Automatic mass tool for checking and exploiting CVE-2023-3076 - MStore API < 3.9.9 - Unauthenticated Privilege Escalation (Mass Add Admin + PHP File Upload)

MSAPer | CVE-2023-3076 - MStore API

  • Uses GNU Parallel. You must have parallel installed to run this tool.
  • If you get an error like "$'\r': command not found", the script has Windows (CRLF) line endings; run "dos2unix msaper.sh".

Install Parallel

  • Linux: apt-get install parallel -y
  • Windows: install WSL (Windows Subsystem for Linux), then install as on Linux.
    If you want to use Windows without WSL, install Git Bash, then run these commands to install parallel:
    [#] curl pi.dk/3/ > install.sh
    [#] sha1sum install.sh | grep 12345678
    [#] md5sum install.sh
    [#] sha512sum install.sh
    [#] bash install.sh
    Compare the printed checksums with the values published in the GNU Parallel installation instructions before running install.sh.

How To Use

  • Make sure Parallel is already installed, then run:
  • [#] git clone https://github.com/im-hanzou/MSAPer.git
  • [#] cd MSAPer && chmod +x msaper.sh
  • [#] For Linux or WSL: ./msaper.sh list.txt thread
  • [#] For Git Bash: TMPDIR=/tmp ./msaper.sh list.txt thread

Reference

  • https://nvd.nist.gov/vuln/detail/CVE-2023-3076
  • https://wpscan.com/vulnerability/ac662436-29d7-4ea6-84e1-f9e229b44f5b
  • https://github.com/advisories/GHSA-gwr5-qqvh-c57m
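
For the defensive side of the version range named in the title (MStore API < 3.9.9), the following added example, which is not part of MSAPer, reads the plugin's version header on a WordPress host you administer and reports whether it falls in the affected range. The plugin path wp-content/plugins/mstore-api/mstore-api.php and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not MSAPer code): local version check for the MStore API plugin.
# Assumption: the plugin main file is wp-content/plugins/mstore-api/mstore-api.php
FIXED_VERSION="3.9.9"   # versions below this are affected, per the title above

# Print the "Version:" header value from a WordPress plugin main file.
# Tolerates the " * " comment prefix and CRLF line endings.
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if version $1 is strictly lower than version $2 (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one plugin file.
# Prints "vulnerable <v>" (exit 1), "patched <v>" (exit 0) or "unknown" (exit 2).
check_mstore() {
    mstore_file=$1
    [ -r "$mstore_file" ] || { echo "unknown"; return 2; }
    mstore_ver=$(plugin_version "$mstore_file")
    [ -n "$mstore_ver" ] || { echo "unknown"; return 2; }
    if version_lt "$mstore_ver" "$FIXED_VERSION"; then
        echo "vulnerable $mstore_ver"
        return 1
    fi
    echo "patched $mstore_ver"
    return 0
}

# Usage: sh check_mstore.sh /var/www/html   (WordPress root; example path)
if [ -n "${1:-}" ]; then
    check_mstore "$1/wp-content/plugins/mstore-api/mstore-api.php"
fi
```

The non-zero exit status on "vulnerable" or "unknown" lets the check run from cron or a configuration-management job and flag hosts that still need the plugin updated.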

Disclaimer:

  • This tool is for educational purposes only. Use it responsibly and with proper authorization. The author is not responsible for any misuse.