Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-31630 PoC — OpenPLC 代码注入漏洞

Source
https://github.com/behindsecurity/htb-wifinetictwo-exploit
Associated Vulnerability
Title:OpenPLC 代码注入漏洞 (CVE-2021-31630)
Description:OpenPLC是一种开源的可编程逻辑控制器。可为自动化和研究提供低成本的工业解决方案。 OpenPLC v3 存在代码注入漏洞,该漏洞源于产品的web服务中 /hardware 页面的Hardware Layer Code Box组件未能过滤输入的特殊字符。攻击者可通过该漏洞执行系统命令。
Description
A simple python script to exploit CVE-2021-31630 on HTB WifineticTwo CTF
Readme
# CVE-2021-31630 Exploit PoC

This Python script is a Proof of Concept (PoC) exploit for CVE-2021-31630, targeting a vulnerability in OpenPLC running on the WifineticTwo box at HackTheBox. It is designed for educational purposes only, aiming to demonstrate the exploitation process in a controlled environment.

## Disclaimer

This tool is intended for security research and educational purposes only. Use of this tool for attacking targets without prior mutual consent is illegal. The developer will not be held responsible for any damages or criminal charges against users misusing this exploit.

## Prerequisites

Before running this exploit, ensure you have:

- Python 3 installed on your system.
- The `requests` library installed. You can install it using `pip install requests`.

## Usage

To use this exploit, you must specify the target's URL, the local host IP (LHOST), and the local port (LPORT) to which the reverse shell should connect back. Optionally, you can specify the username and password for OpenPLC if they differ from the default.

```shell
./exploit.py --target http://wifinetictwo.htb:8080 --lhost [LHOST] --lport [LPORT] [--usr [USERNAME] --pwd [PASSWORD]]
```

### Arguments

- `--target` - Target base address. Example: `http://wifinetictwo.htb:8080`
- `--lhost` - Local host IP address for the reverse shell to connect back to.
- `--lport` - Local port for the reverse shell to connect back to.
- `--usr` - (Optional) Username for OpenPLC. Default is `openplc`.
- `--pwd` - (Optional) Password for OpenPLC. Default is `openplc`.

## Features

- Automatically handles the login process using provided credentials.
- Crafts and uploads a malicious payload to achieve remote code execution.
- Initiates a reverse shell back to the attacker's specified IP and port.

## Exploit Process

1. **Login**: The script logs into the OpenPLC application using the provided credentials.
2. **Payload Crafting**: Dynamically crafts a malicious payload designed to initiate a reverse shell.
3. **Payload Upload**: Uploads the crafted payload to the server.
4. **Exploit Trigger**: Triggers the exploit by attempting to compile the uploaded malicious code, resulting in a reverse shell.


## Acknowledgements

- Special thanks to [Fellipe Oliveira](https://packetstormsecurity.com/files/162563/OpenPLC-WebServer-3-Remote-Code-Execution.html) who discovered and reported CVE-2021-31630.
- HackTheBox for providing a realistic environment to practice and learn about cybersecurity.
File Snapshot

 [4.0K]  /data/pocs/301bf2e4c83cb37a48e59d949b8dfa4c464950e7
├── [4.9K]  exploit.py
└── [2.4K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.