Giter VIP home page Giter VIP logo

cve-2024-34102's Introduction

๐Ÿšจ CVE-2024-34102 Exploit Script ๐Ÿšจ

Description

This script exploits a Server-Side Request Forgery (SSRF) vulnerability in Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. The vulnerability allows for arbitrary code execution by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

Installation

  1. ๐Ÿ“ฅ Clone the repository:

    git clone https://github.com/Chocapikk/CVE-2024-34102.git
cd CVE-2024-34102

  2. ๐Ÿ“ฆ Install the required packages:

    pip install -r requirements.txt

Usage

Basic Command

python exploit.py -u <target_url> -f <file_to_read>

Example

python exploit.py -u http://target.com -f /etc/passwd

Options

  • -u, --url (required): Specify the target URL or domain.
  • -f, --file (optional): Specify the file to read from the server. Default is /etc/passwd.

How It Works

  1. Initialization:

    • Input: Target URL and file to read (default: /etc/passwd)
    • Disable security warnings

  2. Generate Callback URL:

    • Create a unique DTD file containing malicious XML entities.
    • Host the DTD file on fars.ee.
    • Print the created callback URL and the file to be read.

  3. Obtain Instance ID:

    • Obtain an instance ID from the SSRF API.

  4. Send Malicious Request:

    • Construct a request with the malicious DTD URL.
    • Send the request to the target URL.

  5. Check Exploitation Success:

    • Check instance logs from the SSRF API.
    • Decode and display the exfiltrated data if the exploitation is successful.

  6. Cleanup:

    • Clear instance logs.
    • Delete the instance.

  7. Output Result and Finish:

    • Print whether the target URL is vulnerable or not.

Example Output

[+] Created Callback URL: https://fars.ee/abcd1234.dtd
[+] File to be read: /etc/passwd
[+] Decoded Exploited Data: 
root:x:0:0:root:/root:/bin/bash
...
[+] Vulnerable URL: http://target.com

Notes

  • โš ๏ธ Disclaimer: This script is for educational purposes only. Unauthorized use of this script against a target without permission is illegal.
  • ๐Ÿ’ก Tip: Always ensure you have permission to test a target system for vulnerabilities.

Credits

  • โค๏ธ Credits to @th3gokul & Sanjaith3hacker for the original code base.

cve-2024-34102's People

Contributors

chocapikk avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.