π¨ CVE-2024-34102 Exploit Script π¨ Description This script exploits a Server-Side Request Forgery (SSRF) vulnerability in Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. The vulnerability allows for arbitrary code execution by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction. Installation π₯ Clone the repository: sh git clone https://github.com/Chocapikk/CVE-2024-34102.git cd CVE-2024-34102 π¦ Install the required packages: sh pip install -r requirements.txt Usage Basic Command sh python exploit.py -u <target_url> -f <file_to_read> Example sh python exploit.py -u https://target.com -f /etc/passwd Options -u, βurl (required): Specify the target URL or domain. -f, βfile (optional): Specify the file to read from the server. Default is /etc/passwd. How It Works Initialization: Input: Target URL and file to read (default: /etc/passwd) Disable security warnings Generate Callback URL: Create a unique DTD file containing malicious XML entities. Host the DTD file on fars.ee. Print the created callback URL and the file to be read. Obtain Instance ID: Obtain an instance ID from the SSRF API. Send Malicious Request: Construct a request with the malicious DTD URL. Send the request to the target URL. Check Exploitation Success: Check instance logs from the SSRF API. Decode and display the exfiltrated data if the exploitation is successful. β¦Read More