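PoC details: 4802a99090dc6ee8d641c74f51c9a9fb8a976a95

Source
Related vulnerability
Title: SolarWinds Web Help Desk trust management vulnerability (CVE-2024-28987)
Description: SolarWinds Web Help Desk is a help desk and asset management software suite from the US company SolarWinds. The software supports a centralized knowledge base, IT asset management, project and task management, and other functions. SolarWinds Web Help Desk has a trust management vulnerability that stems from a hardcoded credential flaw, which allows remote unauthenticated users to access internal functionality and modify data.
Description
CVE-2024-28987 Scanner & Exploiter - SolarWinds Web Help Desk
Introduction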
# CVE-2024-28987 Exploit & Scanner

A Python-based exploit and scanner for the **CVE-2024-28987** vulnerability affecting SolarWinds Web Help Desk. This tool enables security researchers to identify and interact with vulnerable endpoints and explore various potential vectors in the Web Help Desk system.

## Features

- **Vulnerability Detection**: Test if the target is vulnerable to CVE-2024-28987 by attempting to access the `/OrionTickets` endpoint.
- **Fetch Tickets**: Retrieve and save all helpdesk tickets from the vulnerable endpoint.
- **Experimental Features**: 
  - **Create Tickets**: Submit a new helpdesk ticket.
  - **Update Tickets**: Modify existing helpdesk ticket details.
  - **Delete Tickets**: Remove a helpdesk ticket by ID.
- **Colored Terminal Output**: Provides a visually clear interface with status messages in different colors for easy identification.
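
For defenders, requests to the same `/OrionTickets` endpoint are what to look for in the web server's access logs. The sketch below is an added example, not code from this repository: it counts such requests per client and labels the worst outcome seen. The log lines, the `/example-prefix` path, the HTTP-method mapping for create/update/delete and the `trusted_sources` allowlist are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (common log format). The IPs are documentation
# addresses and the "/example-prefix" path prefix is a placeholder.
SAMPLE_LOG = """\
198.51.100.23 - - [02/Oct/2024:09:14:01 +0000] "GET /example-prefix/OrionTickets HTTP/1.1" 200 48213
198.51.100.23 - - [02/Oct/2024:09:14:09 +0000] "DELETE /example-prefix/OrionTickets/17 HTTP/1.1" 200 12
203.0.113.50 - - [02/Oct/2024:09:20:44 +0000] "GET /example-prefix/Orion%54ickets?limit=1 HTTP/1.1" 401 0
10.0.0.5 - - [02/Oct/2024:09:21:00 +0000] "GET /example-prefix/OrionTickets HTTP/1.1" 200 48213
192.0.2.8 - - [02/Oct/2024:09:22:10 +0000] "GET /example-prefix/Tickets HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT_RE = re.compile(r"(?:^|/)OrionTickets(?:[/?]|$)", re.IGNORECASE)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # assumed mapping for create/update/delete

def orion_ticket_hits(log_text, trusted_sources=frozenset()):
    """Count OrionTickets requests per untrusted client IP."""
    hits = defaultdict(lambda: {"read_ok": 0, "write_ok": 0, "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, method, target, status = m.groups()
        # Decode percent-escapes so an encoded path still matches.
        if ip in trusted_sources or not ENDPOINT_RE.search(unquote(target)):
            continue
        if not status.startswith("2"):
            hits[ip]["failed"] += 1
        elif method in WRITE_METHODS:
            hits[ip]["write_ok"] += 1
        else:
            hits[ip]["read_ok"] += 1
    return dict(hits)

def triage(hits):
    """Label each client by the worst outcome seen, most severe first."""
    def label(c):
        if c["write_ok"]:
            return "tickets-modified"
        return "tickets-read" if c["read_ok"] else "probe-only"
    order = {"tickets-modified": 0, "tickets-read": 1, "probe-only": 2}
    return sorted(((ip, label(c)) for ip, c in hits.items()), key=lambda r: (order[r[1]], r[0]))

if __name__ == "__main__":
    for ip, verdict in triage(orion_ticket_hits(SAMPLE_LOG, trusted_sources={"10.0.0.5"})):
        print(ip, verdict)
```

A client labelled `tickets-read` or `tickets-modified` received a 2xx response from the endpoint, so it belongs in incident triage and not only in the scan-noise bucket.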

## Requirements

- Python 3.x
- `requests`
- **Note**: The script suppresses SSL warnings, as it's intended for use in secure testing environments.

## Installation

1. Clone the repository:
    ```bash
    git clone https://github.com/PlayerFridei/CVE-2024-28987
    cd CVE-2024-28987
    ```
2. Install required Python packages:
    ```bash
    pip install -r requirements.txt
    ```

## Usage

```bash
python3 exploit.py <target_ip>
```

### Example
```bash
python3 exploit.py 192.168.1.100
```

## Menu Options

1. **Fetch All Tickets**: Retrieve all helpdesk tickets and save them to `tickets.txt`.
2. **(Experimental) Create a New Ticket**: Add a new helpdesk ticket to the system (may not always succeed).
3. **(Experimental) Update an Existing Ticket**: Modify the subject and details of an existing helpdesk ticket.
4. **(Experimental) Delete a Ticket**: Attempt to delete a helpdesk ticket by providing its ID.
5. **Exit**: Exit the program.

### Notes
- The experimental features (create, update, delete) are provided for testing, exploration, education and research, and may not always function correctly, depending on system permissions and configuration.
- The tool is intended for **educational and authorized security testing only**. Always obtain permission before testing, and never use it on unauthorized systems.

## Banner

The script comes with a custom ASCII banner for a personalized touch when running the tool.

# Disclaimer

By downloading and using this tool, you agree to the following terms:

1. The tool is provided without any warranty, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement.

2. The creator of the tool shall not be liable for any direct, indirect, incidental, special, consequential, or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data, or other intangible losses.

3. You understand and acknowledge that the tool is still under development and may not be fully polished. As such, it might contain bugs or other issues that could affect its performance.

4. You understand and acknowledge that the creator of the tool may, at their sole discretion, discontinue support for the tool at any time and without notice. This means that there is no guarantee of ongoing maintenance, updates, or technical assistance.

5. You agree to use the tool at your own risk and understand that the creator of the tool does not provide any assurances regarding its functionality, reliability, or suitability for any purpose.

6. The creator of the tool reserves the right to modify, suspend, or terminate the tool at any time, with or without cause, and without liability to you or any third party.

By downloading and using the tool, you acknowledge that you have read, understood, and agreed to these terms. If you do not agree with any part of these terms, you should not download or use the tool.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
File snapshot

```
[4.0K] /data/pocs/4802a99090dc6ee8d641c74f51c9a9fb8a976a95
├── [9.5K] exploit.py
├── [1.0K] LICENSE
├── [3.9K] README.md
└── [  17] requirements.txt

0 directories, 4 files
```