CVE-2022-24637 PoC — Open Web Analytics Server 安全漏洞

Source

https://github.com/0xM4hm0ud/CVE-2022-24637

Associated Vulnerability

Title:Open Web Analytics Server 安全漏洞 (CVE-2022-24637)
Description:Open Web Analytics Server是用于Google Analytics 等商业 Web 分析工具的开源替代方案。 Open Web Analytics 1.7.4版本存在安全漏洞，该漏洞源于使用 php 生成的文件（而不是预期的 php 序列）不是由 PHP 解释器处理的。未经身份验证的攻击者可以通过缓冲哈希利用该漏洞获取敏感用户信息和管理员权限。

Description

Unauthenticated RCE in Open Web Analytics version <1.7.4

Readme

# CVE-2022-24637
Unauthenticated RCE in Open Web Analytics version &lt;1.7.4

This script is made to automate the CVE-2022-24637 vulnerability. I created this exploit for my Hackthebox machine vessel. https://app.hackthebox.com/machines/Vessel

The exploit and idea is based on https://devel0pment.de/?p=2494


## exploit

Run the script with the following parameters:

`python3 exploit.py http://<url>/ newPassword YourIp YourPort`

It might be possible that you need to run it a few times to get a shell.

The script can be improved.

![img](exploit.jpg)

File Snapshot


 [4.0K]  /data/pocs/0758312f196fa9da004c91253e14dcbbe866a066
├── [4.3K]  CVE-2022-24637.py
├── [132K]  exploit.jpg
└── [ 557]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!