploits/9907))

### Installation

```bash
wget https://raw.githubusercontent.com/siunam321/CVE-1999-1053-PoC/main/CVE-1999-1053-PoC.py
```

### Usage/Exploitation

- `-u` or `--url` to supply the target full URL
- `-p` or `--payload` to supply the payload

### Screenshot

![](https://github.com/siunam321/CVE-1999-1053-PoC/blob/main/images/poc1.png)

![](https://github.com/siunam321/CVE-1999-1053-PoC/blob/main/images/poc2.png)

![](https://github.com/siunam321/CVE-1999-1053-PoC/blob/main/images/poc3.png)
File Snapshot

 [4.0K]  /data/pocs/d96db0472a12b935f040be6c0cd6bb09ebcea5cf
├── [2.7K]  CVE-1999-1053-PoC.py
├── [4.0K]  images
│   ├── [ 38K]  poc1.png
│   ├── [ 47K]  poc2.png
│   └── [ 50K]  poc3.png
└── [1.5K]  README.md

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →